
CVE-2025-22372

Insecure password storage in SicommNet BASEC

CVE CVE-2025-22372
Title Insecure password storage in SicommNet BASEC
Case DIVD-2025-00001
Credits
Affected products
Product Affected Unaffected Unknown
SicommNet BASEC on SaaS >= 14 Dec 2021 to < * (custom)
everything else
CVSS Scenario 1 : GENERAL
Base score 8.4 - HIGH
Attack Vector LOCAL
Attack Complexity LOW
Attack Requirements NONE
Privileges Required HIGH
Confidentiality Impact
Vulnerable system HIGH Subsequent systems NONE
Integrity Impact
Vulnerable system HIGH Subsequent systems NONE
Availability Impact
Vulnerable system HIGH Subsequent systems NONE
Safety impact NOT_DEFINED
Automatable YES
Recovery NOT_DEFINED
Value Density CONCENTRATED
Vulnerability Response effort NOT_DEFINED
Provider Urgency NOT_DEFINED

Scenario 2 : When combined with CVE-2025-22371
Base score 9.3 - CRITICAL
Attack Vector NETWORK
Attack Complexity LOW
Attack Requirements NONE
Privileges Required NONE
Confidentiality Impact
Vulnerable system HIGH Subsequent systems LOW
Integrity Impact
Vulnerable system HIGH Subsequent systems LOW
Availability Impact
Vulnerable system HIGH Subsequent systems LOW
Safety impact NOT_DEFINED
Automatable YES
Recovery NOT_DEFINED
Value Density CONCENTRATED
Vulnerability Response effort NOT_DEFINED
Provider Urgency NOT_DEFINED
References
Problem type(s) CWE-522 Insufficiently Protected Credentials
Impact(s) CAPEC-50 Password Recovery Exploitation
Exploit(s) Given that the vulnerability has been exposed for over 3 years, users should consider the service and all the data in it as compromised.
Date published 12 Apr 2025 00:00 UTC
Last modified

Description

Insufficiently Protected Credentials vulnerability in SicommNet BASEC on SaaS allows Password Recovery.

Passwords are stored either in plain text or using reversible encryption, allowing an attacker with sufficient privileges to extract plain text passwords easily.

This issue affects BASEC: from 14 Dec 2021.


