Home

Description

Insufficiently Protected Credentials vulnerability in SicommNet BASEC on SaaS allows Password Recovery. Passwords are either stored in plain text using reversible encryption, allowing an attacker with sufficient privileges to extract plain text passwords easily. This issue affects BASEC: from 14 Dec 2021.

PUBLISHED Reserved 2025-01-03 | Published 2025-04-14 | Updated 2025-04-15 | Assigner DIVD




HIGH: 8.4CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:Y/V:C

CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/AU:Y/V:C

When combined with CVE-2025-22371

Problem types

CWE-522 Insufficiently Protected Credentials

Product status

Default status
unknown

14 Dec 2021 (custom)
affected

Credits

Jesse Meijer (DIVD) finder

Frank Breedijk (DIVD) analyst

References

basec.sicomm.net/login/ product

csirt.divd.nl/DIVD-2025-00001 third-party-advisory

csirt.divd.nl/CVE-2025-22372 third-party-advisory

cve.org (CVE-2025-22372)

nvd.nist.gov (CVE-2025-22372)

Download JSON