CVE-2025-22371 CRITICAL

CVE-2025-22371: SQL-injection in admin_login_handler allows unauthenticated user to log in as an administrator in SicommNet BASEC

Vendor Sicommnet
Product BASEC
Weakness CWE-89 · SQLi
Published April 14, 2025
Last update April 21, 2025

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/AU:Y/V:C

What the vulnerability does

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in the SicommNet BASEC (SaaS Service) login page allows an unauthenticated remote attacker to bypass authentication and execute arbitrary SQL commands. This issue affects BASEC at least from 14 Dec 2021 onwards; it is very likely that the vulnerability was present in the solution before that date. The issue was fixed by SicommNet around 11pm on 16 April 2025 (Eastern Time).

Key dates

Disclosure timeline

April 14, 2025 CVE published
April 21, 2025 Record updated