Critical vulnerabilities found in procurement platform used by U.S. public sector

One of our researchers has identified three critical vulnerabilities in the SicommNet BASEC e-procurement system, primarily used by U.S. public sector agencies. These vulnerabilities allow malicious actors to bypass all security measures in the system, granting them access to and control over the entire platform — including all customer data stored in its database.

The vulnerabilities were first identified in December 2021. Despite repeated notifications over several years — by Jesse Meijer, the DIVD CSIRT, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) — SicommNet has not provided any response to date. In line with our policy as a CNA (CVE Numbering Authority), we are therefore issuing an official product warning today — the first such warning ever issued by DIVD.

If you are currently using or in the past have used SicommNet BASEC, we urge you to:

  • Stop using the online service
  • Consider all data in the tool compromised
    • Do not trust any data in the tool, it’s possibly altered by a malicious actor
    • Consider all data in the tool leaked
    • Inform any person of which personal identifiable data (PII) is stored in the tool that their PII has leaked
    • Report the leak to the appropriate authorities. 

Background and timeline
In December 2021, during unrelated research, Jesse Meijer discovered publicly accessible source code of SicommNet BASEC. This led to the identification of critical vulnerabilities, confirmed in both the code and the online system. Despite several attempts to contact SicommNet — through emails, LinkedIn messages, and voicemails — and multiple reports sent to SicommNet Support and company executives between February 2022 and early 2025, including follow-ups by DIVD CSIRT and after intervention by CISA, no response was ever received.

Quote – Frank Breedijk, Crisis Manager & CNA DIVD

“Given that vulnerabilities like these have been present in an online tool for so long, it would surprise me if it hasn’t already been exploited. We would like to extend our sincere thanks to the people at CISA for their assistance in trying to reach out — despite receiving no response.”

Casefile: https://csirt.divd.nl/cases/DIVD-2025-00001/ 

Product warning: https://csirt.divd.nl/2025/04/14/SicommNet-Basec-product-warning/