CVE-2025-15623

EUVD-2025-209513 | CRITICAL
2026-04-17 | NCSC-FI | GHSA-mqmv-fjj3-cwjx
CVSS 4.0 base score: 9.3

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:C/RE:M/U:Red

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: None
Vulnerable System Impact: Confidentiality High, Integrity High, Availability None
Subsequent System Impact: Confidentiality Low, Integrity Low, Availability None

Supplemental metrics (the S metric is Safety, not Scope; CVSS 4.0 has no Scope metric): Safety Present (S:P), Automatable Yes (AU:Y), Value Density Concentrated (V:C), Vulnerability Response Effort Moderate (RE:M), Provider Urgency Red (U:Red)

Lifecycle Timeline (4 events)

- Apr 17, 2026 15:29 (vuln.today): Analysis Updated, v2 (cvss_changed)
- Apr 17, 2026 15:22 (vuln.today): Re-analysis Queued (cvss_changed)
- Apr 17, 2026 11:26 (vuln.today): Analysis Generated
- Apr 17, 2026 09:22 (NVD): CVSS Changed, 9.3 (CRITICAL)

Description (NVD)

Exposure of Private Personal Information to an Unauthorized Actor, Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server.

An unauthenticated user can retrieve the database password in plaintext in certain situations.

Analysis (AI)

Sparx Systems Pro Cloud Server 6.0.163 discloses the repository database password in plaintext to an unauthenticated remote requester. The NVD description qualifies this with "in certain situations" and does not name the request, feature or condition involved, so the precise trigger is not public; what is established is that no credentials are needed to obtain the password. The CVSS 4.0 vector (9.3 Critical, AV:N/AC:L/AT:N/PR:N/UI:N, VC:H/VI:H) rates it as reachable over the network with no preconditions or user interaction, with high confidentiality and integrity impact on the vulnerable system. CISA SSVC classifies it as automatable with total technical impact; no active exploitation is currently documented (EPSS 0.05%, no KEV listing). The vendor's product history lists the fix in version 6.1.

Technical Context (AI)

Pro Cloud Server (CPE cpe:2.3:a:sparx_systems_pty_ltd.:sparx_pro_cloud_server) is the server component that publishes Enterprise Architect model repositories over HTTP(S) to modelling clients and collaboration tools; to do so it stores a connection credential for each backend repository database. NVD records two weaknesses: CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor) and CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere). The second is the operative one here: the leaked item is a database password, which is infrastructure configuration rather than end-user data, although the data reachable with that password includes user records. The public description does not state where in the web interface or API the password is returned, or what the "certain situations" are; treat any instance reachable by untrusted clients as exposed until patched. Because the leaked credential is the one the server itself uses, an attacker who can also reach the database port obtains whatever that account is granted, which in a typical deployment is full read and write access to the repository (all architecture models, user accounts and metadata), bypassing every access control Pro Cloud Server itself enforces.

Remediation (AI)

1. Upgrade Pro Cloud Server to version 6.1 or later, as documented in the vendor's product history at https://sparxsystems.com/products/procloudserver/6.1/history.html. Schedule this as an emergency maintenance window: plaintext exposure of the repository credential is equivalent to database compromise.
2. Rotate every database credential referenced in the Pro Cloud Server configuration immediately after the upgrade. Patching stops further disclosure but does not invalidate a password that was already copied, so the exposure window stays open until rotation, not until the upgrade.
3. Review database access logs for the whole window from deployment of the vulnerable version through credential rotation. Look for logins with the Pro Cloud Server's database account from addresses other than the Pro Cloud Server hosts, and for connections at times when the service would not normally be in use.
4. If immediate patching is not feasible, apply compensating controls: restrict network access to the Pro Cloud Server interfaces with firewall rules that permit only trusted client and management networks (NOT internet-facing); restrict the database listener so that only the Pro Cloud Server hosts can connect, which makes a leaked password insufficient on its own; enable full request logging on the server to detect reconnaissance; and add web application firewall rules for the leaking request only if you know its pattern, since the public description does not give one.

Network restrictions substantially reduce exploitability for an AV:N flaw but do not remove the risk from internal attackers or from a compromised trusted network.
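The log-review step above, as an added example that is not vuln.today's or Sparx Systems' code. It scans database login records for use of the Pro Cloud Server's own database account, inside the exposure window, from addresses outside the networks where Pro Cloud Server hosts live. The log line format, the `pcs_app` account, the `10.20.0.0/16` trusted range, the window dates and the sample lines are all constructed for illustration; point `parse_line` at the audit log your database engine actually writes. The window deliberately closes at the credential rotation date rather than the patch date, so a login after the upgrade but before rotation is still flagged.

```python
"""Review database login records for use of the Pro Cloud Server's account
during the exposure window.

Added example for the log-review step; not vuln.today's or Sparx Systems'
code. Log format, addresses, account name and window dates are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample lines in a generic "timestamp login user= src= db= result=" form.
SAMPLE_LOG = """\
2026-04-10T08:02:11Z login user=pcs_app src=10.20.0.15 db=ea_repo result=ok
2026-04-12T22:41:03Z login user=pcs_app src=203.0.113.77 db=ea_repo result=ok
2026-04-13T03:15:49Z login user=pcs_app src=198.51.100.9 db=ea_repo result=fail
2026-04-14T09:00:00Z login user=dba_jane src=10.20.0.40 db=ea_repo result=ok
2026-04-20T10:30:00Z login user=pcs_app src=203.0.113.77 db=ea_repo result=ok
malformed line that the parser must skip
"""

# Assumed environment: Pro Cloud Server hosts live in 10.20.0.0/16, the server
# authenticates to the repository as 'pcs_app', the vulnerable build went live
# on 2026-04-01 and the credential was rotated on 2026-04-21.
TRUSTED_NETS = ("10.20.0.0/16",)
EXPOSED_USERS = frozenset({"pcs_app"})
WINDOW_START = datetime(2026, 4, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 21, tzinfo=timezone.utc)  # rotation date, not patch date

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"db=(?P<db>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: datetime
    user: str
    src: str
    db: str
    result: str
    reason: str


def parse_line(line: str) -> dict | None:
    """Return the fields of one log line, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.fromisoformat(fields["ts"].replace("Z", "+00:00"))
    return fields


def review_connections(log_text, trusted_nets, exposed_users, window_start, window_end):
    """Flag logins by an exposed account, inside the window, from outside trusted networks."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] not in exposed_users:
            continue
        if not (window_start <= rec["ts"] <= window_end):
            continue
        addr = ipaddress.ip_address(rec["src"])
        if any(addr in net for net in trusted):
            continue  # expected: the Pro Cloud Server hosts themselves
        reason = ("successful login from outside trusted networks"
                  if rec["result"] == "ok"
                  else "failed login from outside trusted networks")
        findings.append(Finding(rec["ts"], rec["user"], rec["src"],
                                rec["db"], rec["result"], reason))
    return findings


def summarize(findings):
    """Count findings per source address, for a quick view of who used the account."""
    counts = {}
    for f in findings:
        counts[f.src] = counts.get(f.src, 0) + 1
    return counts


def run_review():
    """Run the review over the constructed sample with the assumed environment."""
    return review_connections(SAMPLE_LOG, TRUSTED_NETS, EXPOSED_USERS,
                              WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    found = run_review()
    for f in found:
        print(f"{f.ts.isoformat()} {f.user}@{f.db} from {f.src}: {f.reason}")
    print("by source:", summarize(found))
```

On the sample, the two successful logins from 203.0.113.77 (one of them after the patch date but before rotation) and the failed attempt from 198.51.100.9 are reported; the login from 10.20.0.15 and the DBA's own login are not. Failed attempts are kept on purpose: a failure from an unexpected address after rotation is the signal that someone holds the old password.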

CVE-2025-15623 vulnerability details – vuln.today