CVSS Vector (source: NVD)
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:I/V:C/RE:M/U:Red
Description (source: NVD)
Unauthenticated user is able to execute arbitrary SQL commands in Sparx Pro Cloud Server database in certain cases.
Analysis (AI-generated)
SQL injection in Sparx Pro Cloud Server 6.0.163 allows remote, unauthenticated attackers to execute arbitrary SQL commands against the backend database, which in the worst case yields full compromise of the model repository and of the systems that trust it. Despite a critical CVSS 9.5 score with a network attack vector and no authentication required, attack complexity is rated High and EPSS estimates only a 0.06% probability of exploitation in the wild over the next 30 days (19th percentile). The SSVC decision points classify technical impact as total but exploitation as none and the vulnerability as not automatable; together with the NVD wording "in certain cases", this suggests exploitation depends on specialized knowledge or a non-default configuration. No active exploitation has been confirmed and no public exploit code was identified at the time of analysis.
Technical Context (AI-generated)
This is a classic SQL injection vulnerability (CWE-89) in Sparx Systems' Pro Cloud Server, the server component that hosts and serves Enterprise Architect model repositories. SQL injection occurs when user-controllable input is concatenated into a SQL statement without parameterization or correct escaping, so the attacker can change the structure of the statement (add a UNION, comment out the remainder, append a second statement) rather than merely supply a data value. The affected product (CPE: cpe:2.3:a:sparx_systems_pty_ltd.:sparx_pro_cloud_server) is listed as version 6.0.163. The CVSS 4.0 base metrics describe a network-reachable attack surface (AV:N) requiring no privileges (PR:N) and no user interaction (UI:N). Attack Requirements is None (AT:N), so no special deployment condition or race is needed; the High Attack Complexity (AC:H) instead means the attacker must take measurable extra steps to get past built-in protective controls, which is consistent with the NVD description's "in certain cases". Impact on the vulnerable system is High for confidentiality, integrity and availability (VC:H/VI:H/VA:H), and impact on subsequent systems is also High (SC:H/SI:H/SA:H), meaning a database compromise is expected to reach beyond the Pro Cloud Server itself, for example the backing DBMS host and any consumers that trust the repository contents. Note that CVSS 4.0 has no Scope metric: the trailing S:P is the supplemental Safety metric (Present), and the remaining supplemental values are Automatable: Yes (AU:Y), Recovery: Irrecoverable (R:I), Value Density: Concentrated (V:C), Vulnerability Response Effort: Moderate (RE:M) and Provider Urgency: Red (U:Red). AU:Y conflicts with the SSVC "not automatable" decision cited in the analysis; the supplemental metrics reflect the provider's view and SSVC is a separate assessment, so do not treat either as settled.
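As an added illustration of the CWE-89 mechanism described above (example code written for this page, not Pro Cloud Server's code or anything from the advisory), the following Python uses an in-memory SQLite database with a constructed table layout (t_model and t_user are assumed names) to contrast a query built by string concatenation with its parameterized form. The same UNION payload that reads another table through the first function is treated as an ordinary string value by the second.

```python
import sqlite3

# Constructed schema for the demonstration; table and column names are
# assumptions and are not Pro Cloud Server's real repository schema.
SCHEMA = """
CREATE TABLE t_model (id INTEGER PRIMARY KEY, name TEXT, owner TEXT);
INSERT INTO t_model VALUES (1, 'ERP Architecture', 'alice');
INSERT INTO t_model VALUES (2, 'Payments Design', 'bob');
CREATE TABLE t_user (id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT);
INSERT INTO t_user VALUES (1, 'admin', 'constructed-hash');
"""


def build_db():
    """Return an in-memory SQLite connection loaded with the constructed data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, model_name):
    """CWE-89 pattern: the caller's string is spliced into the SQL text,
    so quotes, UNION and comment sequences inside it change the statement."""
    sql = f"SELECT id, name, owner FROM t_model WHERE name = '{model_name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, model_name):
    """Hardened form: a bound parameter reaches the engine as a value and is
    never parsed as SQL, so the same payload simply matches no row."""
    sql = "SELECT id, name, owner FROM t_model WHERE name = ?"
    return conn.execute(sql, (model_name,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    # Attacker-supplied value: closes the literal, appends a UNION that reads
    # t_user, and comments out the trailing quote the template would add.
    union_payload = "x' UNION SELECT id, login, pw_hash FROM t_user --"
    print("vulnerable:", lookup_vulnerable(db, union_payload))
    print("safe:      ", lookup_safe(db, union_payload))
    # Tautology: turns the WHERE clause into an always-true condition.
    print("vulnerable:", lookup_vulnerable(db, "' OR '1'='1"))
```

The column count in the injected SELECT has to match the original query's three columns for the UNION to succeed, which is one reason real-world exploitation takes probing and contributes to a High attack complexity even when the injection point is unauthenticated.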
Remediation (AI-generated)
Upgrade Sparx Pro Cloud Server to version 6.1 or later; the vendor's product history page (https://sparxsystems.com/products/procloudserver/6.1/history.html) records the SQL injection fix in the 6.1 release branch. Until the upgrade is complete, apply compensating controls:
- Run the Pro Cloud Server database account with the minimum privileges the product needs: no DBA or sysadmin role, no access to databases or tables outside the repository schema, and only the stored procedures it actually calls. This bounds what a successful injection can reach. Over-restrictive grants can break legitimate administrative functions, so validate the grant set against a test instance before applying it in production.
- Enable database query logging and alert on anomalous statements from the application account: UNION-based retrieval, comment sequences (-- or /*) that truncate the statement, stacked queries, and time-based blind indicators such as SLEEP, pg_sleep, BENCHMARK or WAITFOR DELAY.
- Put a web application firewall or filtering reverse proxy in front of the server with rules that inspect SQL metacharacters in user-controllable parameters. Expect false positives, because model content legitimately contains SQL-like text; run the rules in detect-only mode against logged traffic and tune them before switching to blocking.
- Restrict network access to the Pro Cloud Server, and in particular to its management interface, to trusted IP ranges, shrinking the exposure implied by AV:N.
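The query-log monitoring item above can be implemented as a weighted indicator match. The following Python is an added example written for this page (not a vuln.today or Sparx Systems tool); the log format, account name and table names are assumed, and SAMPLE_LOG is constructed. Strong indicators (UNION SELECT, timing functions, quoted tautologies, stacked DDL/DML) carry enough weight to fire alone, while a bare comment sequence is only a weak signal, so a lone "--" inside legitimate model text does not raise an alert. That weighting is the false-positive trade-off the remediation describes.

```python
import re

# Constructed query-log sample in an assumed "key=value" format; these are not
# real Pro Cloud Server or DBMS log lines.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z db=pcs user=pcs_app query=SELECT id, name FROM t_model WHERE name = 'ERP Architecture'
2025-06-01T10:00:02Z db=pcs user=pcs_app query=SELECT id, name FROM t_model WHERE name = 'x' UNION SELECT id, login FROM t_user --'
2025-06-01T10:00:03Z db=pcs user=pcs_app query=SELECT id FROM t_model WHERE name = 'x' AND (SELECT 1 FROM pg_sleep(5)) IS NOT NULL --'
2025-06-01T10:00:04Z db=pcs user=pcs_app query=INSERT INTO t_note (body) VALUES ('Interface spec -- see section 4')
2025-06-01T10:00:05Z db=pcs user=pcs_app query=SELECT id FROM t_model WHERE name = '' OR '1'='1'
"""

# (name, pattern, weight). Weight-2 indicators reach the default threshold on
# their own; the weight-1 comment sequence only matters in combination.
INDICATORS = [
    ("union_select", re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I), 2),
    ("time_based", re.compile(r"\b(?:pg_sleep|sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I), 2),
    ("tautology", re.compile(r"\bor\b\s*'([^']*)'\s*=\s*'\1'", re.I), 2),
    ("stacked_query", re.compile(r";\s*(?:drop|delete|update|insert|alter|exec|execute)\b", re.I), 2),
    ("comment_seq", re.compile(r"--|/\*"), 1),
]

# Assumed log layout: the SQL text follows "query=" and runs to end of line.
QUERY_RE = re.compile(r"\bquery=(.*)$")


def score_query(query):
    """Return (total_weight, [indicator names]) for one SQL statement."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(query)]
    total = sum(weight for name, _, weight in INDICATORS if name in hits)
    return total, hits


def scan_log(text, threshold=2):
    """Return (timestamp, score, indicators) for lines scoring at or above threshold."""
    findings = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        total, hits = score_query(m.group(1))
        if total >= threshold:
            findings.append((line.split(" ", 1)[0], total, hits))
    return findings


if __name__ == "__main__":
    for ts, total, hits in scan_log(SAMPLE_LOG):
        print(f"{ts} score={total} indicators={','.join(hits)}")
```

Lowering the threshold to 1 surfaces the note-text line as well, which is the trade-off to decide on after reviewing a sample of real traffic: the indicator list is deliberately small and easy to extend, but any pattern-based detector of this kind is a compensating control, not a substitute for the 6.1 upgrade.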
External POC / Exploit Code (the entries below are advisory records, not exploit code; none was identified at the time of analysis)
EUVD-2025-209515
GHSA-cpjc-5x9w-83h8