CVSS Vector (NVD)
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:C/RE:M/U:Red
Lifecycle Timeline
Description (NVD)
Insufficiently Protected Credentials vulnerability in Sparx Systems Pty Ltd. Sparx Enterprise Architect. The client reveals a plaintext OAuth2 client secret: the desktop client decodes the secret and uses the plaintext secret to exchange it for access and ID tokens as part of the OpenID authentication flow.
Analysis (AI)
Sparx Enterprise Architect client stores and transmits OAuth2 client secrets in plaintext, allowing local attackers to extract credentials and impersonate the application to obtain unauthorized access tokens. The vulnerability affects at least version 16.1.1627 and potentially earlier versions; local file system access is required to retrieve the exposed secrets, but once obtained, an attacker can perform remote authentication without additional privileges. NCSC-FI reported this vulnerability and it is tracked as EUVD-2025-209512; exploitation likelihood is elevated due to the ease of credential extraction from local storage.
Technical Context (AI)
This vulnerability stems from improper credential storage in Sparx Enterprise Architect's OpenID Connect (OIDC) authentication implementation. The application stores OAuth2 client secrets (sensitive material used to prove the application's identity to an authorization server) in plaintext or in a merely encoded, not encrypted, form in local client-side storage. During the OIDC flow, the desktop client decodes these secrets and uses them to exchange authorization codes for access and ID tokens. The root cause is classified as CWE-522 (Insufficiently Protected Credentials), indicating a failure to apply appropriate encryption or secure storage mechanisms. An attacker with local file system access can locate and read these plaintext secrets, then replay them in authentication requests to any OpenID provider that recognizes the client ID, effectively impersonating the legitimate Sparx Enterprise Architect application and obtaining tokens that grant access to protected resources.
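As an added illustration, not code from Sparx Systems or from this record, the following contrasts the pattern the analysis describes (a desktop client that decodes an "encoded" secret and sends it on every token request) with the design that leaves nothing on disk to protect: a native app registered as a public client using PKCE (RFC 7636, which RFC 8252 recommends for native apps). The config contents, client ID and secret value are constructed samples.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlencode

# Constructed sample config: the secret is base64 "encoded", not encrypted.
# Any process that can read the file can turn it back into plaintext.
WEAK_CONFIG = json.dumps({
    "client_id": "desktop-client-example",  # constructed value
    "client_secret_enc": base64.b64encode(b"example-secret-0001").decode(),
})

def recover_secret(config_text: str) -> str:
    """Encoding is reversible: this is exactly what the client does before use."""
    return base64.b64decode(json.loads(config_text)["client_secret_enc"]).decode()

def weak_token_request(config_text: str, code: str) -> str:
    """Confidential-client exchange: the plaintext secret rides on every token request."""
    cfg = json.loads(config_text)
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "client_id": cfg["client_id"],
                      "client_secret": recover_secret(config_text)})

def make_pkce_pair():
    """Fresh per-login code_verifier and its S256 code_challenge (RFC 7636)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge

def hardened_token_request(client_id: str, code: str, verifier: str) -> str:
    """Public-client exchange: no client_secret exists, so there is nothing to extract."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "client_id": client_id, "code_verifier": verifier})

def server_accepts_verifier(verifier: str, challenge: str) -> bool:
    """The authorization server's check: S256(verifier) must equal the challenge it stored."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    expected = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return hmac.compare_digest(expected, challenge)
```

The verifier is generated per login and never written to disk, so a local reader of the config directory gains nothing reusable; compare the two request bodies to see which one carries a long-lived credential.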
Remediation (AI)
Contact Sparx Systems immediately to confirm patch availability and the recommended upgrade path. If a patched version is available, upgrade to the latest release specified by Sparx Systems, paying particular attention to any security-specific update notes in the release history. If no patch is yet available, implement the following compensating controls:
(1) Restrict file system access to the Sparx Enterprise Architect configuration and cache directories (typically %APPDATA%\Sparx Systems on Windows) using OS-level access controls, limiting access to the specific user account running the application; this prevents credential extraction by other user accounts or by malware running as them.
(2) Disable or restrict OpenID authentication in Sparx Enterprise Architect if an alternative authentication method is available, reducing the exposure window for credential misuse.
(3) Use endpoint detection and response (EDR) tools to monitor for unauthorized access to the configuration directories and for suspicious authentication token requests originating from the local network.
(4) Revoke or rotate the OAuth2 client credentials registered with any OpenID provider that Sparx Enterprise Architect authenticates to, then re-register the application using the vendor-recommended process once a patch is confirmed; this invalidates any credentials already extracted.
The trade-off of restricting file access is reduced usability for system administration tasks, but the security benefit justifies this in sensitive environments. Consult the Sparx Systems advisory and the NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2025-15622) for the most current guidance.
EUVD-2025-209512
GHSA-g7j3-235h-9jvv