EUVD-2025-209514

CVE-2025-15624 CRITICAL
2026-04-17 NCSC-FI GHSA-9gf7-444h-6v98
CVSS 4.0 score: 9.3

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:C/RE:M/U:Red
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: P

Lifecycle Timeline

Analysis Updated: Apr 17, 2026 - 15:28 (vuln.today), v2 (cvss_changed)
Re-analysis Queued: Apr 17, 2026 - 15:22 (vuln.today), cvss_changed
Analysis Generated: Apr 17, 2026 - 11:26 (vuln.today)
CVSS Changed: Apr 17, 2026 - 09:22 (NVD), 9.3 (CRITICAL)

Description (NVD)

Plaintext Storage of a Password vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server. In a setup where OpenID is used as the primary method of authentication to Sparx EA, Pro Cloud Server creates local passwords for the users and stores them in plaintext.

Analysis (AI)

Sparx Pro Cloud Server 6.0.163 stores user passwords in plaintext when OpenID authentication is configured, allowing remote unauthenticated attackers with network access to the backend database or file system to extract credentials. The CVSS score of 9.3 (Critical) reflects network-accessible exposure of plaintext credentials. The EPSS score of 0.05% (15th percentile) indicates a low probability of widespread exploitation despite the severity. No active exploitation has been confirmed (the CVE is not in CISA KEV), but SSVC classifies it as automatable with total technical impact. The vendor has released version 6.1 with a fix, according to its change history.

Technical Context (AI)

CWE-256 (Plaintext Storage of a Password) occurs when an authentication system stores credentials without cryptographic hashing or encryption. Sparx Pro Cloud Server is an enterprise architecture modeling collaboration platform. When it is configured with OpenID Connect as the primary authentication mechanism, the affected version (6.0.163) creates local user accounts as a fallback or synchronization mechanism, but stores the passwords of those accounts in plaintext rather than as salted hashes (bcrypt, PBKDF2, Argon2, etc.). The CVSS 4.0 vector indicates a network attack vector (AV:N), low complexity (AC:L) and no required privileges (PR:N), meaning that any attacker with network access to the storage location (database server, backup files, or configuration directories) can read the credentials directly, with no cryptographic barrier. Per EUVD data, this affects cpe:2.3:a:sparx_systems_pty_ltd.:sparx_pro_cloud_server, specifically version 6.0.163.

Remediation (AI)

Upgrade immediately to Sparx Pro Cloud Server version 6.1 or later, which addresses this vulnerability according to the vendor release history at https://sparxsystems.com/products/procloudserver/6.1/history.html. After upgrading, force password resets for all local user accounts created during the vulnerable period, because the plaintext credentials may have been logged, backed up, or cached. If immediate patching is not feasible, implement compensating controls. Restrict network access to the backend database and configuration storage with firewall rules that allow only the application server IP addresses; this removes the remote attack vector but does not protect against local threats or a compromised application server. Enable database-level encryption at rest with key management separated from the application servers; this adds a cryptographic barrier, but the keys may still be reachable from compromised systems. Implement file integrity monitoring on the password storage locations with alerting on unauthorized access; this is detection only and does not prevent exposure. Disable local account creation by enforcing pure federated authentication without local fallback; this may break disaster recovery access, so document break-glass procedures. Note that compensating controls do not eliminate the plaintext storage vulnerability and should be treated only as temporary measures pending the upgrade.


EUVD-2025-209514 vulnerability details – vuln.today
