CVE-2025-15623 (GCVE-0-2025-15623)
Vulnerability from cvelistv5 – Published: 2026-04-17 08:37 – Updated: 2026-04-17 12:19
VLAI?
Title
Sparx Pro Cloud Server reveals sensitive information to an unauthenticated user
Summary
Exposure of Private Personal Information to an Unauthorized Actor, : Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server.
Unauthenticated user can retrieve database password in plaintext in certain situations
Severity ?
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Sparx Systems Pty Ltd. | Sparx Pro Cloud Server |
Affected:
6.0.163
|
Credits
Pasi Orovuo, Solita Oy
Henri Hämäläinen, Solita Oy
Samu Ahvenainen, Solita Oy
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-15623",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-17T12:00:21.330537Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T12:19:21.714Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Sparx Pro Cloud Server",
"vendor": "Sparx Systems Pty Ltd.",
"versions": [
{
"status": "affected",
"version": "6.0.163"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pasi Orovuo, Solita Oy"
},
{
"lang": "en",
"type": "finder",
"value": "Henri H\u00e4m\u00e4l\u00e4inen, Solita Oy"
},
{
"lang": "en",
"type": "finder",
"value": "Samu Ahvenainen, Solita Oy"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cspan\u003eExposure of Private Personal Information to an Unauthorized Actor, : Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server.\u003c/span\u003e\u003c/div\u003e\u003cp\u003e\u003cspan\u003eUnauthenticated user can retrieve database password in plaintext in certain situations\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Exposure of Private Personal Information to an Unauthorized Actor, : Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server.\n\nUnauthenticated user can retrieve database password in plaintext in certain situations"
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "PRESENT",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "RED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/S:P/AU:Y/V:C/RE:M/U:Red",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-359",
"description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T08:37:27.611Z",
"orgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166",
"shortName": "NCSC-FI"
},
"references": [
{
"url": "https://sparxsystems.com/products/procloudserver/6.1/history.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Sparx Pro Cloud Server reveals sensitive information to an unauthenticated user",
"x_generator": {
"engine": "Vulnogram 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166",
"assignerShortName": "NCSC-FI",
"cveId": "CVE-2025-15623",
"datePublished": "2026-04-17T08:37:27.611Z",
"dateReserved": "2026-04-09T08:02:30.837Z",
"dateUpdated": "2026-04-17T12:19:21.714Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-15623",
"date": "2026-04-17",
"epss": "0.00051",
"percentile": "0.16034"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-15623\",\"sourceIdentifier\":\"db4dfee8-a97e-4877-bfae-eba6d14a2166\",\"published\":\"2026-04-17T09:16:04.593\",\"lastModified\":\"2026-04-17T15:13:15.930\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Exposure of Private Personal Information to an Unauthorized Actor, : Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server.\\n\\nUnauthenticated user can retrieve database password in plaintext in certain situations\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"db4dfee8-a97e-4877-bfae-eba6d14a2166\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:C/RE:M/U:Red\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"PRESENT\",\"Automatable\":\"YES\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"CONCENTRATED\",\"vulnerabilityResponseEffort\":\"MODERATE\",\"providerUrgency\":\"RED\"}}]},\"weaknesses\":[{\"source\":\"db4dfee8-a97e-4877-bfae-eba6d14a2166\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-359\"},{\"lang\":\"en\",\"value\":\"CWE-497\"}]}],\"references\":[{\"url\":\"https://sparxsystems.com/products/procloudserver/6.1/history.html\",\"source\":\"db4dfee8-a97e-4877-bfae-eba6d14a2166\"}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"providerMetadata\": {\"orgId\": \"db4dfee8-a97e-4877-bfae-eba6d14a2166\", \"shortName\": \"NCSC-FI\", \"dateUpdated\": \"2026-04-17T08:37:27.611Z\"}, \"title\": \"Sparx Pro Cloud Server reveals sensitive information to an unauthenticated user\", \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"cweId\": \"CWE-359\", \"description\": \"CWE-359: Exposure of Private Personal Information to an Unauthorized Actor\", \"type\": \"CWE\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"cweId\": \"CWE-497\", \"description\": \"CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere\", \"type\": \"CWE\"}]}], \"affected\": [{\"vendor\": \"Sparx Systems Pty Ltd.\", \"product\": \"Sparx Pro Cloud Server\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.0.163\"}], \"defaultStatus\": \"unknown\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Exposure of Private Personal Information to an Unauthorized Actor, : Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server.\\n\\nUnauthenticated user can retrieve database password in plaintext in certain situations\", \"supportingMedia\": [{\"type\": \"text/html\", \"base64\": false, \"value\": \"\u003cdiv\u003e\u003cspan\u003eExposure of Private Personal Information to an Unauthorized Actor, : Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server.\u003c/span\u003e\u003c/div\u003e\u003cp\u003e\u003cspan\u003eUnauthenticated user can retrieve database password in plaintext in certain situations\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cbr\u003e\u003c/p\u003e\"}]}], \"references\": [{\"url\": \"https://sparxsystems.com/products/procloudserver/6.1/history.html\"}], \"metrics\": [{\"format\": \"CVSS\", \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}], \"cvssV4_0\": {\"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"HIGH\", \"subIntegrityImpact\": \"LOW\", \"vulnAvailabilityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"exploitMaturity\": \"NOT_DEFINED\", \"Safety\": \"PRESENT\", \"Automatable\": \"YES\", \"Recovery\": \"NOT_DEFINED\", \"valueDensity\": \"CONCENTRATED\", \"vulnerabilityResponseEffort\": \"MODERATE\", \"providerUrgency\": \"RED\", \"version\": \"4.0\", \"baseSeverity\": \"CRITICAL\", \"baseScore\": 9.3, \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/S:P/AU:Y/V:C/RE:M/U:Red\"}}], \"credits\": [{\"lang\": \"en\", \"value\": \"Pasi Orovuo, Solita Oy\", \"type\": \"finder\"}, {\"lang\": \"en\", \"value\": \"Henri H\\u00e4m\\u00e4l\\u00e4inen, Solita Oy\", \"type\": \"finder\"}, {\"lang\": \"en\", \"value\": \"Samu Ahvenainen, Solita Oy\", \"type\": \"finder\"}], \"source\": {\"discovery\": \"EXTERNAL\"}, \"x_generator\": {\"engine\": \"Vulnogram 1.0.0\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-15623\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-17T12:00:21.330537Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-17T12:19:13.648Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2025-15623\", \"assignerOrgId\": \"db4dfee8-a97e-4877-bfae-eba6d14a2166\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"NCSC-FI\", \"dateReserved\": \"2026-04-09T08:02:30.837Z\", \"datePublished\": \"2026-04-17T08:37:27.611Z\", \"dateUpdated\": \"2026-04-17T12:19:21.714Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…