CVE-2025-15623
CWE-359Published: April 17, 2026· Updated: Apr 17, 2026
Official Description
Exposure of Private Personal Information to an Unauthorized Actor, : Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server.
Unauthenticated user can retrieve database password in plaintext in certain situations
Risk Analysis
This critical vulnerability in Sparx Pro Cloud Server allows unauthenticated users to retrieve database passwords in plaintext under certain conditions. With a CVSS score of 9.3, this flaw poses a significant risk of unauthorized access to sensitive database information and potential system compromise. The absence of an EPSS score means its exploitation likelihood is not yet predicted, but the critical severity requires urgent attention.
No public exploit is currently known for this vulnerability. The remote attack vector (AV:N) indicates it can be exploited over a network.
Organizations using Sparx Pro Cloud Server should apply vendor patches to prevent the exposure of sensitive information. Implement robust access controls and ensure that database credentials are never stored or transmitted in plaintext.
Technical Analysis
CVE-2025-15623 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.
CVSS v3.1 Vector Breakdown
Exploit & PoC Resources
All References (1)
Quick Facts
Related CVEs (CWE-359)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2025-15623 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts