{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15625", "assignerOrgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166", "state": "PUBLISHED", "assignerShortName": "NCSC-FI", "dateReserved": "2026-04-09T08:02:35.360Z", "datePublished": "2026-04-17T08:38:59.972Z", "dateUpdated": "2026-04-17T11:46:37.537Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166", "shortName": "NCSC-FI", "dateUpdated": "2026-04-17T08:38:59.972Z"}, "title": "Unauthenticated execution of arbitrary SQL queries in Sparx Pro Cloud Server", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "affected": [{"vendor": "Sparx Systems Pty Ltd.", "product": "Sparx Pro Cloud Server", "versions": [{"status": "affected", "version": "6.0.163"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "Unauthenticated user is able to\u00a0execute arbitrary SQL commands in Sparx Pro Cloud Server database in certain cases.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p><span>Unauthenticated user is able to&nbsp;</span>execute arbitrary SQL commands in Sparx Pro Cloud Server database in certain cases.</p>"}]}], "references": [{"url": "https://sparxsystems.com/products/procloudserver/6.1/history.html"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "Safety": "PRESENT", "Automatable": "YES", "Recovery": "IRRECOVERABLE", "valueDensity": "CONCENTRATED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "RED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.5, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:Y/R:I/V:C/RE:M/U:Red"}}], "credits": [{"lang": "en", "value": "Pasi Orovuo, Solita Oy", "type": "finder"}, {"lang": "en", "value": "Henri H\u00e4m\u00e4l\u00e4inen, Solita Oy", "type": "finder"}, {"lang": "en", "value": "Samu Ahvenainen, Solita Oy", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-17T11:46:00.424270Z", "id": "CVE-2025-15625", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T11:46:37.537Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15625", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-17T11:46:00.424270Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T11:46:33.692Z"}}], "cna": {"title": "Unauthenticated execution of arbitrary SQL queries in Sparx Pro Cloud Server", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Pasi Orovuo, Solita Oy"}, {"lang": "en", "type": "finder", "value": "Henri H\u00e4m\u00e4l\u00e4inen, Solita Oy"}, {"lang": "en", "type": "finder", "value": "Samu Ahvenainen, Solita Oy"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "PRESENT", "version": "4.0", "Recovery": "IRRECOVERABLE", "baseScore": 9.5, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:Y/R:I/V:C/RE:M/U:Red", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "RED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Sparx Systems Pty Ltd.", "product": "Sparx Pro Cloud Server", "versions": [{"status": "affected", "version": "6.0.163"}], "defaultStatus": "unknown"}], "references": [{"url": "https://sparxsystems.com/products/procloudserver/6.1/history.html"}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "Unauthenticated user is able to\u00a0execute arbitrary SQL commands in Sparx Pro Cloud Server database in certain cases.", "supportingMedia": [{"type": "text/html", "value": "<p><span>Unauthenticated user is able to&nbsp;</span>execute arbitrary SQL commands in Sparx Pro Cloud Server database in certain cases.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166", "shortName": "NCSC-FI", "dateUpdated": "2026-04-17T08:38:59.972Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15625", "state": "PUBLISHED", "dateUpdated": "2026-04-17T11:46:37.537Z", "dateReserved": "2026-04-09T08:02:35.360Z", "assignerOrgId": "db4dfee8-a97e-4877-bfae-eba6d14a2166", "datePublished": "2026-04-17T08:38:59.972Z", "assignerShortName": "NCSC-FI"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Unauthenticated user is able to\u00a0execute arbitrary SQL commands in Sparx Pro Cloud Server database in certain cases."}], "id": "CVE-2025-15625", "lastModified": "2026-04-17T09:16:04.850", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "IRRECOVERABLE", "Safety": "PRESENT", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.5, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "RED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:I/V:C/RE:M/U:Red", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "source": "db4dfee8-a97e-4877-bfae-eba6d14a2166", "type": "Secondary"}]}, "published": "2026-04-17T09:16:04.850", "references": [{"source": "db4dfee8-a97e-4877-bfae-eba6d14a2166", "url": "https://sparxsystems.com/products/procloudserver/6.1/history.html"}], "sourceIdentifier": "db4dfee8-a97e-4877-bfae-eba6d14a2166", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}, {"lang": "en", "value": "CWE-200"}], "source": "db4dfee8-a97e-4877-bfae-eba6d14a2166", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T10:59:40.881796+00:00", "value": {"mitigation_remediation": ["Apply the latest vendor patch or upgrade to a corrected version of Sparx Pro Cloud Server.", "If a patch is not yet available, isolate the server behind a strict firewall and deny all inbound traffic except for the minimum ports required for legitimate operations.", "Configure the database server to reject arbitrary queries that are not part of the official API, for example by using a whitelist of permitted commands or by employing parameterized queries and escaping user input."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "Sparx Systems Pty Ltd. offers the Sparx Pro Cloud Server as the affected product. Specific version details are not disclosed in the available data, so all deployments of this server should be reviewed for risk.", "description_and_impact": "Unverified users can submit crafted requests that cause the Sparx Pro Cloud Server to execute arbitrary SQL statements against its database. The flaw allows attackers to read, modify, or delete data, potentially compromising confidentiality, integrity, and availability. The weakness is a classic SQL injection (CWE-89) that also leaks sensitive information (CWE-200).", "risk_and_exploitability": "With a CVSS score of 9.5 the vulnerability is considered Critical. The EPSS score is not available, but the lack of a KEV listing does not diminish the severity; an unauthenticated attacker can reach the vulnerable input surfaces over the network, so exploitation is likely if no mitigations exist. The attack vector is inferred to be remote, based on the description of unauthenticated access. Due to the high score, the risk to any exposed instance warrants rapid response."}}}}, "created": "2026-04-17T11:00:13.712624+00:00", "updated": "2026-04-17T11:00:13.712645+00:00", "vendors": []}