Description
Plaintext Storage of a Password vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server.
In a setup where OpenID is used as the primary method of authentication to Sparx EA, Pro Cloud Server creates local passwords for the users and stores them in plaintext.
Published: 2026-04-17
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Plaintext credential exposure
Action: Immediate patch
AI Analysis

Impact

Sparx Pro Cloud Server creates local passwords for users who authenticate through OpenID and stores those passwords in plaintext (CWE-256). Anyone who can read the server's local storage or database, including backups and exports of it, obtains working credentials directly, with no cracking step. That breaks the confidentiality of every affected account and allows unauthorized access to Sparx EA and to any integrated service that accepts the same credential.

Affected Systems

The vulnerability affects Sparx Systems Pty Ltd.'s Sparx Pro Cloud Server. No specific version range is listed, so every installation that uses OpenID as the primary authentication method should be treated as affected until the vendor states otherwise.

Risk and Exploitability

The flaw carries a CVSS 4.0 base score of 9.3 (Critical), derived from a vector of AV:N/AC:L/AT:N/PR:N/UI:N with high confidentiality and integrity impact on the vulnerable system and no impact on subsequent systems. The EPSS score is below 1% (Very Low), and the CVE is not listed in CISA's KEV catalogue; the SSVC assessment records no known exploitation but rates the flaw as Automatable with total technical impact. One caveat for anyone triaging this: the vector claims network reachability with no privileges, whereas a plaintext-storage weakness is normally exploited by whoever can read the credential store (file system, database, backup, or export), and the record describes no remote path. Treat the score as the assigner's judgement and plan on storage-read access as the minimum attacker capability. Once the store is read, the passwords need no cracking and can be used to impersonate users, escalate privileges, and reach integrated services that accept the same credentials.

Generated by OpenCVE AI on April 17, 2026 at 10:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the vendor update once Sparx Systems publishes one. A correct fix stores only a salted password hash produced by a password-hashing function (scrypt, bcrypt or Argon2) or stops creating local passwords for OpenID users altogether; encrypting the stored passwords is not equivalent, since a key kept on the same host is readable by the same attacker who can read the store.
  • If the product offers a setting that prevents local password creation when OpenID is the primary authentication method, enable it so that OpenID is the only accepted credential. The record does not say whether such a setting exists, so confirm this against the vendor documentation rather than assuming it.
  • Restrict file-system and database permissions on the credential store so that only the service account and privileged administrators can read it, handle backups and exports of that store as secrets, and log and alert on reads of it. Because the passwords are already in plaintext, assume any past exposure of the store has leaked them and rotate the affected local passwords.
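The following is an added example for this page, not code from Sparx Systems or from Pro Cloud Server. It shows the storage pattern the Impact section describes (a local password written as-is) next to the hardened form the first recommended action calls for, and the audit check an operator would run over an exported credential table while waiting for a vendor fix. The `$scrypt$...` record layout, the dictionary used as the credential store, the scrypt cost settings and the `provision_openid_user` helper are all assumptions chosen for the example; they say nothing about how Pro Cloud Server actually stores or provisions credentials.

```python
"""
Added example (not Sparx Systems code): CWE-256 in the pattern the advisory
describes, beside the hardened equivalent. A server that provisions a local
credential for an OpenID-authenticated user must never keep the secret itself;
it should keep a salted, memory-hard hash and verify against that.
The "$scrypt$..." record layout and the in-memory dict store are assumptions
made for this example, not Pro Cloud Server's real storage format.
"""
import hashlib
import hmac
import os
import secrets

# scrypt cost settings (~16 MiB of memory per hash), chosen for the example,
# not taken from the product. Raise N on hardware that can afford it.
SCRYPT_N, SCRYPT_R, SCRYPT_P, SALT_LEN, DK_LEN = 2 ** 14, 8, 1, 16, 32


def store_plaintext(store: dict, username: str, password: str) -> None:
    """The vulnerable pattern: the local password is written as-is.
    Anyone who can read `store` (file, DB dump, backup) holds the credential."""
    store[username] = password


def store_hashed(store: dict, username: str, password: str) -> str:
    """Hardened pattern: keep only a salted scrypt hash. Reading `store`
    yields nothing that is directly usable as a credential."""
    salt = os.urandom(SALT_LEN)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    record = f"$scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"
    store[username] = record
    return record


def verify_hashed(store: dict, username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare in
    constant time. A plaintext record never verifies, so a migration that
    leaves old rows behind fails closed instead of silently accepting them."""
    record = store.get(username)
    if record is None or not record.startswith("$scrypt$"):
        return False
    _, _, n, r, p, salt_hex, dk_hex = record.split("$")
    dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=len(dk_hex) // 2)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def audit_store(store: dict) -> list:
    """Return the usernames whose record is not in the hashed layout, i.e. the
    entries an attacker with read access could use directly. This is the check
    to run over an exported credential table (format assumed here)."""
    return sorted(u for u, rec in store.items() if not rec.startswith("$scrypt$"))


def provision_openid_user(store: dict, subject: str) -> str:
    """Hypothetical helper simulating the server creating a local credential
    for a user who really authenticates via OpenID (the advisory's setup).
    If a local secret must exist at all, generate it randomly, persist only
    its hash, and hand the one-time value to the caller."""
    generated = secrets.token_urlsafe(24)
    store_hashed(store, subject, generated)
    return generated


if __name__ == "__main__":
    # Constructed sample store: one row in the vulnerable layout, one hardened.
    creds = {}
    store_plaintext(creds, "alice", "hunter2")
    store_hashed(creds, "bob", "correct horse battery staple")
    print("directly usable records:", audit_store(creds))
    print("bob verifies:", verify_hashed(creds, "bob", "correct horse battery staple"))
    print("alice (plaintext row) verifies:", verify_hashed(creds, "alice", "hunter2"))
```

`audit_store` recognises the vulnerable rows only under the assumed record format; against a real export you would substitute whatever marker distinguishes hashed records in that store. The point of the constant-time compare and the random per-user salt is that a reader of the store learns neither the passwords nor whether two users share one.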

Generated by OpenCVE AI on April 17, 2026 at 10:21 UTC.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:00:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Sparxsystems
                                        Sparxsystems sparx Pro Cloud Server
Vendors & Products                      Sparxsystems
                                        Sparxsystems sparx Pro Cloud Server

Fri, 17 Apr 2026 12:15:00 +0000

Type       Values Removed    Values Added
Metrics                      ssvc
                             {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 17 Apr 2026 09:00:00 +0000

Type          Values Removed    Values Added
Description                     Plaintext Storage of a Password vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server.  In a setup where OpenID is used as the primary method of authentication to authenticate to Sparx EA, Pro Cloud Server creates local passwords to the users and stores them in plaintext.
Title                           Plaintext Storage of a Password in Sparx Pro Cloud Server.
Weaknesses                      CWE-256
References
Metrics                         cvssV4_0
                                {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/S:P/AU:Y/V:C/RE:M/U:Red'}


Subscriptions

Sparxsystems Sparx Pro Cloud Server
MITRE

Status: PUBLISHED

Assigner: NCSC-FI

Published:

Updated: 2026-04-17T11:58:38.118Z

Reserved: 2026-04-09T08:02:32.647Z

Link: CVE-2025-15624

Vulnrichment

Updated: 2026-04-17T11:58:30.673Z

NVD

Status : Awaiting Analysis

Published: 2026-04-17T09:16:04.723

Modified: 2026-04-17T15:13:15.930

Link: CVE-2025-15624

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:35:24Z

Weaknesses