CVE-2025-15625
Published 2026-04-17
CVE-2025-15625: Unauthenticated user is able to execute arbitrary SQL commands in Sparx Pro Cloud Server database in certain cases.
Priority P265 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.42% (33.7th percentile)
Unauthenticated user is able to execute arbitrary SQL commands in Sparx Pro Cloud Server database in certain cases.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sparx_systems_pty_ltd | sparx_pro_cloud_server | — | — |
| sparxsystems | pro_cloud_server | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.5 | CRITICAL | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:I/V:C/RE:M/U:Red |
VulDB
Sparx Systems Sparx Pro Cloud Server 6.0.163 sql injection
vuldb·2026-04-17·CVSS 9.5
CVE-2025-15625 [CRITICAL] Sparx Systems Sparx Pro Cloud Server 6.0.163 sql injection
A vulnerability was found in Sparx Systems Sparx Pro Cloud Server 6.0.163. It has been declared as critical. The affected element is an unknown function. The manipulation results in sql injection.
This vulnerability is identified as CVE-2025-15625. The attack can be executed remotely. There is not any exploit available.
GHSA
GHSA-cpjc-5x9w-83h8: Unauthenticated user is able to execute arbitrary SQL commands in Sparx Pro Cloud Server database in certain cases
ghsa_unreviewed·2026-04-17
CVE-2025-15625 [CRITICAL] CWE-89 GHSA-cpjc-5x9w-83h8: Unauthenticated user is able to execute arbitrary SQL commands in Sparx Pro Cloud Server database in certain cases
Unauthenticated user is able to execute arbitrary SQL commands in Sparx Pro Cloud Server database in certain cases.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-04-17