CVE-2025-15624: CWE-256: Plaintext Storage of a Password in Sparx Systems Pty Ltd. Sparx Pro Cloud Server
CVE-2025-15624 is a critical vulnerability in Sparx Systems Pty Ltd. 's Sparx Pro Cloud Server version 6. 0. 163 where local passwords created for users during OpenID authentication are stored in plaintext. This improper storage of passwords (CWE-256) exposes sensitive credentials to potential unauthorized access. The vulnerability has a high CVSS 4. 0 score of 9. 3, indicating significant risk if exploited. No official patch or remediation guidance is currently available from the vendor. There are no known exploits in the wild at this time.
AI Analysis
Technical Summary
This vulnerability involves the plaintext storage of user passwords in Sparx Pro Cloud Server when OpenID is used as the primary authentication method. The server generates local passwords for users and stores them without encryption or hashing, violating secure credential storage best practices (CWE-256). This exposure could allow attackers who gain access to the storage medium to retrieve user passwords directly. The vulnerability affects version 6.0.163 of the product. No vendor advisory or patch information is currently provided, and the product is not a cloud service, so remediation depends on vendor updates.
Potential Impact
The impact of this vulnerability is the potential disclosure of user passwords in plaintext, which could lead to unauthorized access to user accounts if an attacker obtains the stored password data. Given the critical CVSS score of 9.3, the vulnerability poses a severe risk to confidentiality and potentially integrity of user authentication. However, no known exploits have been reported in the wild so far.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, organizations should consider limiting access to the storage location of these passwords and monitor for unauthorized access. Avoid relying solely on OpenID authentication without additional security controls. Follow updates from Sparx Systems Pty Ltd. for any forthcoming patches or official mitigations.
CVE-2025-15624: CWE-256: Plaintext Storage of a Password in Sparx Systems Pty Ltd. Sparx Pro Cloud Server
Description
CVE-2025-15624 is a critical vulnerability in Sparx Systems Pty Ltd. 's Sparx Pro Cloud Server version 6. 0. 163 where local passwords created for users during OpenID authentication are stored in plaintext. This improper storage of passwords (CWE-256) exposes sensitive credentials to potential unauthorized access. The vulnerability has a high CVSS 4. 0 score of 9. 3, indicating significant risk if exploited. No official patch or remediation guidance is currently available from the vendor. There are no known exploits in the wild at this time.
CVSS v4.0
Score 9.3critical
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability involves the plaintext storage of user passwords in Sparx Pro Cloud Server when OpenID is used as the primary authentication method. The server generates local passwords for users and stores them without encryption or hashing, violating secure credential storage best practices (CWE-256). This exposure could allow attackers who gain access to the storage medium to retrieve user passwords directly. The vulnerability affects version 6.0.163 of the product. No vendor advisory or patch information is currently provided, and the product is not a cloud service, so remediation depends on vendor updates.
Potential Impact
The impact of this vulnerability is the potential disclosure of user passwords in plaintext, which could lead to unauthorized access to user accounts if an attacker obtains the stored password data. Given the critical CVSS score of 9.3, the vulnerability poses a severe risk to confidentiality and potentially integrity of user authentication. However, no known exploits have been reported in the wild so far.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, organizations should consider limiting access to the storage location of these passwords and monitor for unauthorized access. Avoid relying solely on OpenID authentication without additional security controls. Follow updates from Sparx Systems Pty Ltd. for any forthcoming patches or official mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- NCSC-FI
- Date Reserved
- 2026-04-09T08:02:32.647Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e1f70182d89c981fb0d48c
Added to database: 4/17/2026, 9:01:53 AM
Last enriched: 4/24/2026, 4:21:44 PM
Last updated: 6/1/2026, 5:46:14 AM
Views: 71
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.