CVE-2025-15625

Analyzed Analyzed - Analysis Complete

SQL Injection in Sparx Pro Cloud Server Allows Arbitrary Commands

Publication date: 2026-04-17

Last updated on: 2026-06-02

Assigner: National Cyber Security Centre Finland

Description

Unauthenticated user is able to execute arbitrary SQL commands in Sparx Pro Cloud Server database in certain cases.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-04-17

Last Modified

2026-06-02

Generated

2026-06-16

AI Q&A

2026-04-17

EPSS Evaluated

2026-06-15

NVD

CVE-2025-15625

EUVD

EUVD-2025-209515

Affected Vendors & Products

Vendor	Product	Version / Range
sparxsystems	pro_cloud_server	6.0.163

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-200	The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE-200

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

Impact Analysis

The impact of this vulnerability is severe because it enables attackers without any authentication to run arbitrary SQL commands, potentially leading to unauthorized data access, data modification, or deletion within the Sparx Pro Cloud Server database.

Executive Summary

This vulnerability allows an unauthenticated user to execute arbitrary SQL commands on the Sparx Pro Cloud Server database under certain conditions.

Compliance Impact

This vulnerability allows an unauthenticated user to execute arbitrary SQL commands on the Sparx Pro Cloud Server database. Such unauthorized access and potential data manipulation or exfiltration can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to sensitive personal and health information.

Exploitation of this vulnerability could result in unauthorized disclosure, alteration, or destruction of protected data, thereby compromising confidentiality, integrity, and availability requirements mandated by these standards.

Hi! I’m here to help you understand CVE-2025-15625. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2025-15625

SQL Injection in Sparx Pro Cloud Server Allows Arbitrary Commands

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart