CVE-2025-15623

Severity: Critical (updated)
Published: 17 April 2026
Modified: 02 June 2026
KEV Added: not listed
CVSS Score (v4): 9.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:C/RE:M/U:Red
EPSS Score: 0.0026 (17.3 percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-15623 is a critical-severity Exposure of Private Personal Information to an Unauthorized Actor (CWE-359) vulnerability in Sparx Systems Pro Cloud Server. Its CVSS v4 base score is 9.3 (Critical).

Operationally, its EPSS score places it at the 17.3 percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Exposure of Private Personal Information to an Unauthorized Actor (CWE-359) and Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server. An unauthenticated user can retrieve the database password in plaintext in certain situations.

CWE(s): CWE-359, CWE-497

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: sparxsystems
Product: pro cloud server
Version: 6.0.163

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Control mapping specific to this CVE has not yet been run; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Preventing nonpublic personal information from public posting reduces unauthorized exposure of private personal data. (addresses CWE-359, CWE-497)

The control detects and protects against mining of private personal information, reducing unauthorized exposure of PII. (addresses CWE-359, CWE-497)

Tracking the locations of sensitive data and the users who access it reduces the risk of private personal information exposure. (addresses CWE-359, CWE-497)

Explicitly limiting the use of private personal information (PII) to operational purposes reduces opportunities for its exposure outside production systems. (addresses CWE-359, CWE-497)

Explicit categorization of PII ensures that stronger privacy controls are applied and approved before system operation. (addresses CWE-359, CWE-497)

Tainting enables identification of exfiltration of private personal information to unauthorized parties. (addresses CWE-359, CWE-497)

Automated marking identifies private personal information in outputs, tangibly reducing the ability to exploit weaknesses that result in its unauthorized exposure. (addresses CWE-359)

Privacy-specific attributes and their controlled association directly reduce exposure of private personal information caused by missing or incorrect labeling. (addresses CWE-359)
