Platform
other
Component
sparx-enterprise-architect
Fixed in
16.1.1628
CVE-2025-15621 describes a critical vulnerability in Sparx Enterprise Architect, affecting versions from 16.1.1627 through 17.1.1714. This vulnerability stems from insufficient protection of OAuth2 credentials during OpenID authentication, potentially allowing attackers to gain unauthorized access. A fix is expected from the vendor, and users are advised to monitor for updates. The CVSS severity is pending evaluation.
The insufficient protection of OAuth2 credentials in Sparx Enterprise Architect poses a significant risk. An attacker exploiting this vulnerability could gain unauthorized access to sensitive data and systems in an organization that relies on Sparx Enterprise Architect for modeling and design: intellectual property, confidential project information, or the models themselves, which could be manipulated. Because recipient verification is lacking, an attacker could craft requests that masquerade as a trusted application in order to obtain access tokens and impersonate legitimate users. The blast radius extends to any system or data accessible to Enterprise Architect users, potentially affecting multiple departments and stakeholders.
CVE-2025-15621 was published on 2026-04-16. Its exploitation probability is currently pending evaluation. No public proof-of-concept (PoC) code had been released at the time of writing. Monitor security advisories from Sparx Systems and relevant security communities for updates.
Organizations heavily reliant on Sparx Enterprise Architect for software modeling, system design, and business process documentation are at risk. Specifically, deployments with OpenID authentication enabled and those lacking robust access control policies are particularly vulnerable. Any organization storing sensitive intellectual property within Enterprise Architect should prioritize monitoring and mitigation efforts.
disclosure
Exploit status
EPSS
0.02% (4th percentile)
CISA SSVC
Currently, a direct patch is not available. As a temporary mitigation, organizations should review and restrict access to Sparx Enterprise Architect based on the principle of least privilege. Implement stricter monitoring of OAuth2 authentication attempts, looking for unusual patterns or unexpected recipients. Consider implementing a Web Application Firewall (WAF) to filter potentially malicious OAuth2 requests. Once a patched version of Sparx Enterprise Architect is released (check Sparx Systems’ website for updates), upgrade immediately. After the upgrade, confirm the fix by attempting to trigger the authentication flow with a test user and verifying that the credential verification is now enforced.
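The "credential verification" that the last sentence asks you to confirm is, for an OpenID Connect relying party, the set of checks shown below. This is an added example written for this page, not Sparx code; it assumes that the advisory's "recipient verification" refers to the ID token's aud/azp claims, and it uses a constructed issuer, client id, HS256 client secret and fixed clock so that it runs offline.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example; none come from Sparx or the advisory.
ISSUER = "https://idp.example.test"
CLIENT_ID = "ea-relying-party"         # the client this token must be issued to
SECRET = b"constructed-client-secret"  # HS256 key shared with the constructed IdP
NOW = 1_700_000_000                    # fixed clock so results are deterministic

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_id_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint a constructed HS256 ID token so the check can be exercised offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def check_id_token(token: str, now: int = NOW) -> str:
    """Return 'ok' if every check passes, else the name of the first failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed token"
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return "unexpected alg"  # never let the token pick the algorithm
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return "bad signature"
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        return "wrong issuer"
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if CLIENT_ID not in aud:  # the recipient check: the token must name this client
        return "aud does not include this client"
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        return "azp does not match this client"
    if int(claims.get("exp", 0)) <= now:
        return "token expired"
    return "ok"
```

A token minted for a different client, with a valid signature from the same issuer, is rejected by the recipient check even though every other check passes.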
Upgrade to a fixed version of Sparx Enterprise Architect. Consult the Sparx Systems version history page for details on the available versions and upgrade instructions: https://sparxsystems.com/products/ea/17.1/history.html.
CVE-2025-15621 is a vulnerability where Sparx Enterprise Architect doesn't properly validate OAuth2 credentials during OpenID authentication, potentially allowing unauthorized access.
If you are using Sparx Enterprise Architect versions 16.1.1627 through 17.1.1714 and have OpenID authentication enabled, you are potentially affected.
A patch is not yet available. Implement temporary mitigations like stricter access controls and WAF rules, and monitor Sparx Systems' advisories for updates.
There are currently no confirmed reports of active exploitation, but the vulnerability is being investigated.
Please refer to the Sparx Systems website and security advisories for the latest information and updates regarding CVE-2025-15621.