Platform: other
Component: sparx-enterprise-architect
Fixed in: 16.1.1628
CVE-2025-15622 describes a Credential Leak vulnerability affecting Sparx Enterprise Architect versions 16.1.1627 through 17.1.1714. This vulnerability allows the desktop client to inadvertently expose plaintext OAuth2 client secrets, potentially leading to unauthorized access and data compromise. A fix is expected from Sparx Systems, and users are advised to monitor for updates.
The core of this vulnerability lies in how the Sparx Enterprise Architect desktop client handles OAuth2 authentication: the client decodes the OAuth2 client secret and stores it in plaintext. An attacker who obtains this plaintext secret can exchange it for access and ID tokens, impersonating legitimate users and gaining unauthorized access to resources protected by the OAuth2 flow. This could include sensitive project data, collaboration features, and potentially integrations with other systems that rely on the same OAuth2 client. The potential blast radius depends on the sensitivity of the data reachable through Enterprise Architect and on how widely the OAuth2 integration is used.
As of the publication date (2026-04-17), there is no public proof-of-concept (POC) available for CVE-2025-15622. The vulnerability is not currently listed on the CISA KEV catalog. The potential for exploitation is considered medium, given the sensitivity of the exposed credential and the relative ease of using a compromised OAuth2 client secret to gain access.
Exploit Status
EPSS: 0.02% (6th percentile)
CISA SSVC:
Currently, the primary mitigation strategy is to await and apply a patch from Sparx Systems. Until a patch is available, consider restricting access to the desktop client to trusted users only. Implement multi-factor authentication (MFA) wherever possible to add an extra layer of security, even if the client secret is compromised. Monitor system logs for any unusual authentication activity or attempts to access OAuth2 endpoints. While a WAF or proxy cannot directly prevent this client-side leak, they can help detect and block subsequent malicious activity resulting from a compromised client secret.
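The monitoring advice above is easiest to act on at the authorization server, where every token request for the affected client_id is logged. The following is an added example, not part of this advisory and not code from Sparx Systems: it assumes a constructed key=value token-endpoint log format and a hypothetical baseline for the desktop client (which grant types it uses, what user agent it sends, which networks it runs from), and flags requests that depart from that baseline, which is what use of a leaked client secret by a third party would look like.

```python
"""Flag suspicious token-endpoint activity for one OAuth2 client_id.

Added example, not part of the original advisory or of Sparx Systems'
software. It assumes the authorization server writes one key=value line
per token request (a constructed log format, not a real product's) and
that the desktop client's legitimate behaviour is known: which grant
types it uses, which user agent it sends, and which networks it runs on.
"""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample log lines. client_id "ea-desktop" stands for the
# client whose secret is assumed to have leaked; all values are hypothetical.
SAMPLE_LOG = """\
2026-04-17T10:02:11Z client_id=ea-desktop grant_type=authorization_code src=10.0.12.5 ua="EnterpriseArchitect/16.1" status=200
2026-04-17T10:02:40Z client_id=ea-desktop grant_type=refresh_token src=10.0.12.5 ua="EnterpriseArchitect/16.1" status=200
2026-04-17T10:05:03Z client_id=ea-desktop grant_type=client_credentials src=203.0.113.77 ua="python-requests/2.31" status=200
2026-04-17T10:05:04Z client_id=ea-desktop grant_type=client_credentials src=203.0.113.77 ua="python-requests/2.31" status=400
2026-04-17T10:05:05Z client_id=ea-desktop grant_type=client_credentials src=203.0.113.77 ua="python-requests/2.31" status=400
2026-04-17T10:06:00Z client_id=ea-desktop grant_type=authorization_code src=203.0.113.77 ua="curl/8.5.0" status=200
2026-04-17T10:07:30Z client_id=other-app grant_type=client_credentials src=203.0.113.77 ua="python-requests/2.31" status=200
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) client_id=(?P<client_id>\S+) grant_type=(?P<grant>\S+) '
    r'src=(?P<src>\S+) ua="(?P<ua>[^"]*)" status=(?P<status>\d+)$'
)

# Baseline for the watched client (assumptions for this example, not product facts).
WATCHED_CLIENT = "ea-desktop"
EXPECTED_GRANTS = {"authorization_code", "refresh_token"}
EXPECTED_UA_PREFIX = "EnterpriseArchitect/"
TRUSTED_NETS = [ip_network("10.0.0.0/8")]
FAILURE_BURST = 2  # flag once a source reaches this many non-2xx responses


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    reason: str


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text):
    """Return findings for the watched client_id, in log order."""
    findings = []
    failures = Counter()  # failed requests per source address
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["client_id"] != WATCHED_CLIENT:
            continue
        src = ip_address(rec["src"])
        if rec["grant"] not in EXPECTED_GRANTS:
            findings.append(Finding(rec["ts"], rec["src"], f"unexpected grant_type {rec['grant']}"))
        if not any(src in net for net in TRUSTED_NETS):
            findings.append(Finding(rec["ts"], rec["src"], "source outside trusted networks"))
        if not rec["ua"].startswith(EXPECTED_UA_PREFIX):
            findings.append(Finding(rec["ts"], rec["src"], f"unexpected user agent {rec['ua']!r}"))
        if rec["status"] >= 400:
            failures[rec["src"]] += 1
            if failures[rec["src"]] == FAILURE_BURST:
                findings.append(Finding(rec["ts"], rec["src"], f"{FAILURE_BURST} failed token requests"))
    return findings


def sources_to_review(findings):
    """Distinct source addresses that produced at least one finding."""
    return sorted({f.src for f in findings})


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f.ts, f.src, f.reason)
```

On the constructed sample, every finding points at 203.0.113.77: a client_credentials grant the desktop client never uses, a non-product user agent, a source outside the trusted range, and a short burst of failed requests. Any one of those alone is a weak signal; together they are a reasonable trigger to rotate the client secret at the authorization server and revoke tokens issued to that client_id, which is the response that actually closes the exposure until the patched version is deployed.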
Update to the latest available version of Sparx Enterprise Architect to mitigate the vulnerability. The update corrects the way OAuth2 secrets are handled, preventing the key from being exposed in plaintext. Refer to the product version history page for more details on available updates.
CVE-2025-15622 is a vulnerability where Sparx Enterprise Architect's desktop client reveals plaintext OAuth2 client secrets, allowing unauthorized access. Severity is pending evaluation.
If you are using Sparx Enterprise Architect versions 16.1.1627–17.1.1714, you are potentially affected by this vulnerability. Monitor for updates from Sparx Systems.
The recommended fix is to upgrade to a patched version of Sparx Enterprise Architect as soon as it becomes available from Sparx Systems. Until then, implement mitigation strategies like restricting client access.
As of the publication date, there is no confirmed active exploitation of CVE-2025-15622, but the potential for exploitation exists.
Please refer to the Sparx Systems website and security advisories for the official advisory regarding CVE-2025-15622.