{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/sparx-systems/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-42097"},{"id":"CVE-2026-42098"},{"id":"CVE-2026-42096"},{"id":"CVE-2026-42099"},{"id":"CVE-2026-42100"}],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Pro Cloud Server","Enterprise Architect"],"_cs_severities":["critical"],"_cs_tags":["vulnerability","rce","authentication-bypass","sqli"],"_cs_type":"threat","_cs_vendors":["Sparx Systems"],"content_html":"\u003cp\u003eOn May 19, 2026, five vulnerabilities were disclosed affecting Sparx Systems Pro Cloud Server (versions up to 6.1 build 167) and Enterprise Architect (versions up to 17.1). These vulnerabilities include a critical authorization bypass (CVE-2026-42097) in Pro Cloud Server, and a high criticality Use of Client-Side Authentication vulnerability (CVE-2026-42098) in Enterprise Architect. Publicly available Proof-of-Concept (PoC) exploits exist for all five vulnerabilities (CVE-2026-42096, CVE-2026-42097, CVE-2026-42098, CVE-2026-42099, CVE-2026-42100), increasing the likelihood of active exploitation. Successful exploitation could lead to unauthorized data access, code execution, and denial-of-service. Defenders should prioritize patching vulnerable systems immediately.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted POST request to the Sparx Pro Cloud Server, including a model name within the binary blob (CVE-2026-42097).\u003c/li\u003e\n\u003cli\u003eThe server improperly validates the request, failing to authenticate the user, and allowing the attacker to bypass authorization.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the bypass to execute arbitrary SQL queries against the underlying database without proper authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive data stored within the database, potentially reading, modifying, or deleting information.\u003c/li\u003e\n\u003cli\u003eIn a separate attack, an attacker with low privilege access exploits a race condition (CVE-2026-42099) by creating a malicious PHP file within the repository.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to execute the malicious PHP file. Due to delayed transmission response, the file can be executed even after deletion.\u003c/li\u003e\n\u003cli\u003eThe malicious PHP code executes arbitrary commands on the server, potentially installing malware or creating backdoors.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves full system compromise, enabling further malicious activities such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can lead to severe consequences. CVE-2026-42097 allows unauthenticated attackers to execute arbitrary SQL queries, potentially compromising sensitive data. CVE-2026-42098 allows attackers to bypass authentication and impersonate any user, leading to unauthorized modifications. CVE-2026-42099 enables arbitrary PHP code execution. CVE-2026-42100 can cause denial of service. The vulnerabilities collectively impact the confidentiality, integrity, and availability of affected systems. There is no mention of sectors targeted, or specific victim counts, but all users of unpatched Sparx Systems Pro Cloud Server and Enterprise Architect instances are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest patches for Sparx Systems Pro Cloud Server (\u0026lt;= 6.1 build 167) and Enterprise Architect (\u0026lt;= 17.1) to remediate the vulnerabilities detailed in this brief.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests targeting Sparx Pro Cloud Server with model names in the binary blob, indicative of CVE-2026-42097 exploitation.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Potential CVE-2026-42097 Exploitation Attempt\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor for the creation and execution of unusual PHP files in the Sparx Pro Cloud Server repository directory, potentially indicating CVE-2026-42099 exploitation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious PHP File Creation in Sparx Pro Cloud Server Repository\u0026rdquo; to identify potentially malicious PHP files being created.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T10:09:54Z","date_published":"2026-05-21T10:09:54Z","id":"https://feed.craftedsignal.io/briefs/2026-05-sparx-rce/","summary":"Multiple vulnerabilities, including a critical authentication bypass (CVE-2026-42097), affect Sparx Systems Pro Cloud Server and Enterprise Architect, potentially leading to remote code execution and data compromise; active exploitation is likely given available PoCs.","title":"Actively Exploited Vulnerabilities in Sparx Pro Cloud Server and Enterprise Architect","url":"https://feed.craftedsignal.io/briefs/2026-05-sparx-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Sparx Systems","version":"https://jsonfeed.org/version/1.1"}