If you answered yes to all three, your organization is in the high-risk group. The vulnerabilities described in this advisory are actively exploitable against your current setup.

Executive Summary

If your organization uses Sparx Enterprise Architect and your team accesses it over the internet, you may be exposed to an immediate and critical threat - regardless of how your security is configured.

The vulnerabilities described in this advisory allow an external attacker with no credentials, no insider knowledge, and no specialized skills to silently read or destroy your entire architecture repository, steal employee credentials, and execute arbitrary code on your server.

Your intellectual property, system designs, and business roadmaps could be exfiltrated in minutes. This is not a theoretical risk, its working exploit chain. If you are running an internet-accessible Pro Cloud Server today, assume you are at risk.

Critical security vulnerabilities have been identified and responsibly disclosed by the Efigo Research Team in two widely-used enterprise software products from Sparx Systems: Enterprise Architect (EA) and Pro Cloud Server (PCS). These vulnerabilities expose organizations to severe risks including unauthenticated remote code execution, arbitrary SQL execution, authentication bypass, and denial of service — all exploitable from the public internet without requiring any user credentials.

Five CVEs (CVE-2026-42096 through CVE-2026-42100) have been assigned. When chained, these vulnerabilities yield a perfect CVSSv4 score of 10.0. Any organization deploying PCS with WebEA in a network-accessible configuration faces immediate risk of full system compromise and data exfiltration.

Immediate action required: Isolate PCS and WebEA from public-facing networks now. Apply vendor patches as soon as they become available and follow the remediation steps section.

Affected Products & Scope

Vulnerability Summary

Detailed Vulnerability Analysis

CVE-2026-42096 — Broken Access Control / Arbitrary SQL Execution (CVSSv4 8.7 High)

Root cause: PCS acts as a transparent database proxy for the thick EA client. All SQL queries are submitted directly by the client over HTTP with only a symmetric encryption layer — the key is embedded in the publicly downloadable EA trial binary, providing no meaningful protection. An attacker can extract the key and forge arbitrary SQL queries against any configured database.

Business impact:

• Complete read access to all repository content, including confidential architectural models, design artefacts, and user credentials (password hashes).
• Unrestricted write access — an attacker can corrupt, delete, or inject malicious content into the entire model database.
• Harvesting of credential hashes from t_secuser, enabling offline password cracking and lateral movement.
• No per-user authorization: even low-privilege accounts (or no account at all, when combined with CVE-2026-42097) can execute DBA-level SQL.

CVE-2026-42097 — Authentication Bypass in Pro Cloud Server (CVSSv4 9.3 Critical)

Root cause: PCS determines which authentication path to apply based on the model name in the URL query parameter. However, the SQL execution logic reads the model name from the binary POST body instead. An attacker can omit the URL query parameter (bypassing the authentication check) while still supplying the model name in the POST body, causing PCS to execute the query with no authentication challenge.

Business impact:

• No credentials are required to exploit the SQL injection primitives described in CVE-2026-42096.
• Any internet-accessible PCS instance is vulnerable regardless of how authentication is configured.
• Eliminates the only intended access control layer between the attacker and the underlying database.

CVE-2026-42098 — Authorization Bypass in Enterprise Architect (CVSSv4 8.7 High)

Root cause: The client-side EA binary performs authorization checks locally rather than enforcing them server-side. An attacker can patch or debug the EA binary to bypass role checks and log in with administrator privileges, or impersonate any user. Sparx's own documentation acknowledges the security model is "designed to facilitate collaboration, not as a barrier to incursion," yet the product is marketed with RBAC and audit-trail guarantees.

Business impact:

• Attackers with network access to PCS can impersonate administrators and make unrestricted repository changes.
• Password theft and account takeover for all model users.
• Vendor-advertised RBAC and audit-trail assurances are not technically enforced, creating compliance and contractual risk for organizations relying on these controls.

CVE-2026-42099 — Remote Code Execution via WebEA Race Condition (CVSSv4 7.7 High)

Root cause: The WebEA PHP component writes attacker-controlled file content and filenames directly to the web-accessible directory as a temporary download step. Because the filename is not sanitized and the file is not deleted before being served, an attacker can inject a malicious .php file and exploit the TOCTOU window to execute it via a parallel HTTP request before deletion occurs.

Business impact:

• Full remote code execution in the web server process context — the highest-severity outcome for any web application vulnerability.
• Enables post-exploitation: credential harvesting, persistent access, pivot to internal network, ransomware deployment.
• Chained with CVE-2026-42096 and CVE-2026-42097, exploitable end-to-end by a zero-credential external attacker.
• Web server compromise may expose PCS configuration files, database connection strings, and SSL certificates.

CVE-2026-42100 — Denial of Service in PCS Endpoint (CVSSv4 7.1 High)

Root cause: Sending a malformed SQL query containing an unterminated escape sequence (an opening { brace without a closing }) causes the PCS process to crash with an unrecoverable thread error. The lack of input boundary validation suggests potential buffer overflow conditions in the same parsing logic, which could be further developed into a code execution primitive.

Business impact:

• Any unauthenticated attacker can crash the PCS service, causing complete outage for all EA clients relying on that server.
• Availability impacts translate directly to project delays for teams using PCS for collaborative architecture work.
• Potential escalation to remote code execution if the underlying memory corruption is fully characterised.

Exploit Attack Chain — Zero-Credential External Attacker

The following end-to-end exploitation path was demonstrated by the Efigo Research Team using proof-of-concept tooling. It requires no prior credentials and is executable entirely from the internet against a publicly accessible PCS + WebEA deployment.

1. Authentication bypass (CVE-2026-42097): Attacker omits the URL model parameter, bypassing all server-side authentication checks.
2. SQL injection (CVE-2026-42096): Using the encryption key extracted from the free trial binary, attacker crafts SQL INSERT statements to place a malicious PHP file into the model repository.
3. Remote code execution (CVE-2026-42099): Attacker triggers the WebEA artifact download endpoint, exploiting the race condition to execute the injected PHP payload on the server.
4. Post-exploitation: With OS-level code execution, attacker exfiltrates data, establishes persistence, accesses database credentials, or pivots to internal infrastructure.

The entire chain yields a chained CVSSv4 score for Maximum Severity. No user interaction, authentication, or special network position is required.

Business Risk Assessment

Recommended Actions

Immediate — within 24 hours

• Install the latest vendor patches from Sparx Systems addressing these CVEs as soon as they are available.
• Isolate PCS and WebEA from public internet access — restrict to trusted internal networks or VPN only.
• Audit firewall and network rules to confirm no external exposure of PCS HTTP/HTTPS ports.
• Review logs for anomalous SQL patterns and unexpected POST requests to /SparxCloudLink.sseap without a model query parameter.
• Notify your security operations team and initiate incident triage.

Short-term — within 1–2 weeks

• Verify all PCS and EA installations are upgraded to the patched versions issued by Sparx Systems; monitor the vendor release notes and Sparx Systems security advisories on an ongoing basis.
• Enforce “Require a secure and authenticated connection” in PCS configuration for all deployments.
• If WebEA is not required, disable it. If required, place it behind an authenticated reverse proxy.
• Enable and review PCS audit logging for signs of unauthorized SQL execution or model tampering.

Medium-term — 1–3 months

• Re-evaluate the trust model for EA/PCS: treat built-in security as a collaboration aid only, not a security barrier.
• Implement network-layer controls (WAF, strict allowlisting) as a compensating control until vendor-provided API-level authorization is available.

References

This advisory was prepared based on security research conducted by the Efigo Research Team and is provided for informational purposes to assist organizations in assessing their exposure. Organizations should verify applicability to their specific environment and consult qualified security professionals.