CVE-2025-11158

Hitachi Vantara · Pentaho Data Integration & Analytics

Hitachi Vantara Pentaho Data Integration & Analytics fails to restrict Groovy scripts in PRPT reports, enabling remote code execution by authenticated users.

Executive summary

A critical remote code execution vulnerability in Hitachi Vantara Pentaho Data Integration & Analytics allows an authenticated user who can publish reports to run arbitrary Groovy code on the server that renders them.

Vulnerability

The application does not restrict the execution of Groovy scripts embedded in PRPT report files. An authenticated user can publish a specially crafted report; when the server processes it, the embedded script runs on the server with the privileges of the Pentaho process, giving the attacker arbitrary code execution.

Business impact

This vulnerability carries a CVSS score of 9.1, a critical severity rating. The only precondition is an account that is allowed to publish reports, a right that is often granted broadly to analysts and report authors. Successful exploitation lets the attacker execute code with the privileges of the Pentaho server process, which can lead to full takeover of the host, exfiltration of the data sources the platform connects to, and significant operational disruption.

Remediation

Immediate Action: Upgrade all instances of Pentaho Data Integration & Analytics to version 10.2.0.6 or the latest available version provided by Hitachi Vantara, and verify the installed version on every node afterwards; treat any instance still below 10.2.0.6 as vulnerable.

Proactive Monitoring: Audit the report repository and publishing logs for PRPT files that embed Groovy or other scripted expressions, and review publish events for uploads by unexpected users. On the server, monitor for child processes spawned by the Pentaho JVM; rendering a report should not normally start a shell or other external program.
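To support the repository audit above, the following scanner is an added example, not code from Hitachi Vantara or the original advisory. It treats a PRPT file as what it is on disk, a ZIP archive of XML documents, opens every XML entry, and flags attributes or text that reference Groovy, Bean Scripting Framework (BSF) or BeanShell expression classes, or process-spawning calls. The class-name fragments it looks for (BSFExpression, BSHExpression) and the sample bundle it builds for demonstration are assumptions about how a scripted report is serialised, not a real Pentaho export; tune the indicator list against a known sample from your own environment.

```python
"""Triage scanner for published PRPT report bundles (added example).

A PRPT report is a ZIP archive of XML documents. This script opens every
XML entry in a bundle and flags elements or attributes that reference
Groovy, Bean Scripting Framework (BSF) expression classes, BeanShell, or
process-spawning calls. It is a hunting aid for the repository audit in
the advisory, not a parser of Pentaho's full report model.
"""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

# Indicators that an expression is scripted rather than a plain formula.
# The class-name fragments (BSFExpression, BSHExpression) are assumptions
# about how a Groovy-bearing report is serialised; tune them against a
# known sample from your own environment.
SCRIPT_INDICATORS = (
    re.compile(r"groovy", re.I),
    re.compile(r"\bBSF(?:Expression|Function)\b"),
    re.compile(r"beanshell|\bBSHExpression\b", re.I),
    re.compile(r"\.execute\(|ProcessBuilder|Runtime\.getRuntime"),
)


def _hits(text):
    """Return the patterns that match a piece of attribute or text content."""
    return [p.pattern for p in SCRIPT_INDICATORS if p.search(text or "")]


def scan_xml_entry(name, data):
    """Scan one XML entry; returns (entry, element, detail) tuples."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # Malformed XML is itself worth a look: a lenient loader on the
        # server may still accept it, so report it instead of skipping.
        return [(name, "<unparseable>", "malformed XML")]
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]  # drop any XML namespace prefix
        for attr, value in elem.attrib.items():
            for pat in _hits(value):
                findings.append((name, tag, f"@{attr}={value!r} matched {pat}"))
        for pat in _hits(elem.text):
            findings.append((name, tag, f"text matched {pat}"))
    return findings


def scan_prpt(blob):
    """Scan every XML entry of a PRPT bundle given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".xml"):
                findings.extend(scan_xml_entry(info.filename, zf.read(info)))
    return findings


def is_suspicious(blob):
    """True when any entry of the bundle carries a script indicator."""
    return bool(scan_prpt(blob))


def build_sample_prpt(scripted):
    """Constructed, minimal PRPT-like bundle for demonstration only.

    This is not a real Pentaho export; the element layout is invented to
    exercise the scanner with a scripted and a formula-only expression.
    """
    if scripted:
        expression = (
            '<expression class="org.pentaho.reporting.engine.classic.core'
            '.modules.misc.bsf.BSFExpression" name="x">'
            '<property name="language">groovy</property>'
            '<property name="expression">"id".execute().text</property>'
            '</expression>'
        )
    else:
        expression = (
            '<expression class="org.pentaho.reporting.engine.classic.core'
            '.function.FormulaExpression" name="x">'
            '<property name="formula">=[Sales]*1.1</property>'
            '</expression>'
        )
    xml = ('<?xml version="1.0"?><report xmlns="http://example.invalid/report">'
           f'<expressions>{expression}</expressions></report>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/zip")
        zf.writestr("content.xml", xml)
    return buf.getvalue()


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:  # no files given: run against the constructed samples
        for label, blob in (("scripted", build_sample_prpt(True)),
                            ("formula-only", build_sample_prpt(False))):
            print(label, "->", scan_prpt(blob))
    for path in paths:
        with open(path, "rb") as fh:
            for finding in scan_prpt(fh.read()):
                print(path, *finding)
```

Run it with one or more exported PRPT paths as arguments, or with no arguments to see it separate the constructed scripted sample from the formula-only one. A hit is a lead, not a verdict: a report that legitimately uses a scripted expression will match, so pair the output with the publisher identity and publish time from the repository logs before deciding whether it needs to be pulled.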

Compensating Controls: Until the environment can be updated, use strict role-based access control (RBAC) to restrict the ability to publish or modify PRPT reports to a small set of trusted roles, and treat that permission as equivalent to code execution on the server when deciding who holds it.

Exploitation status

Public Exploit Available: Not stated

Analyst recommendation

Given that a report-publishing account is enough to obtain remote code execution, this vulnerability poses a severe threat to the integrity of the data analytics platform and of every data source it connects to. Organizations should prioritize updating to the patched version immediately; RBAC restrictions and repository audits reduce exposure but do not remove it.