Executive Summary
A critical missing authorization vulnerability (CVE-2025-11158) has been disclosed in Hitachi Vantara Pentaho Data Integration & Analytics, a widely used enterprise analytics and ETL platform. The flaw allows authenticated users — without elevated system permissions — to embed arbitrary Groovy scripts inside PRPT report files published to the server, resulting in remote code execution (RCE) on the host.
CVSS Score: 9.1 (Critical) | CWE: CWE-862 (Missing Authorization)
The vulnerability affects all versions before 10.2.0.6, including the 9.3.x and 8.3.x branches. Hitachi Vantara has released a patch in version 10.2.0.6; organizations running unpatched instances — particularly those with internal or partner user access — should treat this as an urgent remediation item.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2025-11158 |
| CVSS Score | 9.1 (Critical) |
| CWE | CWE-862 — Missing Authorization |
| Type | Remote Code Execution via Unrestricted Script Execution |
| Attack Vector | Network |
| Privileges Required | Low (authenticated user account) |
| User Interaction | None |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| Patch Available | Yes — version 10.2.0.6+ |
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Pentaho Data Integration & Analytics | < 10.2.0.6 | 10.2.0.6 |
| Pentaho Data Integration & Analytics | 9.3.x (all) | Vendor patch for the branch, or upgrade to 10.2.0.6 |
| Pentaho Data Integration & Analytics | 8.3.x (all) | Vendor patch for the branch, or upgrade to 10.2.0.6 |
Technical Analysis
Root Cause
Pentaho report bundles (PRPT files) can carry embedded scripts, Groovy among them, as a legitimate feature for computed fields and dynamic report generation. The vulnerability is that the server applies no authorization check to that capability when a user publishes a PRPT containing Groovy code: the upload is gated only on the user's ability to publish content, not on any right to run server-side code.
Because the server does not validate whether the publisher may execute server-side scripts before accepting the embedded Groovy blocks, the script is stored as ordinary report content. When the report is later rendered, on demand or by a schedule, the Groovy runs inside the server JVM with the privileges of the Pentaho service account. Any authenticated user who can publish content can therefore introduce code the server will execute.
Attack Flow
1. Attacker authenticates to Pentaho with any valid user account
2. Attacker crafts a PRPT report file containing a malicious Groovy script (e.g., reverse shell, credential dumper, persistence mechanism)
3. Attacker publishes the report to the Pentaho repository via the BI Server
4. The server accepts the report without checking whether the publisher is authorized to execute scripts and without restricting the Groovy content
5. The report is rendered, on demand or by a schedule, and the Groovy script fires on the server
6. Attacker achieves code execution under the Pentaho service account
7. Lateral movement to connected databases, data warehouses, and ETL pipelines
Why This Is Dangerous
Pentaho is an enterprise-grade analytics and ETL platform commonly integrated with:
- Corporate data warehouses (Snowflake, Redshift, BigQuery, Oracle)
- Operational databases holding PII and financial records
- CI/CD pipelines and data pipelines
- LDAP/Active Directory for authentication
A compromised Pentaho server can expose the entire data fabric of an enterprise.
Impact Assessment
| Impact Area | Description |
|---|---|
| Remote Code Execution | Full server-side code execution under the Pentaho service account |
| Data Exfiltration | Access to all connected data sources — warehouses, databases, file shares |
| Credential Theft | Pentaho stores JDBC credentials and LDAP binds; all are at risk |
| Lateral Movement | Pivot to connected databases, AD environments, and cloud infrastructure |
| Persistence | Install backdoors, modify scheduled reports to re-execute payload |
| Supply Chain Risk | Compromise of ETL pipelines can corrupt downstream data and reports |
Immediate Remediation
Step 1: Upgrade to Version 10.2.0.6
Apply the vendor patch immediately. Obtain the update from the Hitachi Vantara support portal.
```bash
# Verify the installed version before patching (adjust the path to your install root)
grep Implementation-Version /opt/pentaho/server/biserver-ee/tomcat/webapps/pentaho/META-INF/MANIFEST.MF
# After the upgrade, run the same check again
grep Implementation-Version /opt/pentaho/server/biserver-ee/tomcat/webapps/pentaho/META-INF/MANIFEST.MF
# Expected: 10.2.0.6 or higher
```
Step 2: Restrict Report Publishing Permissions
If an immediate upgrade is not possible, restrict which roles can publish PRPT reports:
- Navigate to Pentaho User Console > Administration > Roles
- Identify roles with "Publish Content" or "Create Content" permissions
- Remove this permission from any role not explicitly requiring it
- Only trusted administrators should retain publishing rights
Step 3: Audit Published Reports for Groovy Payloads
```bash
# PRPT files are ZIP archives, so search the decompressed entries, not the compressed bytes:
# a plain grep on the archive misses deflated content. On Pentaho 5.x and later, published
# reports live in the JCR repository rather than on disk; export them first with the bundled
# import-export.sh --export tool and point REPORT_DIR at the exported tree.
REPORT_DIR=/opt/pentaho/server/pentaho-solutions   # or the directory holding your export
find "$REPORT_DIR" -name "*.prpt" -print0 | while IFS= read -r -d '' f; do
    unzip -p "$f" 2>/dev/null | grep -qiE 'groovy|bsf|scriptable' && echo "script content: $f"
done
# Inspect a flagged report in detail (all entries, not only content.xml)
unzip -p suspicious_report.prpt | grep -iE 'groovy|bsf|scriptable|execute\(|Runtime|ProcessBuilder'
```
Step 4: Monitor for Active Exploitation
```bash
# Review Pentaho application logs for unusual report executions (paths assume the default layout)
grep -iE "groovy|bsf|script|exec|Runtime" /opt/pentaho/server/biserver-ee/tomcat/logs/catalina.out | tail -200
grep -iE "groovy|bsf|script|exec|Runtime" /opt/pentaho/server/biserver-ee/tomcat/logs/pentaho.log | tail -200
# Check for unusual outbound connections from the Pentaho JVM
ss -tnp state established | grep -E "java|pentaho"
netstat -tnp 2>/dev/null | grep ESTABLISHED | grep java   # fallback on hosts without ss
# List processes spawned by the Pentaho JVM (replace <PID> with the java process id from ss/ps)
ps -o pid,user,cmd --ppid <PID>
```
Detection Indicators
| Indicator | Description |
|---|---|
| PRPT entries with Groovy/BSF/scriptable expressions, or OS-level calls such as `execute()`, `Runtime`, `ProcessBuilder` | Suspicious report file content |
| Unexpected outbound TCP connections from Pentaho host | Potential reverse shell or C2 |
| New processes spawned by the Pentaho Java process | Code execution via Runtime.exec() |
| Unusual database queries from Pentaho service account | Post-exploitation data access |
| New scheduled jobs or modified report schedules | Persistence mechanism |
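The audit in Step 3 and the first indicator above both come down to the same task: open each PRPT bundle, look inside its XML entries for script-capable elements, and flag the ones that call into the OS. The following Python scanner does that, and also shows the publish-time authorization gate whose absence is the root cause of this CVE. It is an added example for this write-up, not Hitachi Vantara code and not the vendor's fix. Its assumptions: a PRPT is a ZIP of XML parts (`content.xml`, `datadefinition.xml`, ...); the regexes approximate how scripting elements (language selectors, `BSFExpression`, scriptable data sources) serialize and should be tuned against a known-good report from your own server; the three sample reports are constructed here; `publish_allowed`, `classify` and the `Administrator` role check are a hypothetical policy model, not a Pentaho API.

```python
"""Audit PRPT report bundles for embedded script content.

Added example for this advisory; not Hitachi Vantara code. A PRPT is a ZIP
archive of XML parts (content.xml, datadefinition.xml, ...). The regexes
below are this example's assumptions about how script-capable elements
serialize; tune them against a known-good report from your own server.
"""
import io
import re
import sys
import zipfile
from dataclasses import dataclass
from pathlib import Path

# Script-capable elements: a scripting language selector (attribute or
# <property name="language"> form), the engine's BSF expression classes,
# and scriptable data sources.
SCRIPT_PATTERNS = [
    ("script language", re.compile(
        r'(?:language\s*=\s*"|name="language"\s*>\s*)(groovy|beanshell|bsh|javascript)\b', re.I)),
    ("BSF expression", re.compile(r"\.bsf\.BSF\w*")),
    ("scriptable data source", re.compile(r"scriptable", re.I)),
]

# OS, network and reflection calls that a formatting expression has no reason to make.
DANGEROUS_CALLS = re.compile(
    r"Runtime\.getRuntime|ProcessBuilder|\.execute\(\)|\bexec\s*\(|Class\.forName|"
    r"System\.getenv|new\s+File\(|java\.net\.(?:Socket|URL)|/bin/(?:ba)?sh|cmd\.exe|powershell"
)


@dataclass
class Finding:
    entry: str     # ZIP member the match came from
    kind: str      # which pattern matched
    evidence: str  # matched text


def scan_prpt(data: bytes) -> list[Finding]:
    """Inspect every entry of the decompressed bundle, not the raw ZIP bytes."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            text = zf.read(info.filename).decode("utf-8", errors="replace")
            for kind, rx in SCRIPT_PATTERNS:
                findings += [Finding(info.filename, kind, m.group(0)) for m in rx.finditer(text)]
            findings += [Finding(info.filename, "dangerous call", m.group(0))
                         for m in DANGEROUS_CALLS.finditer(text)]
    return findings


def classify(findings: list[Finding]) -> str:
    """Triage label: clean (no scripting), scripted (review), malicious-likely (OS/network calls)."""
    kinds = {f.kind for f in findings}
    if "dangerous call" in kinds:
        return "malicious-likely"
    return "scripted" if kinds else "clean"


def publish_allowed(data: bytes, user_roles: set[str],
                    script_roles: frozenset[str] = frozenset({"Administrator"})) -> bool:
    """The authorization check whose absence the advisory describes, as a
    hypothetical policy function (not a Pentaho API): anyone may publish a
    script-free report; a scripted report needs a role trusted to run server code."""
    if classify(scan_prpt(data)) == "clean":
        return True
    return bool(user_roles & script_roles)


def build_prpt(content_xml: str) -> bytes:
    """Constructed PRPT-shaped sample (deflated like a real bundle) for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("content.xml", content_xml)
        zf.writestr("datadefinition.xml", "<data-definition/>")
    return buf.getvalue()


BSF = "org.pentaho.reporting.engine.classic.core.function.bsf.BSFExpression"
CLEAN_REPORT = build_prpt('<report><band name="report-header"><label>Quarterly sales</label></band></report>')
SCRIPTED_REPORT = build_prpt(
    f'<report><expression class="{BSF}" name="fmt"><property name="language">groovy</property>'
    '<property name="expression"><![CDATA[return Math.round(dataRow.get("amount"))]]></property>'
    '</expression></report>')
MALICIOUS_REPORT = build_prpt(
    f'<report><expression class="{BSF}" name="probe" language="groovy">'
    '<![CDATA[return "id".execute().text]]></expression></report>')


def main(paths: list[str]) -> None:
    # With no arguments, scan the constructed samples; otherwise scan the given .prpt files.
    samples = {p: Path(p).read_bytes() for p in paths} or {
        "clean.prpt": CLEAN_REPORT, "scripted.prpt": SCRIPTED_REPORT, "malicious.prpt": MALICIOUS_REPORT}
    for name, data in samples.items():
        findings = scan_prpt(data)
        print(f"{name}: {classify(findings)}")
        for f in findings:
            print(f"  {f.entry}: {f.kind} -> {f.evidence}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it as `python3 prpt_scan.py exported/*.prpt` over a directory exported from the repository. Because the sample bundles are deflated the way real PRPT files are, the literal string `groovy` generally does not appear in the archive bytes, which is why a plain `grep` on `.prpt` files is unreliable and the scanner reads each entry after decompression. A "scripted" verdict is not proof of compromise, since Groovy expressions are a supported feature; it is the queue for manual review, and the publisher's role and the report's schedule history decide how far to escalate.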
Post-Remediation Checklist
- Upgrade all Pentaho instances to 10.2.0.6 or later
- Audit all published PRPT reports for embedded Groovy scripts
- Review and restrict "Publish Content" permissions to trusted roles only
- Rotate all credentials stored in Pentaho — JDBC, LDAP, API keys
- Review service account permissions — apply least privilege to the Pentaho OS user
- Enable enhanced logging for report publication and execution events
- Implement network segmentation — Pentaho servers should not have unrestricted outbound internet access
- Notify data owners if a compromise is suspected — connected data sources may be affected