CVE-2025-11158 — AI Deep Analysis Summary

🚨 **Essence**: A critical security flaw in Hitachi Vantara Pentaho allows arbitrary Groovy script injection via PRPT reports. 📉 **Consequences**: Leads to **Remote Code Execution (RCE)**.…

🛡️ **Root Cause**: **CWE-862** (Missing Authorization). The system fails to restrict or validate Groovy scripts embedded in newly published PRPT reports.…

🏢 **Vendor**: Hitachi Vantara. 📦 **Product**: Pentaho Data Integration & Analytics. 📅 **Affected Versions**: **< 10.2.0.6**, including **9.3.x** and **8.3.x** series. ✅ **Fixed**: Version 10.2.0.6 and later.

💻 **Capabilities**: Hackers can execute **arbitrary system commands** via Groovy scripts. 🔓 **Privileges**: Runs with the privileges of the Pentaho service account.…

🔐 **Auth Required**: **Yes**. The CVSS vector `PR:H` indicates **High Privileges** are needed. 👤 **User Role**: Likely requires an authenticated user with permission to publish/modify PRPT reports. Not fully anonymous.

🕵️ **Public Exploit**: **No**. The `pocs` field is empty in the provided data. 🌍 **Wild Exploitation**: No evidence of active wild exploitation yet.…

🔍 **Self-Check**: Scan for Pentaho versions **< 10.2.0.6**. 📄 **Feature Check**: Look for PRPT report upload functionality. 🛠️ **Tooling**: Use vulnerability scanners detecting Pentaho version fingerprints.…

🔧 **Official Fix**: **Yes**. Patched in version **10.2.0.6**. 📝 **Reference**: Hitachi Vantara Support Article #39975058295821. 📥 **Action**: Upgrade immediately to the latest stable version.

🚫 **No Patch?**: Isolate the Pentaho server from untrusted networks. 🚫 **Disable**: Restrict permissions to publish/modify PRPT reports. 🛡️ **WAF**: Block requests containing Groovy script syntax in report uploads.…

🔥 **Urgency**: **CRITICAL**. CVSS 9.8 is near-maximum. 🚀 **Priority**: **P1**. Even though auth is required, the impact is total system compromise. 📅 **Timeline**: Patch immediately upon upgrade availability.…