CVE-2025-11158 is a critical security vulnerability classified under CWE-862 (Missing Authorization) affecting Hitachi Vantara Pentaho Data Integration and Analytics software versions before 10.2.0.6, including 9.3.x and 8.3.x. The vulnerability stems from insufficient authorization checks on Groovy scripts embedded within new PRPT report files created and published by users. Specifically, the software does not restrict the execution of arbitrary Groovy scripts in these reports, allowing an attacker with the ability to publish reports to inject malicious code. This can lead to remote code execution (RCE) on the server hosting the Pentaho platform. The CVSS v3.1 base score is 9.1, reflecting a critical severity with network attack vector, low attack complexity, and requiring high privileges but no user interaction. The scope is changed, indicating that the vulnerability affects components beyond the initially compromised privileges, impacting confidentiality, integrity, and availability of the system. Although no known exploits are currently in the wild, the vulnerability poses a serious threat to organizations relying on Pentaho for data integration and analytics, as successful exploitation could allow attackers to execute arbitrary commands, potentially leading to full system compromise. The lack of a patch link suggests that mitigation may currently rely on upgrading to version 10.2.0.6 or later once available, or implementing strict access controls and monitoring for suspicious report publishing activities.

The impact of CVE-2025-11158 is severe for organizations using affected versions of Hitachi Vantara Pentaho Data Integration and Analytics. Successful exploitation allows attackers with report publishing privileges to execute arbitrary Groovy scripts, resulting in remote code execution on the server. This can lead to full system compromise, including unauthorized data access, data manipulation, disruption of analytics services, and potential lateral movement within the network. Confidentiality is at risk as attackers could access sensitive business intelligence data. Integrity is compromised through unauthorized modification of analytics reports or data processing workflows. Availability can be affected if attackers disrupt or disable analytics services. Given the critical role of Pentaho in enterprise data environments, such an attack could severely impact business operations, decision-making, and compliance with data protection regulations. The requirement for high privileges limits exploitation to insiders or attackers who have already gained elevated access, but the absence of user interaction and low attack complexity increase the risk once such access is obtained.

To mitigate CVE-2025-11158, organizations should prioritize upgrading to Hitachi Vantara Pentaho Data Integration and Analytics version 10.2.0.6 or later once the patch is released. Until then, implement strict access controls to limit report publishing privileges to trusted administrators only. Employ rigorous monitoring and auditing of report creation and publishing activities to detect anomalous or unauthorized Groovy script insertions. Disable or restrict the use of Groovy scripting in reports if feasible, or apply application-level controls to validate and sanitize scripts before execution. Network segmentation and application whitelisting can help contain potential exploitation impact. Additionally, enforce the principle of least privilege across the Pentaho environment to reduce the risk of privilege escalation. Regularly review and update security policies related to analytics platforms and conduct security awareness training for administrators. Finally, maintain up-to-date backups of analytics configurations and data to enable recovery in case of compromise.