CVE-2025-11158 is a critical security vulnerability classified under CWE-862 (Missing Authorization) affecting Hitachi Vantara Pentaho Data Integration and Analytics software versions before 10.2.0.6, including 9.3.x and 8.3.x. The vulnerability stems from insufficient authorization checks on Groovy scripts embedded within new PRPT report files created and published by users. Specifically, the software does not properly restrict the execution of Groovy scripts in these reports, allowing an attacker with appropriate privileges to insert arbitrary Groovy code. This code can execute remotely on the server hosting the Pentaho platform, resulting in remote code execution (RCE). The vulnerability has a CVSS 3.1 base score of 9.1, reflecting its critical severity, with an attack vector over the network (AV:N), low attack complexity (AC:L), requiring high privileges (PR:H), no user interaction (UI:N), and impacting confidentiality, integrity, and availability (C:H/I:H/A:H). The scope is changed (S:C), indicating that the vulnerability affects components beyond the initially vulnerable component. While no public exploits have been reported yet, the flaw’s nature makes it a high-risk target for attackers aiming to compromise data analytics environments. Pentaho is widely used in enterprise data integration and analytics, making this vulnerability significant for organizations relying on this platform for business intelligence and data processing.

The impact of CVE-2025-11158 is severe for organizations using affected versions of Pentaho Data Integration and Analytics. Successful exploitation allows attackers to execute arbitrary Groovy scripts remotely, potentially gaining full control over the affected server. This can lead to unauthorized access to sensitive data, manipulation or deletion of critical analytics workflows, disruption of business intelligence operations, and lateral movement within the network. Given Pentaho’s role in processing and analyzing enterprise data, a compromise could result in data breaches, loss of data integrity, and operational downtime. The requirement for high privileges limits exploitation to insiders or attackers who have already compromised user credentials with elevated rights, but the absence of user interaction and the network attack vector make it easier for such attackers to exploit the vulnerability remotely. Organizations in sectors such as finance, healthcare, manufacturing, and government, which rely heavily on data analytics platforms, face heightened risks of data exposure and operational disruption.

To mitigate CVE-2025-11158, organizations should immediately upgrade Pentaho Data Integration and Analytics to version 10.2.0.6 or later, where the vulnerability is patched. If upgrading is not immediately feasible, implement strict access controls to limit the ability to publish new PRPT reports with embedded Groovy scripts to only fully trusted administrators. Employ network segmentation and firewall rules to restrict access to the Pentaho server to trusted IP addresses and internal networks. Monitor logs for unusual Groovy script executions or report publishing activities. Disable or restrict Groovy scripting capabilities within reports if possible, or apply application-layer controls to validate and sanitize scripts before execution. Conduct regular audits of user privileges to ensure that only necessary users have high-level permissions. Additionally, implement intrusion detection systems (IDS) and endpoint detection and response (EDR) solutions to detect potential exploitation attempts. Finally, maintain an incident response plan tailored to data analytics platform compromises.