
CVE-2025-59954: CWE-94: Improper Control of Generation of Code ('Code Injection') in KnowageLabs Knowage-Server

Critical
Tags: Vulnerability, CVE-2025-59954, cve, cve-2025-59954, cwe-94
Published: Mon Sep 29 2025 (09/29/2025, 23:48:04 UTC)
Source: CVE Database V5
Vendor/Project: KnowageLabs
Product: Knowage-Server

Description

Knowage is an open source analytics and business intelligence suite. Versions 8.1.26 and below are vulnerable to Remote Code Execution through the use of an unsafe org.apache.commons.jxpath.JXPathContext in the MetaService.java service. This issue is fixed in version 8.1.27.

AI-Powered Analysis

Last updated: 09/29/2025, 23:52:34 UTC

Technical Analysis

CVE-2025-59954 is a critical remote code execution (RCE) vulnerability affecting KnowageLabs' Knowage-Server, an open source analytics and business intelligence platform. The vulnerability exists in versions prior to 8.1.27 due to improper control over code generation within the MetaService.java component, specifically involving the unsafe use of the org.apache.commons.jxpath.JXPathContext library. This improper handling allows an attacker to inject and execute arbitrary code remotely without any authentication or user interaction. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code), indicating that the application fails to properly sanitize or validate input that is used to generate executable code. The CVSS 4.0 base score of 9.3 reflects the critical nature of this flaw, with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the ease of exploitation and the severity of impact make this a significant threat. The issue is resolved in Knowage-Server version 8.1.27, which addresses the unsafe usage of JXPathContext to prevent code injection attacks.
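The following is an added illustration, not code from Knowage or from MetaService.java: the MetaLookup class, its Catalog and Entry beans and the findId* methods are hypothetical stand-ins. It contrasts the bug class described above (caller input spliced into a JXPath expression, where it is evaluated as part of the expression) with the defensive form, where the expression is a fixed template, the value is bound as a JXPath variable so it stays data, and the value is allowlisted before use.

```java
import java.util.List;
import java.util.regex.Pattern;
import org.apache.commons.jxpath.JXPathContext;

// Hypothetical model constructed for this illustration (not Knowage's MetaService).
public class MetaLookup {
    public static class Entry {
        private final String name; private final int id;
        public Entry(String name, int id) { this.name = name; this.id = id; }
        public String getName() { return name; }
        public int getId() { return id; }
    }
    public static class Catalog {
        private final List<Entry> entries;
        public Catalog(List<Entry> entries) { this.entries = entries; }
        public List<Entry> getEntries() { return entries; }
    }

    // Only plain identifiers are accepted as lookup keys (allowlist, not denylist).
    private static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z_][A-Za-z0-9_]{0,63}$");

    // BEFORE (the vulnerable pattern): the caller's string becomes part of the
    // XPath text, so JXPath parses and evaluates it as expression syntax.
    static Object findIdUnsafe(Catalog catalog, String name) {
        JXPathContext ctx = JXPathContext.newContext(catalog);
        ctx.setLenient(true); // return null instead of throwing when nothing matches
        return ctx.getValue("entries[name = '" + name + "']/id");
    }

    // AFTER: fixed expression template; the value is bound as a JXPath variable
    // ($name) and is therefore compared as data, never parsed as expression text.
    static Object findIdSafe(Catalog catalog, String name) {
        if (name == null || !SAFE_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("invalid entry name");
        }
        JXPathContext ctx = JXPathContext.newContext(catalog);
        ctx.setLenient(true);
        ctx.getVariables().declareVariable("name", name);
        return ctx.getValue("entries[name = $name]/id");
    }

    public static void main(String[] args) {
        Catalog c = new Catalog(List.of(new Entry("sales", 7), new Entry("hr", 9)));
        System.out.println("sales -> " + findIdSafe(c, "sales"));
        try {
            findIdSafe(c, "sales report (2024)"); // not an identifier: rejected up front
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Binding the value as a variable is the JXPath analogue of a parameterized query; the regex allowlist is a second, independent layer so a malformed key never reaches the evaluator at all.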

Potential Impact

For European organizations using Knowage-Server versions below 8.1.27, this vulnerability poses a severe risk. Successful exploitation can lead to full system compromise, allowing attackers to execute arbitrary commands, access sensitive business intelligence data, manipulate analytics results, and disrupt critical reporting functions. This can result in data breaches, loss of data integrity, operational downtime, and potential regulatory non-compliance under GDPR due to unauthorized data access or alteration. Given Knowage's role in data analytics and decision-making, such an attack could undermine business operations and strategic decisions. The lack of required authentication and user interaction means attackers can exploit this vulnerability remotely and stealthily, increasing the risk of widespread impact within affected networks. Additionally, the high confidentiality and integrity impacts elevate the threat to organizations handling sensitive or regulated data.

Mitigation Recommendations

European organizations should immediately verify their Knowage-Server version and upgrade to version 8.1.27 or later, where the vulnerability is patched. If an immediate upgrade is not feasible, organizations should implement network-level protections such as restricting access to the Knowage-Server to trusted internal networks and applying strict firewall rules to limit exposure. Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious JXPathContext payloads can provide temporary mitigation. Conduct thorough input validation and sanitization on any user-supplied data interacting with the analytics platform. Regularly monitor server logs for unusual activity indicative of code injection attempts. Additionally, organizations should review and harden server configurations, disable unnecessary services, and ensure the principle of least privilege is applied to the Knowage-Server process to limit the potential damage from exploitation. Finally, maintain an incident response plan tailored to handle potential RCE incidents involving business intelligence platforms.


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-09-23T14:33:49.506Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68db1ba69eb02b06e7e4affc

Added to database: 9/29/2025, 11:52:06 PM

Last enriched: 9/29/2025, 11:52:34 PM

Last updated: 9/30/2025, 4:24:24 AM
