CVE-2025-9122 is a vulnerability classified under CWE-209, which involves the generation of error messages containing sensitive information. Specifically, in Hitachi Vantara Pentaho Data Integration and Analytics Community Dashboard Framework versions prior to 10.2.0.4 (including 9.3.0.x and 8.3.x), the GetCdfResource servlet improperly handles errors by displaying the full server stack trace to the client. This stack trace can include sensitive details such as file paths, configuration data, internal class names, and other implementation specifics. Such information disclosure can facilitate attackers in understanding the internal workings of the application, enabling more effective exploitation of other vulnerabilities or targeted attacks. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, increasing its risk profile. However, it does not allow direct modification of data or denial of service, limiting its impact to confidentiality. No known exploits are currently reported in the wild. The CVSS v3.1 base score is 5.3, reflecting a medium severity level due to the ease of exploitation and confidentiality impact. The vulnerability affects multiple versions of Pentaho, a widely used data integration and analytics platform, which is often deployed in enterprise environments for business intelligence and data processing tasks.

For European organizations, this vulnerability poses a risk primarily to the confidentiality of sensitive information. Disclosure of stack traces can reveal internal server architecture, software versions, and configuration details that attackers can leverage to identify further vulnerabilities or craft targeted attacks. Organizations relying on Pentaho for critical data analytics and integration may face increased reconnaissance activity, potentially leading to more severe breaches if combined with other vulnerabilities. Although the vulnerability does not directly affect data integrity or system availability, the exposure of sensitive information can undermine trust and compliance with data protection regulations such as GDPR. Industries with high data sensitivity, including finance, healthcare, and government sectors, are particularly vulnerable. The ease of remote exploitation without authentication means attackers can probe systems externally, increasing the attack surface. This may lead to increased targeted attacks against European enterprises using affected Pentaho versions, especially if patches are not applied promptly.

The primary mitigation is to upgrade Hitachi Vantara Pentaho Data Integration and Analytics to version 10.2.0.4 or later, where this vulnerability has been addressed. If immediate upgrade is not feasible, organizations should implement custom error handling to suppress detailed stack traces from being displayed to end users, ensuring only generic error messages are shown. Web application firewalls (WAFs) can be configured to detect and block requests that trigger error stack traces or suspicious servlet access patterns. Conduct thorough code reviews and configuration audits to verify that error handling follows security best practices. Additionally, restrict access to the GetCdfResource servlet to trusted networks or authenticated users where possible. Monitor logs for unusual error patterns that may indicate exploitation attempts. Educate development and operations teams about secure error handling to prevent similar issues in future deployments. Finally, maintain an up-to-date inventory of Pentaho versions in use across the organization to prioritize patching efforts.