External risk intelligence

Pentaho Data Integration could allow internal attacker to run malicious code

CVE advisory

Severity: HIGH (CVSS 7.2)

CVE-2025-11159

An internal attacker with administrative access to Pentaho Data Integration & Analytics could exploit a flaw in database connection settings to run malicious code. This could allow them to take full control of the host server and access sensitive information.

Halo Surface Signal: 2

Affected product: Hitachi Vantara Pentaho Data Integration And Analytics, versions before 10.2.0.7

External exposure likelihood

Halo Surface Signal score for CVE-2025-11159

This vulnerability requires an attacker to possess authenticated data source administrator privileges. Because the exploit relies on internal configuration actions within the application rather than unauthenticated, public-facing network requests, direct exposure of this attack vector to the public internet is uncommon.

Horizon Alert

Summary of the vulnerability and why it matters

Hitachi Vantara Pentaho Data Integration & Analytics has a vulnerability in its H2 database JDBC driver. This issue allows for the execution of external scripts when a data source administrator creates a new connection. This is a significant concern because it could lead to unauthorized code execution within the affected systems.

  • Allows unauthorized code execution.
  • Affects data source administrators.
  • Requires existing administrator access.

Attack Path

How an attacker could exploit the issue

An attacker with administrator access to Pentaho Data Integration could exploit this by configuring a malicious data source, allowing them to execute arbitrary code on the server when the JDBC driver connects. This could lead to full system compromise.

  • Requires administrator privileges.
  • Targets data source creation.
  • JDBC driver connection is the trigger.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability requires authenticated administrator privileges to exploit, making its direct weaponization for widespread public attacks less likely. Attackers typically favor vulnerabilities that allow unauthenticated access or exploit public-facing services for maximum impact. While sophisticated attackers might target specific organizations with this, it's not a prime candidate for broad, opportunistic campaigns.

  • Requires authenticated access.
  • Not a public-facing exploit.
  • Exploitation is complex.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize immediate investigation for signs of exploitation of Hitachi Vantara Pentaho Data Integration & Analytics, focusing on any H2 database connections newly created by administrators. Given the severity rating and the potential for external script execution, isolate affected services if any compromise is detected or if patching is delayed.

  • Review logs for suspicious connection creations.
  • Block or restrict new H2 connections.
  • Apply patch version 10.2.0.7 or 11.0.0.0.
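As an added detection example (not part of this advisory or of Hitachi Vantara's tooling), the script below checks an installed version against the fixed releases named above and pulls H2 connection creations out of a constructed administrator log; the log field layout, the user names and the URLs are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed sample log: an assumed "key=value" layout for connection
# administration events. This is not Pentaho's real audit format.
SAMPLE_LOG = """\
2025-10-01T09:12:03Z user=alice action=create_connection name=sales_dw url=jdbc:postgresql://db01:5432/sales
2025-10-01T09:40:17Z user=bob action=create_connection name=scratch url=jdbc:h2:mem:test
2025-10-01T10:02:55Z user=bob action=create_connection name=import url=jdbc:h2:/tmp/import;MODE=MySQL
2025-10-01T10:05:00Z user=alice action=delete_connection name=scratch url=jdbc:h2:mem:test
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"name=(?P<name>\S+) url=(?P<url>\S+)$"
)

# Releases the advisory names as carrying the fix.
FIXED_VERSIONS = ((10, 2, 0, 7), (11, 0, 0, 0))


def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str) -> bool:
    """Per the advisory, releases before 10.2.0.7 are affected; 10.2.0.7 and
    11.0.0.0 carry the fix. Anything at or above 10.2.0.7 is treated as fixed."""
    return parse_version(version) < FIXED_VERSIONS[0]


def flag_h2_connections(log_text: str) -> List[Dict[str, str]]:
    """Return every connection-creation event whose JDBC URL targets H2.
    Driver settings embedded after ';' in the URL are the part a data source
    administrator controls, so they are split out for separate review."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "create_connection":
            continue
        url = m["url"]
        if not url.lower().startswith("jdbc:h2:"):
            continue
        base, _, settings = url.partition(";")
        findings.append({"ts": m["ts"], "user": m["user"], "name": m["name"],
                         "url": base, "settings": settings})
    return findings


if __name__ == "__main__":
    print("affected (10.2.0.6):", is_affected("10.2.0.6"))
    for finding in flag_h2_connections(SAMPLE_LOG):
        print(finding)
```

Feed it the real log export and the real installed version; every returned record is an H2 data source an administrator created and should be reviewed or restricted until the patch is applied.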

Frequently asked questions

What is the nature of the security vulnerability in Hitachi Vantara Pentaho Data Integration & Analytics?

Hitachi Vantara Pentaho Data Integration & Analytics contains a vulnerability within its H2 database JDBC driver. This vulnerability allows for the execution of external scripts when a data source administrator establishes a new connection, potentially leading to unauthorized code execution.

How is the external script execution vulnerability triggered in Pentaho Data Integration?

The vulnerability is triggered when a data source administrator creates a new connection to an H2 database within Hitachi Vantara Pentaho Data Integration & Analytics. The JDBC driver's handling of this new connection can be exploited to execute external scripts.

What is the potential impact of this Pentaho Data Integration vulnerability?

Successful exploitation of this vulnerability could allow an attacker with administrator privileges to execute arbitrary code on the server. This could lead to a full system compromise.

How relevant is CVE-2025-11159 for widespread exploitation, and what is the practical mitigation?

This vulnerability is considered unlikely to be widely exploited because it requires authenticated data source administrator privileges. Remediation involves patching to version 10.2.0.7 or 11.0.0.0, and investigating logs for suspicious new H2 database connections created by administrators.

What actions should be taken to address the Pentaho Data Integration vulnerability?

Immediate actions include investigating for signs of exploitation by reviewing logs for suspicious H2 database connection creations by administrators. If compromise is detected or patching is delayed, isolate affected services. The definitive solution is to apply patch version 10.2.0.7 or 11.0.0.0.
