CVE-2025-0756

Critical

Published: 16 April 2025
Modified: 15 April 2026
CISA KEV: not listed
CVSS v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS: 0.0066 (71.7th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-0756 is a critical-severity improper control of resource identifiers ("Resource Injection", CWE-99) vulnerability in Hitachi Vantara Pentaho Data Integration & Analytics. Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, it ranks in the top 28.3% of CVEs by EPSS-estimated exploit likelihood, and it is not currently listed in the CISA KEV catalog.

Deeper analysis

Hitachi Vantara Pentaho Data Integration & Analytics versions prior to 10.2.0.2, including the 9.3.x and 8.3.x branches, contain an improper control of resource identifiers vulnerability (CWE-99). The product does not restrict the JNDI identifiers supplied when platform data sources are created, so an upstream input can name a resource outside the intended control sphere. Because a JNDI lookup dispatches URL-style names (for example ldap:// or rmi://) to the corresponding naming provider, an unrestricted identifier is not merely a mis-named local resource but a pointer the naming service will follow.

An authenticated attacker with administrative privileges on the Pentaho server (matching PR:H in the CVSS vector) can supply a crafted JNDI name that resolves to arbitrary local or remote resources. Successful exploitation grants the ability to read or modify configuration files and other sensitive data, and can be escalated to remote code execution on the underlying host; the S:C component of the vector reflects that the impact reaches beyond the Pentaho application itself.

The vendor advisory directs customers to upgrade to version 10.2.0.2 or later, which validates JNDI identifiers during data-source creation. Until the upgrade is applied, exposure depends on who can reach the data-source creation interface with administrative rights, so tightening administrative access reduces but does not remove the risk.

EPSS for the CVE has ranged between a 0.0066 baseline (its current value) and a post-disclosure peak of 0.0166, a modest and temporary rise in estimated exploitation probability rather than evidence of active exploitation.

Vulnerability details

Overview: The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. (CWE-99)

Description: Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not restrict JNDI identifiers during the creation of platform data sources.

Impact: An attacker could gain access to or modify sensitive data or system resources. This could allow access to protected files or directories including configuration files and files containing sensitive information, which can lead to remote code execution by unauthorized users.
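The weakness described in the analysis above and in this CWE-99 description, shown as an added example that is not code from this page or from Hitachi Vantara: a caller-supplied JNDI name handed straight to Context.lookup, beside the same lookup gated by an allow-list on the naming namespace. The java:comp/env/jdbc/ prefix, the 64-character leaf limit, the sample names and the 203.0.113.x addresses are assumptions chosen for illustration, not Pentaho's actual data-source configuration.

```java
import java.util.Locale;
import java.util.regex.Pattern;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.sql.DataSource;

public class JndiDataSourceGuard {

    // Assumption for this example: legitimate platform data sources live only under
    // the container-local JDBC namespace. Anything else is outside the control sphere.
    private static final String ALLOWED_PREFIX = "java:comp/env/jdbc/";

    // Leaf names are a short, conservative character set; no separators, no schemes.
    private static final Pattern LEAF = Pattern.compile("[A-Za-z0-9_.-]{1,64}");

    // Vulnerable pattern: the identifier from the request goes to the naming service
    // unchanged, so "ldap://host/x" or "rmi://host/y" is resolved by that provider.
    static DataSource lookupUnchecked(Context ctx, String jndiName) throws NamingException {
        return (DataSource) ctx.lookup(jndiName);
    }

    // Hardened form: reject URL-style names, then confine the name to the allow-listed
    // namespace and return the canonical identifier that will actually be looked up.
    static String validateJndiName(String jndiName) {
        if (jndiName == null || jndiName.isEmpty()) {
            throw new IllegalArgumentException("JNDI name required");
        }
        String lower = jndiName.toLowerCase(Locale.ROOT);
        // Any "scheme:" other than "java:" (ldap:, rmi:, dns:, iiop:, ...) selects a
        // different naming provider; "://" catches URL forms regardless of scheme.
        if (lower.contains("://") || (lower.indexOf(':') >= 0 && !lower.startsWith("java:"))) {
            throw new IllegalArgumentException("URL-style JNDI name rejected: " + jndiName);
        }
        // Accept the bare leaf ("salesDb") or the full allow-listed path; nothing else.
        String leaf = jndiName.startsWith(ALLOWED_PREFIX)
                ? jndiName.substring(ALLOWED_PREFIX.length())
                : jndiName;
        if (leaf.contains("/") || leaf.contains(":") || !LEAF.matcher(leaf).matches()) {
            throw new IllegalArgumentException("JNDI name outside allowed namespace: " + jndiName);
        }
        return ALLOWED_PREFIX + leaf;
    }

    static DataSource lookupChecked(Context ctx, String jndiName) throws NamingException {
        return (DataSource) ctx.lookup(validateJndiName(jndiName));
    }

    // Exercises the validator only; a real lookup needs a container-provided Context.
    public static void main(String[] args) {
        // Constructed sample inputs: two legitimate forms, three that should never reach lookup.
        String[] samples = {
            "salesDb",
            "java:comp/env/jdbc/salesDb",
            "ldap://203.0.113.5:1389/a",     // remote LDAP provider
            "rmi://203.0.113.5:1099/Exploit", // remote RMI provider
            "../../etc/shadow"                // path escape within the local namespace
        };
        for (String s : samples) {
            try {
                System.out.println(s + " -> accepted as " + validateJndiName(s));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The point of the allow-list over a deny-list is that JNDI accepts several provider schemes (ldap:, rmi:, dns:, iiop: among them), so stripping one known-bad prefix leaves the rest reachable; confining the name to a single local namespace and a narrow character set closes the whole class.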

CWE(s)

CWE-99: Improper Control of Resource Identifiers ("Resource Injection")

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Hitachi Vantara Pentaho Data Integration & Analytics (category: Analytics; inferred from references and description, since NVD did not file a CPE for this CVE)

Mitigating Controls

No mitigating controls have been mapped yet; the per-CVE control annotator has not reached this CVE. The vendor-supported fix is the upgrade to version 10.2.0.2 or later noted above.