CVE-2025-0756
Published: 16 April 2025
Summary
CVE-2025-0756 is a critical-severity Resource Injection (CWE-99) vulnerability. Its CVSS base score is 9.1 (Critical).
Operationally, ranked in the top 28.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Hitachi Vantara Pentaho Data Integration & Analytics versions prior to 10.2.0.2, including the 9.3.x and 8.3.x branches, contain an improper control of resource identifiers vulnerability (CWE-99). The product fails to restrict JNDI identifiers supplied when platform data sources are created, allowing an upstream input to reference resources outside the intended control sphere.
An authenticated attacker with administrative privileges on the Pentaho server can supply a crafted JNDI name that resolves to arbitrary local or remote resources. Successful exploitation grants the ability to read or modify configuration files and other sensitive data, and can be escalated to remote code execution on the underlying host.
The vendor advisory directs customers to upgrade to version 10.2.0.2 or later, which enforces proper validation of JNDI identifiers during data-source creation.
EPSS for the CVE rose from a low baseline of 0.0066 to a peak of 0.0166, indicating increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-11536
Vulnerability details
Overview The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. (CWE-99) Description…
more
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not restrict JNDI identifiers during the creation of platform data sources. Impact An attacker could gain access to or modify sensitive data or system resources. This could allow access to protected files or directories including configuration files and files containing sensitive information, which can lead to remote code execution by unauthorized users.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.