Cyber Resilience

CVE-2025-11158

Critical

Published: 10 March 2026
Modified: 06 May 2026
KEV Added: not listed
Patch: available (fixed in 10.2.0.6)
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0038 (30.0th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2025-11158 is a critical-severity Missing Authorization (CWE-862) vulnerability in Hitachi Vantara Pentaho Data Integration And Analytics. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190), with the caveat that the vector requires an authenticated account that can already publish reports (PR:H), not an anonymous request. EPSS ranks it at the 30.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-11158 is a missing authorization vulnerability (CWE-862) affecting Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including the 9.3.x and 8.3.x branches. The flaw arises because the software does not restrict Groovy scripts in new PRPT reports published by users, enabling the insertion of arbitrary scripts. This leads to remote code execution (RCE), with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

Exploitation needs an account that already holds report-publishing rights (PR:H), but from there it is a single network request of low complexity with no user interaction. The attacker publishes a PRPT report carrying an arbitrary Groovy expression; the script executes on the server when the report is run, in the context of the Pentaho server process rather than within the publishing user's own authorization. That is why the vector carries a scope change (S:C) alongside high impact on confidentiality, integrity, and availability.

Hitachi Vantara's advisory confirms the issue is resolved in version 10.2.0.6, recommending upgrades for affected versions prior to that release. Additional details are available in the vendor support article and an OX Security blog post analyzing the vulnerability.
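Because the attacker this CVE describes is an authenticated report publisher, the first check after upgrading is whether anyone has already published a report that carries Groovy. The following is an added example, not code from this page or from Hitachi Vantara: it opens PRPT bundles (ZIP containers of XML parts) and flags any part that references Groovy or the calls a script would use to reach the operating system. The part names, element names and indicator strings are assumptions constructed for the example, so expect to tune them against a real bundle from your own version; the scanned files are treated as hostile input, since they were uploaded by exactly the class of user the CVE names as the attacker.

```python
import io
import re
import zipfile
from typing import Dict, List, Tuple

# Indicators to flag inside report XML parts. "groovy" catches the scripting
# language itself; the rest are calls a script needs to reach the OS or load
# classes. Constructed for this example, not an official signature set.
INDICATORS = {
    "groovy-script": re.compile(rb"groovy", re.IGNORECASE),
    "process-exec": re.compile(rb"Runtime\.getRuntime\(\)|ProcessBuilder|\.execute\(\)"),
    "reflection-load": re.compile(rb"Class\.forName\(|ScriptEngineManager"),
}

# Refuse to inflate oversized parts: the bundles come from users who could be
# the attacker, so a decompression bomb is a realistic failure mode.
MAX_PART_BYTES = 8 * 1024 * 1024


def scan_prpt_bytes(data: bytes) -> List[Tuple[str, str]]:
    """Return (part name, indicator) pairs for every XML part of a PRPT bundle
    that matches an indicator. Raises ValueError for non-ZIP input."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not a ZIP container; PRPT bundles are ZIP files")
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as bundle:
        for info in bundle.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".xml"):
                continue
            if info.file_size > MAX_PART_BYTES:
                findings.append((info.filename, "oversized-part-skipped"))
                continue
            part = bundle.read(info)
            for name, pattern in INDICATORS.items():
                if pattern.search(part):
                    findings.append((info.filename, name))
    return findings


def scan_prpt_file(path: str) -> List[Tuple[str, str]]:
    """Scan one .prpt file on disk."""
    with open(path, "rb") as fh:
        return scan_prpt_bytes(fh.read())


def build_sample_prpt(parts: Dict[str, str]) -> bytes:
    """Pack XML parts into an in-memory ZIP laid out like a PRPT bundle.
    Used here only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as bundle:
        for name, xml in parts.items():
            bundle.writestr(name, xml)
    return buf.getvalue()


# Constructed sample reports; element and attribute names are illustrative.
BENIGN_REPORT = build_sample_prpt({
    "content.xml": '<report><band><label value="Quarterly sales"/></band></report>',
    "datadefinition.xml": '<data-definition><query name="sales" language="sql"/></data-definition>',
})

MALICIOUS_REPORT = build_sample_prpt({
    "content.xml": '<report><band><label value="Quarterly sales"/></band></report>',
    "datadefinition.xml": (
        '<data-definition><expression name="x" language="groovy">'
        '<![CDATA[ ["sh","-c","id"].execute() ]]></expression></data-definition>'
    ),
})


if __name__ == "__main__":
    import sys
    # Usage: python scan_prpt.py /path/to/repo/*.prpt
    for path in sys.argv[1:]:
        for part, indicator in scan_prpt_file(path):
            print(f"{path}: {part}: {indicator}")
```

A hit on "groovy-script" alone is not proof of compromise, since legitimate reports may use scripted expressions; a hit on "process-exec" or "reflection-load" in a user-published report is the finding to escalate, together with the publishing account from the server's audit trail.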

Vulnerability details

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of arbitrary scripts and leading to a RCE.

CWE(s)

CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Missing authorization allows arbitrary Groovy script execution in published PRPT reports, directly enabling RCE via T1190 (public-facing app exploitation) and T1059 (scripting interpreter abuse).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-11159 · Same product: Hitachi Vantara Pentaho Data Integration And Analytics
CVE-2024-11816 · Shared CWE-862
CVE-2025-53825 · Shared CWE-862
CVE-2026-34184 · Shared CWE-862
CVE-2025-69311 · Shared CWE-862
CVE-2026-3266 · Shared CWE-862
CVE-2026-45438 · Shared CWE-862
CVE-2025-23477 · Shared CWE-862
CVE-2025-68834 · Shared CWE-862
CVE-2026-22663 · Shared CWE-862

Affected Assets

Hitachi Vantara Pentaho Data Integration and Analytics
Versions before 10.2.0.6 (10.2.0.6 is the fixed release; the 9.3.x and 8.3.x branches are affected)

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation · prevent

Directly mitigates the vulnerability by requiring timely application of vendor patches or upgrades to versions such as 10.2.0.6 that restrict arbitrary Groovy scripts in PRPT reports.

AC-3 Access Enforcement · prevent

Enforces access control policies that stop user-published PRPT reports from containing and executing unauthorized Groovy scripts, addressing the core missing authorization flaw.

Least privilege · prevent

Limits the privileges required to publish PRPT reports, reducing the number of high-privilege accounts (PR:H) that could be used for RCE via arbitrary script insertion.
