Cyber Posture

CVE-2025-11158

Critical

Published: 10 March 2026

Modified: 06 May 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: fixed in version 10.2.0.6
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0002 (5.1th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-11158 is a critical-severity Missing Authorization (CWE-862) vulnerability in Hitachi Vantara Pentaho Data Integration and Analytics. Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 5.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly mitigates the vulnerability by requiring timely application of vendor patches, i.e. upgrading to version 10.2.0.6 or later, which restricts arbitrary Groovy scripts in PRPT reports.
- prevent: Enforces access control policies so that user-published PRPT reports cannot contain and execute unauthorized Groovy scripts, addressing the core missing-authorization flaw.
- prevent: Limits the privileges required to publish PRPT reports, reducing the number of high-privilege accounts (PR:H) that could be abused for RCE via arbitrary script insertion.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

Missing authorization allows arbitrary Groovy script execution in published PRPT reports, which directly enables RCE: T1190 covers exploitation of the public-facing application, and T1059 covers the abuse of the scripting interpreter.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of arbitrary scripts and leading to RCE.

Deeper analysis

CVE-2025-11158 is a missing authorization vulnerability (CWE-862) affecting Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including the 9.3.x and 8.3.x branches. The flaw arises because the software does not restrict Groovy scripts in new PRPT reports published by users, enabling the insertion of arbitrary scripts. This leads to remote code execution (RCE), with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

An attacker with high privileges, such as an authenticated user permitted to publish reports, can exploit this over the network with low attack complexity and no user interaction. A malicious PRPT report containing arbitrary Groovy scripts yields RCE with high impact on confidentiality, integrity, and availability, and the scope change (S:C) means the impact extends beyond the vulnerable component itself.

Hitachi Vantara's advisory confirms the issue is resolved in version 10.2.0.6, recommending upgrades for affected versions prior to that release. Additional details are available in the vendor support article and an OX Security blog post analyzing the vulnerability.

Details

CWE(s)

CWE-862 Missing Authorization

Affected Products

Hitachi Vantara Pentaho Data Integration and Analytics ≤ 10.2.0.6

CVEs Like This One

- CVE-2025-53825 (shared CWE-862)
- CVE-2026-34184 (shared CWE-862)
- CVE-2025-67974 (shared CWE-862)
- CVE-2026-28254 (shared CWE-862)
- CVE-2026-3266 (shared CWE-862)
- CVE-2025-69297 (shared CWE-862)
- CVE-2025-69186 (shared CWE-862)
- CVE-2026-25456 (shared CWE-862)
- CVE-2025-13493 (shared CWE-862)
- CVE-2026-30968 (shared CWE-862)

References