April 17, 2025
Severity
High
Analysis Summary
CVE-2025-24907 CVSS: 6.8
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not sanitize user input that is used as a file path through the CGG Draw API.
CVE-2025-24908 CVSS: 6.8
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not sanitize user input that is used as a file path through the UploadFile service.
CVE-2025-24909 CVSS: 4.4
Hitachi Vantara Pentaho Business Analytics Server versions prior to 10.2.0.2, including 9.3.x and 8.3.x, allow a malicious URL to inject content into the Analyzer plugin interface.
CVE-2025-24910 CVSS: 4.9
Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.2, including 9.3.x and 8.3.x, do not correctly protect the Pentaho Data Integration MessageSourceCrawler against out-of-band XML External Entity (XXE) references.
CVE-2025-24911 CVSS: 4.9
Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.2, including 9.3.x and 8.3.x, do not correctly protect the Data Access XMLParserFactoryProducer against out-of-band XML External Entity (XXE) references.
CVE-2025-0756 CVSS: 9.1
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not restrict JNDI identifiers during the creation of platform data sources.
CVE-2025-0757 CVSS: 4.4
Hitachi Vantara Pentaho Business Analytics Server versions prior to 10.2.0.2, including 9.3.x and 8.3.x, allow a malicious URL to inject content into the Analyzer plugin interface.
CVE-2025-0758 CVSS: 6.1
Hitachi Vantara Pentaho Business Analytics Server versions prior to 10.2.0.2, including 9.3.x and 8.3.x, are installed with Karaf JMX beans enabled and accessible by default.
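CVE-2025-24907 and CVE-2025-24908 above share one defect class: a caller-supplied string is used as a file path without being confined to the directory the service is meant to serve. The Python below is an added illustration of that class and of the containment check that closes it; it is not Pentaho code, and the base directory and inputs are constructed placeholders.

```python
import os
from pathlib import Path

# Constructed placeholder for the directory a file-serving endpoint is meant to expose.
BASE_DIR = "/srv/app/uploads"


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would leave the base directory."""


def unsafe_join(base_dir: str, user_path: str) -> str:
    # Vulnerable pattern: join and go. os.path.join discards base_dir when
    # user_path is absolute, and '..' segments are never collapsed or checked.
    return os.path.join(base_dir, user_path)


def resolve_under_base(base_dir: str, user_path: str) -> Path:
    """Return the canonical path for user_path inside base_dir, or raise."""
    if "\x00" in user_path:
        raise PathTraversalError("NUL byte in path")
    if os.path.isabs(user_path):
        raise PathTraversalError("absolute paths are not accepted")
    base = Path(base_dir).resolve()
    # resolve() collapses '..' segments and follows symlinks, so the
    # comparison is made on the real location, not on the raw string.
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathTraversalError(f"path escapes base directory: {user_path!r}") from None
    return candidate


def is_contained(base_dir: str, user_path: str) -> bool:
    """Boolean form of the check, convenient for request validation."""
    try:
        resolve_under_base(base_dir, user_path)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    for p in ["reports/q1.png", "../etc/passwd", "/etc/passwd", "a/../../b"]:
        print(f"{p!r}: unsafe -> {unsafe_join(BASE_DIR, p)}  contained={is_contained(BASE_DIR, p)}")
```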
Impact
- Gain Access
- Code Execution
- Cross-Site Scripting
Indicators of Compromise
CVE
CVE-2025-24907
CVE-2025-24908
CVE-2025-24909
CVE-2025-24910
CVE-2025-24911
CVE-2025-0756
CVE-2025-0757
CVE-2025-0758
Affected Vendors
- Hitachi Vantara
Affected Products
- Hitachi Vantara Pentaho Business Analytics Server 1.0 – 9.4
- Hitachi Vantara Pentaho Business Analytics Server 10.0 – 10.2.0.2
- Hitachi Vantara Pentaho Data Integration and Analytics - 10.2.0.2
Remediation
Refer to Hitachi Energy Website for patch, upgrade, or suggested workaround information.