August 29, 2025
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
Multiple Microsoft Products Vulnerabilities
April 17, 2025
ICS: Multiple Siemens TeleControl Server Vulnerabilities
April 17, 2025
Multiple Microsoft Products Vulnerabilities
April 17, 2025
ICS: Multiple Siemens TeleControl Server Vulnerabilities
April 17, 2025
Severity
High
Analysis Summary
CVE-2025-24907 CVSS:6.8
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not sanitize a user input used as a file path through the CGG Draw API.
CVE-2025-24908 CVSS:6.8
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not sanitize a user input used as a file path through the UploadFile service.
CVE-2025-24909 CVSS:4.4
Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.2, including 9.3.x and 8.3.x, allow a malicious URL to inject content into the Analyzer plugin interface.
CVE-2025-24910 CVSS:4.9
Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.2, including 9.3.x and 8.3.x, do not correctly protect Pentaho Data Integration MessageSourceCrawler against out-of-band XML External Entity Reference.
CVE-2025-24911 CVSS:4.9
Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.2, including 9.3.x and 8.3.x, do not correctly protect Data Access XMLParserFactoryProducer against out-of-band XML External Entity Reference.
CVE-2025-0756 CVSS:9.1
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not restrict JNDI identifiers during the creation of platform data sources.
CVE-2025-0757 CVSS:4.4
Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.2, including 9.3.x and 8.3.x, allow a malicious URL to inject content into the Analyzer plugin interface.
CVE-2025-0758 CVSS:6.1
Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.2, including 9.3.x and 8.3.x, is installed with Karaf JMX beans enabled and accessible by default.
Impact
- Gain Access
- Code Execution
- Cross-Site Scripting
Indicators of Compromise
CVE
CVE-2025-24907
CVE-2025-24908
CVE-2025-24909
CVE-2025-24910
CVE-2025-24911
CVE-2025-0756
CVE-2025-0757
CVE-2025-0758
Affected Vendors
Hitachi
Affected Products
- Hitachi Vantara Pentaho Business Analytics Server 1.0 – 9.4
- Hitachi Vantara Pentaho Business Analytics Server 10.0 – 10.2.0.2
- Hitachi Vantara Pentaho Data Integration and Analytics - 10.2.0.2
Remediation
Refer to Hitachi Energy Website for patch, upgrade, or suggested workaround information.