18 Apr

Hitachi Vantara has issued a critical security advisory addressing a serious vulnerability in its widely used Pentaho Data Integration & Analytics platform. Tracked as CVE-2025-0756 with a CVSS score of 9.1, this flaw stems from improper control over resource identifiers, commonly referred to as a "Resource Injection" vulnerability, and can lead to remote code execution under certain conditions.
"The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control," the advisory explains.
The vulnerability impacts the following versions:
- Pentaho Data Integration & Analytics versions prior to 10.2.0.2
- All releases in the 9.3.x and 8.3.x branches

At the core of this issue is the improper handling of Java Naming and Directory Interface (JNDI) identifiers during the creation of platform data sources. The platform fails to validate the identifiers' origin or destination, potentially allowing an attacker to redirect application logic or system processes to unauthorized or malicious endpoints.
"Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not restrict JNDI identifiers during the creation of platform data sources," reads the official disclosure.
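The weakness the advisory describes is a data-source creation path that passes a caller-supplied JNDI identifier straight to a lookup. The control that closes it is an allowlist on the identifier itself: accept only names under the container's local JDBC namespace, reject anything carrying a URL scheme that would direct the lookup to a naming service the caller chose, and reject leaf names that are not a single well-formed path component. The following is an added example written for this article, not Pentaho's own code or its fix; it is in Python for readability although the platform is Java, and the `java:comp/env/jdbc/` prefix, the function names and the sample requests are all assumptions constructed for the illustration.

```python
import re

# Only JNDI names under the container's local JDBC namespace are accepted.
# Assumption for this example: data sources are bound under this prefix;
# adjust it to the namespace a given deployment actually uses.
ALLOWED_PREFIX = "java:comp/env/jdbc/"

# URL schemes that make a JNDI lookup contact a naming service chosen by the
# caller instead of the container's local context.
REMOTE_SCHEMES = {"ldap", "ldaps", "rmi", "iiop", "iiopname", "corbaname", "dns", "nis"}

# The leaf name must be one path component: no separators and no "." / "..".
_LEAF_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")


class JndiNameRejected(ValueError):
    """Raised when a caller-supplied JNDI identifier fails validation."""


def validate_jndi_name(name: str) -> str:
    """Return `name` unchanged if it is a safe local JDBC reference, else raise."""
    if not isinstance(name, str) or not name:
        raise JndiNameRejected("JNDI name is empty")
    if any(ord(ch) < 0x20 or ch.isspace() for ch in name):
        raise JndiNameRejected("JNDI name contains whitespace or control characters")
    scheme, sep, _ = name.partition(":")
    if sep and (scheme.lower() in REMOTE_SCHEMES or "://" in name):
        raise JndiNameRejected(f"remote naming scheme not permitted: {scheme}")
    if not name.startswith(ALLOWED_PREFIX):
        raise JndiNameRejected(f"JNDI name must start with {ALLOWED_PREFIX}")
    leaf = name[len(ALLOWED_PREFIX):]
    if not _LEAF_RE.fullmatch(leaf):
        raise JndiNameRejected("JNDI leaf name is not a single well-formed component")
    return name


def is_allowed_jndi_name(name: str) -> bool:
    """Boolean form of validate_jndi_name for callers that only need a verdict."""
    try:
        validate_jndi_name(name)
        return True
    except JndiNameRejected:
        return False


def screen_datasource_requests(requests):
    """Apply the check to a batch of (datasource_name, jndi_name) pairs.

    Returns a dict mapping datasource_name -> (accepted, reason), which is the
    shape an audit log or admin UI would want.
    """
    results = {}
    for ds_name, jndi_name in requests:
        try:
            validate_jndi_name(jndi_name)
            results[ds_name] = (True, "ok")
        except JndiNameRejected as exc:
            results[ds_name] = (False, str(exc))
    return results


# Constructed sample requests (not real Pentaho input). The first two are the
# local references a data source should carry; the rest are identifier shapes
# an unrestricted creation path would have passed through to the lookup.
SAMPLE_REQUESTS = [
    ("sales_dw",   "java:comp/env/jdbc/sales_dw"),
    ("hr_reports", "java:comp/env/jdbc/hr-reports.v2"),
    ("outbound",   "ldap://naming.example.invalid/cn=ds"),
    ("traversal",  "java:comp/env/jdbc/../secrets"),
    ("nested",     "java:comp/env/jdbc/a/b"),
]

if __name__ == "__main__":
    for ds, (ok, reason) in screen_datasource_requests(SAMPLE_REQUESTS).items():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {ds:12} {reason}")
```

The check is deliberately prefix-first rather than blocklist-first: the scheme set only exists to give a precise rejection reason, and a name that is not under the local namespace is refused whether or not its scheme is in the set. Applying the same validation when an existing data source is edited, not only when it is created, keeps the allowlist from being bypassed through the update path.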
The consequences of exploiting this flaw can be severe:
- Unauthorized access to protected configuration files
- Exposure of sensitive data
- Manipulation of internal data sources
- Potential execution of remote code

"An attacker could gain access to or modify sensitive data or system resources," the advisory warns. "This could allow access to protected files or directories including configuration files and files containing sensitive information, which can lead to remote code execution by unauthorized users."
Such an attack could undermine the confidentiality and integrity of enterprise data pipelines managed within Pentaho environments.
The safest course of action is to install version 10.2.0.2 or later, which contains the patch.
