Cloud Software Group has released security advisories addressing critical vulnerabilities in its Spotfire products that could allow attackers to execute arbitrary code and compromise systems. The advisories detail two distinct vulnerabilities: CVE-2025-3114 and CVE-2025-3115.
CVE-2025-3114: Spotfire Code Execution Vulnerability
According to the advisory, the core issue is that attackers could "create specially crafted files with embedded code that may execute without adequate security validation, potentially leading to system compromise," and that a "flaw in the TERR security mechanism allows attackers to bypass sandbox restrictions, enabling the execution of untrusted code without appropriate controls."
Successful exploitation of this vulnerability could grant attackers the ability to "execute arbitrary code, bypass security controls, and compromise the system." The severity of this vulnerability is reflected in its CVSS v4.0 Base Score of 9.4 (Critical).
This vulnerability affects a range of Spotfire products, including:
Spotfire Enterprise Runtime for R
Spotfire Statistics Services
Spotfire Analyst
Deployment Kit used in Spotfire Server
Spotfire Desktop
Spotfire for AWS Marketplace
CVE-2025-3115: Spotfire Data Function Vulnerability
This vulnerability also affects a broad spectrum of Spotfire products, including those listed for CVE-2025-3114, as well as Spotfire Service for Python and Spotfire Service for R.
The identified vulnerabilities in Spotfire's Data Functions could allow attackers to exploit the system through "injection vulnerabilities" and "insufficient validation of filenames during file uploads."
Successful exploitation could enable attackers to βinject malicious code, gain control over the execution environment, and execute arbitrary files through improperly validated file uploads.β This vulnerability also has a CVSS v4.0 Base Score of 9.4 (Critical).
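The advisory names "insufficient validation of filenames during file uploads" as one root cause. The following is an added, generic illustration of what adequate validation looks like on the server side; it is example code written for this article, not Spotfire's code, and the allowed extensions, length limit and upload directory are assumptions. The name check is an allow-list rather than a blocklist, and a second, independent containment check confirms the resolved path never leaves the upload directory.

```python
import os
import re
import unicodedata

# Assumptions for this example (not from the advisory): the upload endpoint
# only accepts plain data files, and stores them under a single directory.
ALLOWED_EXTENSIONS = {".csv", ".txt", ".json"}
MAX_NAME_LEN = 128
# One safe character class, no leading dot (blocks hidden files and ".."),
# and no path separators or control characters.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def validate_upload_filename(name: str) -> str:
    """Return the filename if it is safe to use as a bare basename, else raise ValueError.

    The check is an allow-list: anything not explicitly permitted is rejected,
    rather than trying to strip dangerous characters out of a hostile name.
    """
    if not isinstance(name, str) or not name:
        raise ValueError("empty filename")
    if "\x00" in name:
        raise ValueError("NUL byte in filename")
    # Normalise so visually identical Unicode variants are judged the same way.
    name = unicodedata.normalize("NFKC", name)
    if len(name) > MAX_NAME_LEN:
        raise ValueError("filename too long")
    if "/" in name or "\\" in name:
        raise ValueError("path separator in filename")
    if ".." in name:
        raise ValueError("parent-directory reference in filename")
    if not _SAFE_NAME.fullmatch(name):
        raise ValueError("filename contains disallowed characters")
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not permitted")
    return name


def is_safe_filename(name: str) -> bool:
    """Boolean wrapper around validate_upload_filename for call sites that prefer a flag."""
    try:
        validate_upload_filename(name)
        return True
    except ValueError:
        return False


def resolve_upload_path(upload_dir: str, name: str) -> str:
    """Validate the name, then confirm the final path stays inside upload_dir.

    The containment check is a second, independent layer: even if the name
    check were loosened later, a path escaping the upload directory is refused.
    """
    safe_name = validate_upload_filename(name)
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, safe_name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes upload directory")
    return target


if __name__ == "__main__":
    # Constructed sample names, not taken from the advisory.
    samples = ["report.csv", "../../etc/passwd", "data.csv\x00.exe", "script.py", "a/b.json"]
    for s in samples:
        print(f"{s!r:28} -> {'accepted' if is_safe_filename(s) else 'rejected'}")
```

Rejecting rather than sanitising is deliberate: a name that fails the check is logged and refused, which is also the signal a detection team would want to alert on, since repeated rejections from one client indicate probing of the upload path.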
Mitigation Steps
Cloud Software Group has released updated versions of the affected systems to address these vulnerabilities. It is highly recommended that users upgrade to the patched versions as soon as possible.