CVE-2022-43939
Published 2023-04-03
CVE-2022-43939: Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x contain security restrictions using non-canonical URLs…
Priority: P1 · 93 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability, due 2025-03-24
Exploited in the wild
EPSS: 92.27% (99.8th percentile)
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x contain security restrictions using non-canonical URLs which can be circumvented.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hitachi | vantara_pentaho_business_analytics_server | < 9.3.0.2 | 9.3.0.2 |
| hitachi | vantara_pentaho_business_analytics_server | — | — |
| hitachi_vantara | pentaho_business_analytics_server | >= 1.0 < 9.3.0.2 | 9.3.0.2 |
| hitachi_vantara | pentaho_business_analytics_server | >= 9.4.0.0 < 9.4.0.1 | 9.4.0.1 |
Detection & IOCs (extracted from sources)
path: /pentaho/api/ldap/config/ldapTreeNodeChildren/
command: T(java.lang.Runtime).getRuntime().exec()
other: shodan: http.favicon.hash:1749354953
other: fofa: icon_hash=1749354953
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Hitachi Vantara Pentaho Business Analytics Server Authorization Bypass and Remote Code Execution Attempt (CVE-2022-43769, 2022-43939)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pentaho/api/ldap/config/ldapTreeNodeChildren/"; fast_pattern; startswith; content:"require"; within:50; content:"js|3f|url|3d|"; within:50; content:"|28|java.lang.Runtime|29 2e|getRuntime|28 29 2e|exec|28|"; within:200; reference:cve,2022-43939; reference:cve,2022-437969; reference:url,attackerkb.com/topics/JGGe0nRNNv/cve-2022-43939; reference:url,attackerkb.com/topics/hy6nWcCo30/cve-2022-43769; reference:cve,2022-43769; classtype:attempted-admin; sid:2060594; rev:1; metadata:affected_product Hitachi_Vantara_Pentaho_Business_Analytics_Server, attack_target Server, tls_state plaintext, created_at 2025_03_05, cve CVE_2022_43769, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_03_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- The auth bypass regex allows any URL ending in '/' followed by 'require', optionally '-js' or '-cfg', any character, then 'js', optionally '?' and attacker-controlled parameters — monitor for non-canonical URL paths matching this pattern targeting the Pentaho API.
- RCE is achieved via a GET request to /api/ldap/config/ldapTreeNodeChildren with the 'url' parameter set to Thymeleaf SSTI template code invoking java.lang.Runtime.getRuntime().exec() — inspect query parameters on this endpoint for template injection payloads.
- Exploitation activity was first observed December 6, 2024, with 15 IPs classified 100% malicious; top source countries are Singapore, Hong Kong, and United States — use these signals for threat hunting and IP blocklist enrichment.
- Nuclei detection: confirm the Pentaho login page is present (HTTP 200 with body containing 'Pentaho User Console - Login'), then probe /pentaho/api/ldap/config/ldapTreeNodeChildren/require.js and check for an HTTP 200 response with body '{}' and headers containing 'Path=/pentaho' and 'application/json'.
- The exploit only works on the Enterprise Edition of Pentaho BA Server; Community Edition is not confirmed vulnerable.
- Observed exploitation activity for CVE-2022-43939 and CVE-2022-43769 is identical — both CVEs are chained in a single exploit chain and cannot be easily separated in detection.
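The first two detection bullets (the non-canonical `require…js` suffix on an API path, and a `url=` parameter carrying the Runtime marker that the Snort rule matches in hex) can be turned into a log-side check that a SOC can run over web-server access logs. The following is an added example, not code from the page's sources or from Hitachi Vantara: the regex is a reconstruction of the pattern as the bullets and the Metasploit description state it, not the server's own expression; the `/pentaho` context path is assumed; and the access-log lines are constructed in Common Log Format.

```python
import re
from urllib.parse import parse_qs

# Reconstruction of the bypass pattern as the advisory describes it: a path
# ending in "/", then "require", optionally "-js" or "-cfg", any one character,
# then "js". The unescaped "." is deliberate ("any character"). This is an
# assumption drawn from the description, not the product's own regex.
BYPASS_SUFFIX = re.compile(r"/require(?:-js|-cfg)?.js$")

# Endpoint named in the detection bullets and the Snort rule.
LDAP_CONFIG_ENDPOINT = "/pentaho/api/ldap/config/ldapTreeNodeChildren/"

# Decoded form of the Snort rule's hex content match.
SSTI_MARKER = "(java.lang.Runtime).getRuntime().exec("

# Common Log Format request line (the sample log below is constructed).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def classify_request(target: str) -> list[str]:
    """Return the detection signals raised by one request target (path?query)."""
    signals: list[str] = []
    path, _, query = target.partition("?")
    # The suffix alone is not suspicious: the real require.js is served as a
    # static asset. It only matters when appended to an API path, which no
    # canonical Pentaho API URL does. The "/pentaho" context path is assumed.
    if "/api/" in path and BYPASS_SUFFIX.search(path):
        signals.append("noncanonical-require-suffix")
        if path.startswith(LDAP_CONFIG_ENDPOINT):
            signals.append("ldap-config-endpoint")
    # parse_qs percent-decodes values, so the marker is compared in clear text.
    for value in parse_qs(query, keep_blank_values=True).get("url", []):
        if SSTI_MARKER in value:
            signals.append("ssti-runtime-exec")
    return signals


def scan_access_log(text: str) -> list[dict]:
    """Run classify_request over every parsable line and keep the ones that fire."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        signals = classify_request(m["target"])
        if signals:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                         "target": m["target"], "signals": signals})
    return hits


# Constructed sample: a benign login, a benign static require.js, then the
# two-step pattern the bullets describe (bypass probe, then a url= parameter).
# The probe line's 2-byte 200 response mirrors the '{}' body the Nuclei check expects.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Dec/2024:10:15:01 +0000] "GET /pentaho/Login HTTP/1.1" 200 5123
198.51.100.7 - - [06/Dec/2024:10:15:30 +0000] "GET /pentaho/content/common-ui/resources/web/require.js HTTP/1.1" 200 80012
203.0.113.5 - - [06/Dec/2024:10:16:02 +0000] "GET /pentaho/api/ldap/config/ldapTreeNodeChildren/require.js HTTP/1.1" 200 2
203.0.113.5 - - [06/Dec/2024:10:16:03 +0000] "GET /pentaho/api/ldap/config/ldapTreeNodeChildren/require.js?url=%28java.lang.Runtime%29.getRuntime%28%29.exec%28 HTTP/1.1" 200 0
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["ip"], hit["ts"], hit["status"], ",".join(hit["signals"]), hit["target"])
```

The check deliberately ignores the legitimate static `require.js` asset and only fires when the suffix is glued onto an API path, which is what makes the URL non-canonical; the `ssti-runtime-exec` signal is independent of the path, so a payload sent to a differently named endpoint is still caught. Because both CVEs travel together in observed traffic, a single `ldap-config-endpoint` plus `ssti-runtime-exec` hit should be treated as the full chain.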
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 8.6 HIGH
cisa · 9.8 CRITICAL
GHSA
GHSA-r7cq-76xj-2g24: Hitachi Vantara Pentaho Business Analytics Server versions before 9
ghsa_unreviewed · 2023-04-03 · CVE-2022-43939 [CRITICAL] CWE-647
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x contain security restrictions using non-canonical URLs which can be circumvented.
VulnCheck
Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
vulncheck · 2022 · CVSS 8.6 · CVE-2022-43939 [HIGH] CWE-647
Hitachi Vantara Pentaho BA Server contains a use of non-canonical URL paths for authorization decisions vulnerability that enables an attacker to bypass authorization.
Affected: Hitachi Vantara Pentaho Business Analytics (BA) Server
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-17&host_type=src&vulnerability=cve-2022-43939; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-23&host_type=src&vulnerability=cve-2022-43939; https://dashboard.sh
CISA
Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
cisa · 2025-03-03 · CVSS 9.8 · CVE-2022-43939 [CRITICAL] CWE-647
Affected: Hitachi Vantara Pentaho Business Analytics (BA) Server
Hitachi Vantara Pentaho BA Server contains a use of non-canonical URL paths for authorization decisions vulnerability that enables an attacker to bypass authorization.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://support.pentaho.com/hc/en-us/articles/14455394120333--Resolved-Pentaho-BA-Server-Use-of-Non-Canonical-URL-Paths-for-Authorization-Decisions-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43939- ; https://nvd.nist.gov/vuln/detail/CVE-2022-43939
Remediation Du
Suricata
ET WEB_SPECIFIC_APPS Hitachi Vantara Pentaho Business Analytics Server Authorization Bypass and Remote Code Execution Attempt (CVE-2022-43769, 2022-43939)
suricata · 2025-03-05 · CVSS 8.8 · CVE-2022-43939 [HIGH]
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Hitachi Vantara Pentaho Business Analytics Server Authorization Bypass and Remote Code Execution Attempt (CVE-2022-43769, 2022-43939)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pentaho/api/ldap/config/ldapTreeNodeChildren/"; fast_pattern; startswith; content:"require"; within:50; content:"js|3f|url|3d|"; within:50; content:"|28|java.lang.Runtime|29 2e|getRuntime|28 29 2e|exec|28|"; within:200; reference:cve,2022-43939; reference:cve,2022-437969; reference:url,attackerkb.com/topics/JGGe0nRNNv/cve-2022-43939; reference:url,attackerkb.co
Exploit-DB
Pentaho BA Server EE 9.3.0.0-428 - Remote Code Execution (RCE) (Unauthenticated)
exploitdb · 2023-04-08 · CVSS 8.8 · CVE-2022-43939 [HIGH]
---
# Exploit Title: Pentaho BA Server EE 9.3.0.0-428 - Remote Code Execution (RCE) (Unauthenticated)
# Author: dwbzn
# Date: 2022-04-04
# Vendor: https://www.hitachivantara.com/
# Software Link: https://www.hitachivantara.com/en-us/products/lumada-dataops/data-integration-analytics/download-pentaho.html
# Version: Pentaho BA Server 9.3.0.0-428
# CVE: CVE-2022-43769, CVE-2022-43939
# Tested on: Windows 11
# Credits: https://research.aurainfosec.io/pentest/pentah0wnage
# NOTE: This only works on the enterprise edition. Haven't tested it on Linux, but it should work (don't use notepad.exe).
# Unauthenticated RCE via SSTI using CVE-2022-43769 and CVE-2022-43939 (https://research.aurainfosec.io/pentest/pentah0w
Nuclei
Hitachi Pentaho Business Analytics Server - Bypass Authorization
nuclei · CVSS 7.2 · CVE-2022-43939 [HIGH]
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x contain security restrictions using non-canonical URLs which can be circumvented.
Template:
id: CVE-2022-43939
info:
  name: Hitachi Pentaho Business Analytics Server - Bypass Authorization
  author: daffainfo
  severity: high
  description: |
    Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x contain security restrictions using non-canonical URLs which can be circumvented.
  impact: |
    Unauthenticated attackers can bypass authorization restrictions using non-canonical URL paths to access protected administrative endpoints in Hitachi Pentaho Business Analytics Server, potentially
Metasploit
Pentaho Business Server Auth Bypass and Server Side Template Injection RCE
metasploit · CVSS 7.2 · CVE-2022-43939 [HIGH]
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x is vulnerable to an authentication bypass (CVE-2022-43939) and a Server Side Template Injection (SSTI) vulnerability (CVE-2022-43769) that can be chained together to achieve unauthenticated code execution as the user running the Pentaho Business Analytics Server. The first vulnerability (CVE-2022-43939) is an authentication bypass which stems from a regex that allows any URL that ends in "/", followed by "require", optionally "-js" or "-cfg", any character, and then the string "js" followed optionally by "?" and then any characters of the attacker's choice. The second (CVE-2022-43769) is a server side template i
Checkpoint
10th March – Threat Intelligence Report
blogs_checkpoint · 2025-03-10 · CVE-2025-22224
For the latest discoveries in cyber research for the week of 10th March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The City of Mission, Texas, has declared a local state of emergency following a severe cybersecurity incident that threatens to expose protected personal information, health records, and other critical data managed by city departments. The emergency declaration was issued by Mayor Norie Gonzalez Garza on March 4, 2025, after
Greynoiseio
GreyNoise Observes Exploitation of Three Newly Added KEV Vulnerabilities
blogs_greynoiseio · 2025-03-04 · CVSS 8.8 [HIGH]
References:
http://packetstormsecurity.com/files/172296/Pentaho-Business-Server-Authentication-Bypass-SSTI-Code-Execution.html
https://support.pentaho.com/hc/en-us/articles/14455394120333--Resolved-Pentaho-BA-Server-Use-of-Non-Canonical-URL-Paths-for-Authorization-Decisions-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43939-
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-43939
2023-04-03 · Published
2025-03-03 · Added to CISA KEV
Exploited in the wild