cbcvebase.
CVE-2022-43939
published 2023-04-03

CVE-2022-43939: Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x contain security restrictions using non-canonical URLs…

Priority: P193 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability (due 2025-03-24)
Exploited in the wild
EPSS: 92.27% (99.8th percentile)
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x contain security restrictions using non-canonical URLs which can be circumvented.

Affected (4 ranges)

Vendor | Product | Version range | Fixed in
hitachivantara | pentaho_business_analytics_server | < 9.3.0.2 | 9.3.0.2
hitachivantara | pentaho_business_analytics_server | | 
hitachi_vantara | pentaho_business_analytics_server | >= 1.0, < 9.3.0.2 | 9.3.0.2
hitachi_vantara | pentaho_business_analytics_server | >= 9.4.0.0, < 9.4.0.1 | 9.4.0.1

Detection & IOCs (extracted from sources)

url: /pentaho/api/ldap/config/ldapTreeNodeChildren/require.js
path: /pentaho/api/ldap/config/ldapTreeNodeChildren/
command: T(java.lang.Runtime).getRuntime().exec()
other: shodan: http.favicon.hash:1749354953
other: fofa: icon_hash=1749354953
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Hitachi Vantara Pentaho Business Analytics Server Authorization Bypass and Remote Code Execution Attempt (CVE-2022-43769, 2022-43939)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pentaho/api/ldap/config/ldapTreeNodeChildren/"; fast_pattern; startswith; content:"require"; within:50; content:"js|3f|url|3d|"; within:50; content:"|28|java.lang.Runtime|29 2e|getRuntime|28 29 2e|exec|28|"; within:200; reference:cve,2022-43939; reference:cve,2022-437969; reference:url,attackerkb.com/topics/JGGe0nRNNv/cve-2022-43939; reference:url,attackerkb.com/topics/hy6nWcCo30/cve-2022-43769; reference:cve,2022-43769; classtype:attempted-admin; sid:2060594; rev:1; metadata:affected_product Hitachi_Vantara_Pentaho_Business_Analytics_Server, attack_target Server, tls_state plaintext, created_at 2025_03_05, cve CVE_2022_43769, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_03_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • The auth bypass regex allows any URL ending in '/' followed by 'require', optionally '-js' or '-cfg', any character, then 'js', optionally '?' and attacker-controlled parameters — monitor for non-canonical URL paths matching this pattern targeting the Pentaho API.
  • RCE is achieved via a GET request to /api/ldap/config/ldapTreeNodeChildren with the 'url' parameter set to Thymeleaf SSTI template code invoking java.lang.Runtime.getRuntime().exec() — inspect query parameters on this endpoint for template injection payloads.
  • Exploitation activity was first observed December 6, 2024, with 15 IPs classified 100% malicious; top source countries are Singapore, Hong Kong, and United States — use these signals for threat hunting and IP blocklist enrichment.
  • Nuclei detection: confirm Pentaho login page is present (HTTP 200 with body containing 'Pentaho User Console - Login'), then probe /pentaho/api/ldap/config/ldapTreeNodeChildren/require.js and check for HTTP 200 response with body '{}' and headers containing 'Path=/pentaho' and 'application/json'.
  • The exploit only works on the Enterprise Edition of Pentaho BA Server; Community Edition is not confirmed vulnerable.
  • Observed exploitation activity for CVE-2022-43939 and CVE-2022-43769 is identical — both CVEs are chained in a single exploit chain and cannot be easily separated in detection.

CVSS provenance

nvd: v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
vulncheck: 8.6 HIGH
cisa: 9.8 CRITICAL