How to fix CVE-2025-11158?

Within 24 hours: Identify all Pentaho deployments and their versions; restrict PRPT report publishing to trusted administrators only. Within 7 days: Implement network segmentation to limit Pentaho server lateral movement; enable enhanced logging and monitoring for report creation/publication activities; assess upload of any suspicious PRPT files. Within 30 days: Upgrade to version 10.2.0.6 or later once thoroughly tested; conduct forensic review for unauthorized report modifications or execution artifacts.

Is Industrial affected by CVE-2025-11158?

Hitachi Vantara Pentaho users face critical remote code execution risk through malicious PRPT reports that bypass script validation.

CVE-2025-11158

CRITICAL

2026-03-10 [email protected]

9.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Mar 10, 2026 - 16:23 nvd

CRITICAL 9.1

Description

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of arbitrary scripts and leading to a RCE.

Analysis

Hitachi Vantara Pentaho has a missing authorization vulnerability enabling unauthorized access to data integration and analytics functions.

Technical Context

Hitachi Vantara Pentaho versions before 10.2.0.6 has a CWE-862 missing authorization vulnerability.

Affected Products

['Hitachi Vantara Pentaho < 10.2.0.6']

Remediation

Update Pentaho.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +46

POC: 0

CVE-2025-11158 vulnerability details – vuln.today

Back

CVE-2025-11158

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-11158

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code