CVE-2025-24910

4.9 MEDIUM
XXE

📋 TL;DR

This vulnerability allows attackers to perform XML External Entity (XXE) attacks against Hitachi Vantara Pentaho Business Analytics Server. By submitting specially crafted XML files, attackers can read local files or trigger outbound network requests. Affected systems include Pentaho Business Analytics Server versions before 10.2.0.2, including 9.3.x and 8.3.x.

💻 Affected Systems

Products:
  • Hitachi Vantara Pentaho Business Analytics Server
Versions: Versions before 10.2.0.2, including 9.3.x and 8.3.x
Operating Systems: All operating systems running Pentaho
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability affects the Pentaho Data Integration MessageSourceCrawler component specifically.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could read sensitive local files (configuration files, credentials, database files) and potentially use the server as a proxy for network attacks or port scanning.

🟠 Likely Case

Information disclosure of local files accessible to the Pentaho server process, potentially including configuration files with credentials.

🟢 If Mitigated

Limited impact if proper network segmentation and file permissions restrict what the Pentaho process can access.

🌐 Internet-Facing: MEDIUM - While the vulnerability exists, exploitation requires submitting XML to the vulnerable endpoint, which may have authentication requirements.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this to read sensitive files on the Pentaho server or use it for internal network reconnaissance.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

XXE exploitation is well-understood with standard payloads, but specific endpoint access requirements may vary.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.2.0.2

Vendor Advisory: https://support.pentaho.com/hc/en-us/articles/35782683750541--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Restriction-of-XML-External-Entity-Reference-Versions-before-10-2-0-2-including-9-3-x-Impacted-CVE-2025-24910

Restart Required: Yes

Instructions:

  1. Download Pentaho Business Analytics Server version 10.2.0.2 or later from official sources.
  2. Back up the current installation and data.
  3. Install the updated version following vendor documentation.
  4. Restart the Pentaho service.

🔧 Temporary Workarounds

Disable DTD Processing

Applies to: all

Configure XML parsers to disable DTD and external entity processing.

Set XML parser properties:
  • FEATURE_SECURE_PROCESSING = true
  • disallow-doctype-decl = true
  • external-general-entities = false
  • external-parameter-entities = false

Input Validation

Applies to: all

Implement strict input validation to reject XML containing DOCTYPE declarations or external entity references.
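
The two workarounds above, combined in one added Java example (this is illustrative code written for this page, not Pentaho's own code or the vendor's fix). It assumes the JDK's bundled JAXP/Xerces parser, and it maps the short property names listed above onto the feature URIs those parsers recognise; the class name, the sample documents and the placeholder file path are all constructed for the example.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Added example (hypothetical class, not part of Pentaho): hardened XML parsing
// that applies both workarounds from the advisory.
public class HardenedXmlParsing {

    // Input-validation workaround: reject documents that declare a DOCTYPE or an
    // ENTITY before they reach any parser. Cheap, and independent of which
    // parser the application ends up using.
    private static final Pattern DOCTYPE_OR_ENTITY =
            Pattern.compile("<!\\s*(DOCTYPE|ENTITY)\\b", Pattern.CASE_INSENSITIVE);

    public static boolean declaresDoctypeOrEntity(String xml) {
        return DOCTYPE_OR_ENTITY.matcher(xml).find();
    }

    // Disable-DTD-processing workaround: the advisory's short property names
    // mapped to their JAXP/Xerces feature URIs.
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // FEATURE_SECURE_PROCESSING = true
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // disallow-doctype-decl = true: any DOCTYPE makes parsing fail outright
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // external-general-entities = false, external-parameter-entities = false
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Also stop the parser fetching an external DTD referenced by a SYSTEM id
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parse untrusted XML: pre-screen first, then use the hardened parser.
    public static Document parseUntrusted(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        if (declaresDoctypeOrEntity(xml)) {
            throw new SAXException("rejected: DOCTYPE/ENTITY declarations are not accepted");
        }
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs for the demonstration, not captured traffic.
        String benign = "<message><subject>weekly report</subject></message>";
        String withDoctype =
                "<!DOCTYPE m [<!ENTITY x SYSTEM \"file:///placeholder/path\">]><m>&x;</m>";

        Document doc = parseUntrusted(benign);
        System.out.println("benign root element: " + doc.getDocumentElement().getTagName());

        try {
            parseUntrusted(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE document was accepted");
        } catch (SAXException e) {
            System.out.println("rejected by pre-screen: " + e.getMessage());
        }

        // Even without the pre-screen, disallow-doctype-decl makes the parser refuse it.
        try {
            hardenedFactory().newDocumentBuilder()
                    .parse(new InputSource(new StringReader(withDoctype)));
            System.out.println("UNEXPECTED: parser accepted a DOCTYPE");
        } catch (SAXException e) {
            System.out.println("rejected by parser: " + e.getMessage());
        }
    }
}
```

The pre-screen and the parser features are deliberately redundant: the regex catches declarations before any parser runs, and the feature flags protect every code path that builds a parser from this factory even when the pre-screen is bypassed. Note that `disallow-doctype-decl` also rejects legitimate documents that carry a DOCTYPE, so an application that must accept those keeps that feature off and relies on the three entity features plus `load-external-dtd = false`.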

🧯 If You Can't Patch

  • Implement network segmentation to restrict Pentaho server's access to sensitive internal resources
  • Apply strict file system permissions to limit what files the Pentaho process user can read

🔍 How to Verify

Check if Vulnerable:

Check Pentaho version via admin console or by examining installation files. Versions before 10.2.0.2 are vulnerable.

Check Version:

Check Pentaho console or examine pentaho-server/tomcat/webapps/pentaho/META-INF/maven/org.pentaho/pentaho-platform/pom.properties

Verify Fix Applied:

Confirm installation of version 10.2.0.2 or later and test XXE payloads against MessageSourceCrawler endpoints.

📡 Detection & Monitoring

Log Indicators:

  • XML parsing errors containing file:// or http:// references
  • Unusual file access patterns by Pentaho process
  • Outbound HTTP requests from Pentaho server to unusual destinations

Network Indicators:

  • XML payloads containing DOCTYPE or ENTITY declarations sent to Pentaho endpoints
  • Unexpected outbound connections from Pentaho server

SIEM Query:

source="pentaho" AND (message="*DOCTYPE*" OR message="*ENTITY*" OR message="file://*" OR message="http://*")
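
The SIEM query above, expressed as a small scanner over exported log lines so the indicators can be checked outside the SIEM. This is an added example written for this page, not a tool from the page's source or from Hitachi Vantara; the class name and the sample log lines are constructed, and the namespace-suppression rule is an assumption about where benign `http://` matches come from.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (hypothetical class): the advisory's four log indicators
// applied to exported log lines, with one noise-reduction rule.
public class XxeLogIndicators {

    // Same four terms as the SIEM query: DOCTYPE, ENTITY, file://, http://
    private static final Pattern INDICATOR =
            Pattern.compile("DOCTYPE|ENTITY|file://|http://", Pattern.CASE_INSENSITIVE);

    // Assumption: a namespace declaration such as xmlns="http://..." is the most
    // common benign reason a logged XML fragment contains "http://", so it is
    // blanked out before matching.
    private static final Pattern NAMESPACE_URL =
            Pattern.compile("xmlns(?::\\w+)?\\s*=\\s*\"http://[^\"]*\"", Pattern.CASE_INSENSITIVE);

    public static final class Hit {
        public final String line;
        public final String indicator;
        Hit(String line, String indicator) { this.line = line; this.indicator = indicator; }
        @Override public String toString() { return "[" + indicator + "] " + line; }
    }

    // Returns one Hit per line that matches an indicator, naming the first term matched.
    public static List<Hit> scan(List<String> lines) {
        List<Hit> hits = new ArrayList<>();
        for (String line : lines) {
            String screened = NAMESPACE_URL.matcher(line).replaceAll("xmlns=\"\"");
            Matcher m = INDICATOR.matcher(screened);
            if (m.find()) {
                hits.add(new Hit(line, m.group().toUpperCase()));
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample log lines, not real Pentaho output.
        List<String> sample = List.of(
            "2025-03-01 10:00:01 WARN  pentaho  SAXParseException: DOCTYPE is disallowed when the feature is set to true",
            "2025-03-01 10:00:02 INFO  pentaho  parsed <report xmlns=\"http://www.w3.org/1999/xhtml\"/> successfully",
            "2025-03-01 10:00:03 ERROR pentaho  entity resolution failed for file:///placeholder/path",
            "2025-03-01 10:00:04 INFO  pentaho  scheduler run complete"
        );
        for (Hit h : scan(sample)) {
            System.out.println(h);
        }
        // Expected: line 1 flagged on DOCTYPE, line 3 flagged on ENTITY (the word
        // "entity" in the message), lines 2 and 4 not flagged.
    }
}
```

Two caveats carry over from the query itself: `ENTITY` is case-insensitive here, as it is in most SIEMs, so ordinary parser messages about entity resolution will also match and should be reviewed rather than alerted on blindly; and the `http://` term is the noisiest of the four, so the namespace suppression shown here, or an allow-list of known-good hostnames, is usually needed before the query is used for alerting.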
