CVE-2022-43769 — Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability

CVE-2022-43769

Pentaho BA Server — Authenticated Spring Template Injection via Properties Files Enables Arbitrary Command Execution; Chained with CVE-2022-43939 for Unauthenticated RCE; Fixed 9.4.0.1/9.3.0.2

What is Hitachi Vantara Pentaho BA Server?

Hitachi Vantara Pentaho Business Analytics (BA) Server is an enterprise business intelligence and data integration platform used for reporting, dashboarding, ETL (extract, transform, load), and data analytics across large organizations. Pentaho BA Server is deployed in financial institutions, healthcare organizations, government agencies, and enterprises as the backend for centralized analytics and reporting workflows. It provides a web-based interface for accessing and managing analytics content, and it uses the Spring Framework as its Java application framework. When deployed with internet-facing access or accessible from internal networks without strict lateral movement controls, Pentaho BA Server is a high-value target: it typically has access to sensitive business data, data warehouse connections with stored credentials, and integrations with core enterprise systems.

Overview

CVE-2022-43769 is a special element injection vulnerability (CWE-74) in Hitachi Vantara Pentaho BA Server that allows an authenticated attacker with low privileges to inject Spring Framework Expression Language (SpEL) templates into Pentaho properties files, resulting in arbitrary OS command execution on the server. It is closely paired with CVE-2022-43939 (authorization bypass via non-canonical URLs), which lets an unauthenticated attacker reach the vulnerable injection endpoint, so the combined chain is a fully unauthenticated RCE. CISA added both CVEs to its Known Exploited Vulnerabilities (KEV) catalog together in March 2025, nearly two years after their April 2023 publication.

Affected Versions

Product                 | Affected         | Fixed
Pentaho BA Server 9.4.x | Prior to 9.4.0.1 | 9.4.0.1
Pentaho BA Server 9.3.x | Prior to 9.3.0.2 | 9.3.0.2
Pentaho BA Server 8.3.x | All versions     | No patch; upgrade required

Technical Details

The injection vulnerability (CWE-74) occurs in Pentaho BA Server's handling of properties files. The server allows authenticated users to modify Pentaho system properties — configuration files that control server behavior. When a Spring template expression (e.g., ${T(java.lang.Runtime).getRuntime().exec('cmd')}) is written into certain properties fields, the Spring Framework's PropertyPlaceholderConfigurer evaluates it as a Spring Expression Language (SpEL) expression rather than treating it as a literal string. This evaluation executes arbitrary Java and OS commands in the security context of the Pentaho server process.

The exploitation chain with CVE-2022-43939:

  1. Bypass authentication (CVE-2022-43939) — submit a request using a non-canonical URL path (e.g., path traversal characters, URL encoding) that satisfies an authorization rule for a public path while actually reaching an administrative endpoint
  2. Reach the properties injection endpoint — the authorization bypass enables access without valid credentials
  3. Inject a Spring template (CVE-2022-43769) — write a Spring SpEL expression into a properties field that gets evaluated by the server
  4. Achieve OS command execution — the SpEL expression is evaluated, executing an OS command (e.g., reverse shell, file write) as the Pentaho server process user

Combined, CVE-2022-43939 and CVE-2022-43769 form a pre-authentication remote code execution chain against all unpatched Pentaho BA Server installations.

Discovery

CVE-2022-43769 and CVE-2022-43939 were published together in April 2023, cover the same affected version range (before 9.4.0.1 and 9.3.0.2), and were added to the CISA KEV catalog at the same time in March 2025, which suggests they were discovered and reported together as a paired exploit chain. The nearly 2-year gap between NVD publication and KEV addition reflects confirmed exploitation in the wild well after the patch was available.

Exploitation Context

Pentaho BA Server is a target of interest for several reasons:

  • Enterprise deployments hold database credentials, data warehouse connections, and sensitive analytics data
  • The server process typically runs with elevated permissions to access the data sources it reports on
  • Government agency and financial sector deployments process particularly sensitive data
  • Spring template injection provides immediate OS command execution without additional exploitation stages

The combination of CVE-2022-43939 (no authentication required) and CVE-2022-43769 (OS command execution via SpEL) creates a single-step unauthenticated RCE that is straightforward to automate and scan for at scale.

Remediation

  1. Upgrade to Pentaho BA Server 9.4.0.1 or 9.3.0.2 — patches both CVE-2022-43769 and CVE-2022-43939; 8.3.x users must upgrade to a patched 9.x branch.
  2. Restrict network access to the Pentaho web interface — the Pentaho admin interface should not be accessible from the internet; place it behind a VPN or restrict to management network IP ranges.
  3. Apply authentication and authorization controls — enforce strong passwords and multi-factor authentication for all Pentaho administrative accounts.
  4. Review server-side logs for exploitation indicators — look for anomalous properties file modifications, unexpected outbound network connections from the Pentaho server process, or new processes spawned by the Pentaho JVM.
  5. Rotate credentials stored in Pentaho — if exploitation is suspected, rotate all database connection credentials, data source passwords, and API keys stored in the Pentaho configuration.
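As an added example (not code from the original page or from Hitachi Vantara), a small Python checker for remediation step 4 and the injection mechanism described under Technical Details: it parses Java-style .properties files and flags values that carry Spring template or SpEL markers instead of plain literals. The sample file content is constructed, and the marker patterns are assumptions about what an injected value looks like.

```python
import re
from pathlib import Path

# Markers of a Spring template / SpEL expression inside a properties value:
# ${...T(...)} (the placeholder form the advisory shows), #{...} inline SpEL,
# the T(java...) type operator, and direct Runtime/ProcessBuilder references.
SUSPICIOUS = re.compile(r"\$\{[^}]*T\(|#\{|T\(\s*java\.|getRuntime\(\)|ProcessBuilder")

def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, '=' or ':' separators,
    backslash line continuations. Returns a list of (key, value) pairs."""
    pairs, logical = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue
        logical += line
        if logical.endswith("\\"):       # value continues on the next line
            logical = logical[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", logical)
        if m:
            pairs.append((m.group(1), m.group(2)))
        logical = ""
    return pairs

def find_template_injection(text):
    """Return the (key, value) pairs whose value looks like a Spring template."""
    return [(k, v) for k, v in parse_properties(text) if SUSPICIOUS.search(v)]

def scan_directory(root):
    """Walk a configuration tree and map each *.properties path to its hits."""
    hits = {}
    for path in Path(root).rglob("*.properties"):
        found = find_template_injection(path.read_text(errors="replace"))
        if found:
            hits[str(path)] = found
    return hits

# Constructed sample (not a real Pentaho file): a benign ${...} placeholder, a
# continued value, and one value carrying the SpEL expression from the advisory.
SAMPLE = """\
# constructed sample
server.port=8080
log.dir=${catalina.base}/logs
report.title=Quarterly \\
    Summary
evil.key=${T(java.lang.Runtime).getRuntime().exec('cmd')}
"""
```

Run `find_template_injection(SAMPLE)` to see the flagged pair, or point `scan_directory` at the Pentaho configuration directory to check real files; review any hit together with file modification times and the web access logs from the same window.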

Key Details

CVE ID: CVE-2022-43769
Vendor / Product: Hitachi Vantara Pentaho Business Analytics (BA) Server
NVD Published: 2023-04-03
NVD Last Modified: 2025-10-24
CVSS 3.1 Score: 8.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH
CWE: CWE-74
CISA KEV Added: 2025-03-03
CISA KEV Deadline: 2025-03-24
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-03-24. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date       | Event
2023-04-03 | CVE-2022-43769 published to NVD alongside companion CVE-2022-43939 (authorization bypass)
2025-03-03 | CISA adds CVE-2022-43769 and CVE-2022-43939 together to the Known Exploited Vulnerabilities catalog, nearly 2 years after publication
2025-03-24 | CISA BOD 22-01 remediation deadline

References

Resource               | Type
NVD: CVE-2022-43769    | Vulnerability Database
CISA KEV Catalog Entry | US Government