CVE-2022-43769

HIGH KEV NUCLEI

Pentaho Business Server Auth Bypass and Server Side Template Injection RCE

Title source: metasploit
STIX 2.1

Exploitation Summary

CVE-2022-43769 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 3, 2025. EIP tracks 3 public exploits from researchers including Harry Withington, dwbzn, jheysel-r7, including a Metasploit module exploits/multi/http/pentaho_business_server_authbypass_and_ssti. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits an authentication bypass (CVE-2022-43939) and Server Side Template Injection (SSTI) (CVE-2022-43769) in Pentaho Business Server to achieve unauthenticated remote code execution. It leverages a flawed regex in the authentication mechanism and ThymeLeaf template injection to execute arbitrary commands.

Description

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x allow certain web services to set property values which contain Spring templates that are interpreted downstream.

Exploits (3)

metasploit WORKING POC EXCELLENT
by Harry Withington, dwbzn, jheysel-r7 · rubypocunix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/pentaho_business_server_authbypass_and_ssti.rb

This Metasploit module exploits an authentication bypass (CVE-2022-43939) and Server Side Template Injection (SSTI) (CVE-2022-43769) in Pentaho Business Server to achieve unauthenticated remote code execution. It leverages a flawed regex in the authentication mechanism and ThymeLeaf template injection to execute arbitrary commands.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Hitachi Vantara Pentaho Business Analytics Server prior to 9.4.0.1 and 9.3.0.2, including 8.3.x
No auth needed
Prerequisites: Network access to the target server · Pentaho Business Server with vulnerable versions
devstral-2 · analyzed Apr 24, 2026 Full analysis →
vulncheck_xdb WORKING POC
remote
https://github.com/dwbzn/pentaho-exploits

This repository contains functional exploit code for CVE-2022-43769, an unauthenticated SSTI vulnerability in Pentaho Server 9.3.0.0-324, leading to RCE. The PoC demonstrates template injection via a crafted URL, executing arbitrary commands.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Pentaho Server 9.3.0.0-324
No auth needed
Prerequisites: Network access to the target Pentaho Server
devstral-2 · analyzed Feb 25, 2026 Full analysis →
exploitdb WORKING POC
webappsjsp
https://www.exploit-db.com/exploits/51350

This exploit leverages unauthenticated Server-Side Template Injection (SSTI) in Pentaho BA Server EE 9.3.0.0-428 to achieve Remote Code Execution (RCE) by injecting a malicious payload into the `url` parameter of the `/api/ldap/config/ldapTreeNodeChildren/require.js` endpoint.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Pentaho BA Server EE 9.3.0.0-428
No auth needed
Prerequisites: Network access to the target server · Target running Pentaho BA Server EE 9.3.0.0-428
devstral-2 · analyzed Feb 19, 2026 Full analysis →

Nuclei Templates (1)

Hitachi Pentaho Business Analytics Server - Remote Code Execution
HIGHVERIFIEDby dwbzn
Shodan: http.favicon.hash:1749354953
FOFA: icon_hash=1749354953

References (3)

Core 3

Scores

CVSS v3 8.8
EPSS 0.9398
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2025-03-03
VulnCheck KEV 2025-03-03
ENISA EUVD EUVD-2022-46739
CWE
CWE-74 CWE-94
Status published
Products (2)
hitachi/vantara_pentaho_business_analytics_server 9.4.0.0
hitachi/vantara_pentaho_business_analytics_server 8.3.0.0 - 9.3.0.2
Published Apr 03, 2023
KEV Added Mar 03, 2025
Tracked Since Feb 18, 2026