CVE-2022-43939

HIGH KEV NUCLEI

Hitachi Vantara Pentaho <9.4.0.1-9.3.0.2 - SSRF

Exploitation Summary

CVE-2022-43939 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 3, 2025. EIP tracks 3 public exploits from researchers including dwbzn, Harry Withington and jheysel-r7, among them the Metasploit module exploits/multi/http/pentaho_business_server_authbypass_and_ssti. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit leverages CVE-2022-43769 and CVE-2022-43939 to achieve unauthenticated remote code execution (RCE) via Server-Side Template Injection (SSTI) in Pentaho BA Server EE 9.3.0.0-428. The exploit sends a crafted HTTP request to execute arbitrary commands on the target system.

Description

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x, contain security restrictions using non-canonical URLs which can be circumvented.

Exploits (3)

exploitdb WORKING POC
by dwbzn · text · webapps · jsp
https://www.exploit-db.com/exploits/51350

This exploit leverages CVE-2022-43769 and CVE-2022-43939 to achieve unauthenticated remote code execution (RCE) via Server-Side Template Injection (SSTI) in Pentaho BA Server EE 9.3.0.0-428. The exploit sends a crafted HTTP request to execute arbitrary commands on the target system.

Classification
Working PoC: 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Pentaho BA Server EE 9.3.0.0-428
No auth needed
Prerequisites: Network access to the target Pentaho BA Server · Target must be running Pentaho BA Server EE 9.3.0.0-428
devstral-2 · analyzed Feb 16, 2026

vulncheck_xdb WORKING POC
remote
https://github.com/dwbzn/pentaho-exploits

This repository contains functional exploit code for multiple CVEs in Pentaho BA Server, including unauthenticated RCE via SSTI (CVE-2022-43769) and authenticated RCE via Groovy scripting (CVE-2022-43938). The exploits are well-documented and reference technical research from Aura Information Security.

Classification
Working PoC: 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Pentaho BA Server EE 9.3.0.0-428
No auth needed
Prerequisites: Network access to Pentaho server · For authenticated exploits: valid JSESSIONID with appropriate privileges
devstral-2 · analyzed Feb 25, 2026

metasploit WORKING POC EXCELLENT
by Harry Withington, dwbzn, jheysel-r7 · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/pentaho_business_server_authbypass_and_ssti.rb

This Metasploit module exploits an authentication bypass (CVE-2022-43939) and Server Side Template Injection (SSTI) (CVE-2022-43769) in Pentaho Business Server to achieve unauthenticated remote code execution. It leverages a flawed regex in the authentication mechanism and ThymeLeaf template injection to execute arbitrary commands.

Classification
Working PoC: 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Hitachi Vantara Pentaho Business Analytics Server prior to 9.4.0.1 and 9.3.0.2, including 8.3.x
No auth needed
Prerequisites: Network access to the target server · Pentaho Business Server with vulnerable versions
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Hitachi Pentaho Business Analytics Server - Bypass Authorization
HIGH · VERIFIED · by daffainfo
Shodan: http.favicon.hash:1749354953
FOFA: icon_hash=1749354953

Scores

CVSS v3 8.6
EPSS 0.9227
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact partial

Details

CISA KEV 2025-03-03
VulnCheck KEV 2023-11-17
ENISA EUVD EUVD-2022-46909
CWE CWE-647
Status published
Products (2)
hitachi/vantara_pentaho_business_analytics_server 9.4.0.0
hitachi/vantara_pentaho_business_analytics_server < 9.3.0.2
Published Apr 03, 2023
KEV Added Mar 03, 2025
Tracked Since Feb 18, 2026