Pentaho Business Analytics Server - Authorization Bypass (CVE-2022-43939)
48 exploiting IPs reported
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x, contain security restrictions using non-canonical URLs which can be circumvented.
CrowdSec analysis
CVE-2022-43939 is a vulnerability in Hitachi Vantara Pentaho Business Analytics Server which allows attackers to bypass security restrictions through specially crafted URLs using non-canonical forms.
CrowdSec has been tracking this vulnerability and its exploits since the 17th of March 2025.
Data from the CrowdSec community indicates that exploitation of CVE-2022-43939 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2022-43939 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2022-43939 is currently experiencing high visibility and active exploitation across the internet.
Exploitation attempts generally focus on requests to URLs containing both /pentaho/api/ldap/config/ldaptreenodechildren and /require.
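The request pattern described above can be searched for in web server access logs. The following is an added example, not CrowdSec's detection rule or Pentaho code: it assumes combined-format access logs, and the sample log lines, IP addresses and the normalization choices (percent-decoding, lowercasing, slash collapsing) are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Both markers are taken from the CrowdSec description of the attempts.
MARKERS = ("/pentaho/api/ldap/config/ldaptreenodechildren", "/require")

# Common/combined log format: client IP first, request line in quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def normalize(target: str) -> str:
    """Percent-decode (at most 3 rounds), lowercase, collapse repeated slashes.

    Lowercasing deliberately over-matches: a detection should not miss a
    request just because it was written in a non-canonical form.
    """
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return re.sub(r"/{2,}", "/", target.lower())

def is_suspicious(target: str) -> bool:
    """True when the normalized request target contains both markers."""
    norm = normalize(target)
    return all(marker in norm for marker in MARKERS)

def scan(lines):
    """Return a Counter of matching requests per source IP."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspicious(m.group("target")):
            hits[m.group("ip")] += 1
    return hits

# Constructed sample lines (documentation IP ranges), not observed traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Mar/2025:10:00:00 +0000] "GET /pentaho/api/ldap/config/ldaptreenodechildren/require HTTP/1.1" 200 512',
    '192.0.2.10 - - [17/Mar/2025:10:00:01 +0000] "GET /pentaho/api/ldap/config/ldaptreenodechildren%2Frequire HTTP/1.1" 200 512',
    '198.51.100.7 - - [17/Mar/2025:10:00:02 +0000] "GET /pentaho/Home HTTP/1.1" 200 1024',
    '198.51.100.7 - - [17/Mar/2025:10:00:03 +0000] "GET /pentaho/api/ldap/config/ldaptreenodechildren HTTP/1.1" 401 0',
    '203.0.113.5 - - [17/Mar/2025:10:00:04 +0000] "GET /PENTAHO//api/ldap/config/ldaptreenodechildren/require HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, count in scan(SAMPLE_LOG).most_common():
        print(f"{ip}\t{count} matching request(s)")
```

A match on an unpatched server that returned a success status is worth following up; a request to the LDAP endpoint alone, without the second marker, is not flagged.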
Blocklist
With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.
To increase your protection against this CVE, block exploitation attempts with this list of identified actors.