By Lyrie Threat Intelligence · 3/3/2025

What happened

CISA added CVE-2022-43769 to the Known Exploited Vulnerabilities (KEV) catalog on 2025-03-03, signaling confirmed in-the-wild exploitation and mandating federal remediation by 2025-03-24 [CISA KEV]. The vulnerability affects Hitachi Vantara Pentaho Business Analytics (BA) Server and is described as a “special element injection” that enables injection of Spring templates into properties files, leading to arbitrary command execution [CISA KEV, NVD entry].

MITRE’s record confirms the CVE and coordinates the identifier for this issue in Pentaho BA Server [MITRE CVE]. NVD classifies the weakness under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), aligning with a template-injection class that can escalate to code execution when a templating engine evaluates attacker-controlled input [NVD CWE-74].

Why it matters

Anything that turns templating syntax into executable logic on the server is a fast path to RCE. Here, injection into Spring-templated properties means configuration data can become code if it is not correctly sanitized [NVD entry]. Because CISA’s KEV lists only issues with observed exploitation, defenders should treat this as an active-threat item with priority patching and threat hunting [CISA KEV].

BI/analytics servers often sit adjacent to data lakes and orchestration systems, so a compromise here can be leveraged for lateral movement and data staging. CWE-74 issues commonly evade naive input filters, especially when the downstream evaluator (the template engine) is decoupled from where validation occurs [NVD CWE-74]. Expect attackers to pivot rapidly from template evaluation to shell execution in environments where the BA Server runs with broad integration permissions [CISA KEV].

Technical detail

  • Vulnerability class: CWE-74 “Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)” [NVD CWE-74]. In practice, this maps to server-side template injection against Spring-templated properties processed by Pentaho BA Server [NVD entry].
  • Impact: Injection of Spring templates into properties files allows arbitrary command execution when those properties are evaluated by the server-side template engine [CISA KEV, NVD entry].
  • Exploitation posture: Inclusion in the KEV catalog denotes confirmed exploitation in the wild and elevates this CVE for immediate remediation in federal environments [CISA KEV].

Mechanism at a glance: user-controllable input is written into a properties context; when Pentaho’s Spring-backed templating evaluates that context, special elements (template directives) are executed, crossing the boundary from data to code [NVD CWE-74]. If an attacker can influence those properties, template evaluation can be coerced into running system commands under the BA Server process [NVD entry].

Defense

  • Patch/mitigate now: CISA directs organizations to apply vendor mitigations or discontinue use if none are available, and FCEB agencies must complete remediation by 2025-03-24 [CISA KEV].
  • Reduce exposure: Restrict access to Pentaho BA Server admin and configuration endpoints and limit untrusted inputs that feed server-side templating paths associated with properties evaluation [NVD CWE-74].
  • Harden pipeline boundaries: Treat any path where configuration is dynamically interpolated as code-adjacent; apply strict validation and avoid passing user-controlled data into templating contexts consumed by Spring [NVD entry].
  • Detection and hunting:
    - Look for unexpected modifications to Pentaho-related properties/config files followed closely by process execution or child processes spawned by the Java service hosting BA Server; KEV inclusion warrants a proactive compromise assessment [CISA KEV].
    - Hunt for template syntax artifacts in configuration (for example, templating tokens appearing where literals are expected) associated with server-side evaluation flows [NVD CWE-74].
    - Monitor for outbound connections or command invocations originating from the BA Server after config changes or job deployments that leverage properties interpolation [NVD entry].
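Detection logic for the hunts above, as an added example that is not Lyrie's code or tooling: it flags template tokens in a Pentaho-style .properties file and pairs writes to such files with Java child-process spawns inside a short window. The properties content, file path, event format and key allowlist are constructed for this example.

```python
import re
from datetime import datetime, timedelta
# Template tokens that should not appear where a literal is expected:
# Spring ${...} placeholders and SpEL #{...} expressions.
TEMPLATE_TOKEN = re.compile(r"\$\{[^}]*\}|#\{[^}]*\}")
PENTAHO_PROPS = re.compile(r"pentaho[^/]*\.properties$")

def find_template_tokens(properties_text, allow_placeholders_in=()):
    """(key, value) pairs whose value carries a template token. Keys in the
    (constructed) allowlist may hold ${...} placeholders; SpEL #{...} is always flagged."""
    hits = []
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue  # comment, blank or key-only line
        key, value = (p.strip() for p in line.split("=", 1))
        tokens = TEMPLATE_TOKEN.findall(value)
        if tokens and not (key in allow_placeholders_in
                           and all(t.startswith("${") for t in tokens)):
            hits.append((key, value))
    return hits

def correlate_config_to_exec(events, window_seconds=120):
    """Pair each write to a Pentaho .properties file with Java child processes
    spawned within window_seconds after it. Events: dicts with 'ts' (ISO 8601),
    'kind' ('file_write' | 'proc_spawn'), 'detail', and 'parent' for spawns."""
    timeline = sorted(((datetime.fromisoformat(e["ts"]), e) for e in events),
                      key=lambda pair: pair[0])
    alerts = []
    for ts, ev in timeline:
        if ev["kind"] != "file_write" or not PENTAHO_PROPS.search(ev["detail"]):
            continue
        deadline = ts + timedelta(seconds=window_seconds)
        alerts += [(ev["detail"], ev2["detail"]) for ts2, ev2 in timeline
                   if ev2["kind"] == "proc_spawn" and ev2.get("parent") == "java"
                   and ts < ts2 <= deadline]
    return alerts

# Constructed sample inputs (not real Pentaho files or telemetry).
SAMPLE_PROPS = "report.title=Quarterly Sales\ndb.url=${jdbc.url}\nexport.label=#{1+1}\n"
SAMPLE_EVENTS = [
    {"ts": "2025-03-03T09:00:00", "kind": "file_write", "detail": "/etc/hosts"},
    {"ts": "2025-03-03T10:00:00", "kind": "file_write",
     "detail": "/srv/pentaho/system/pentaho.properties"},
    {"ts": "2025-03-03T10:00:07", "kind": "proc_spawn", "detail": "/bin/sh", "parent": "java"},
    {"ts": "2025-03-03T10:30:00", "kind": "proc_spawn", "detail": "logrotate", "parent": "cron"},
]

if __name__ == "__main__":
    print(find_template_tokens(SAMPLE_PROPS, ("db.url",)), correlate_config_to_exec(SAMPLE_EVENTS))
```

In production the allowlist should name only keys that are documented to use placeholders, and the spawn window should be tuned to the host's job-scheduling cadence.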

For federal programs, align with CISA’s KEV remediation requirements and the applicable BOD guidance for cloud services referenced by KEV entries to ensure timely closure and reporting [CISA KEV].

Lyrie Verdict

Template injection turning properties into code is tailor-made for autonomous exploitation loops. Once a foothold writes a templated value, evaluation to execution is near-instant. Lyrie instruments for machine-speed signals that human triage will miss: high-entropy or templating tokens landing in Pentaho properties contexts; near-real-time diffs between config write and anomalous Java child process execution; and cross-signal correlation with network egress from the BA Server immediately post-evaluation [CISA KEV, NVD entry]. Our autonomous detectors flag and contain this class of CWE-74 pathway before an operator could pivot, which is the only viable counter to rogue-AI-speed exploitation against templating engines [NVD CWE-74].

Lyrie Verdict

CVE-2022-43769 is a template-injection-to-RCE chain that executes at machine speed once a crafted property is evaluated. Lyrie watches the config-to-exec window: templating tokens in Pentaho properties, immediate Java child process spawns, and post-eval egress. Autonomous correlation and containment beat rogue-AI automation loops targeting CWE-74 templating flows.