Security researchers have disclosed two critical vulnerabilities in DataEase, an open-source business intelligence (BI) tool designed for data visualization and analysis. The flaws—tracked as CVE-2025-57772 and CVE-2025-57773—could allow attackers to achieve remote code execution (RCE) or perform arbitrary file writes through crafted payloads.
The first flaw, CVE-2025-57772, arises from how DataEase handles JDBC connection setup in the CalciteProvider#getConnection method. Researchers discovered that by setting the type parameter so that the datasource appears to be Oracle, attackers can bypass DataEase’s filtering logic and still inject a malicious H2 JDBC URL.
The report explains that “this method does not use H2’s filtering logic, naturally bypassing the previous patch and returning our H2 JDBC URL.” This allows an attacker to directly embed keywords such as INIT and RUNSCRIPT—normally filtered by H2—into a crafted payload, enabling malicious SQL scripts to be executed remotely.
A working proof-of-concept shows how the vulnerability could be abused to launch RCE by passing a malicious JDBC connection string through the /de2api/datasource/validate API.
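As an added example (not DataEase's code or its patch), the Python check below shows the defensive counterpart of the bypass described above: the JDBC driver is derived from the URL itself rather than from the declared type, and H2 script keywords are flagged whatever the type claims. The type-to-driver table, the finding names and the sample requests are constructed assumptions.

```python
import re

# Assumed mapping from the declared datasource type to the JDBC sub-protocol
# it may use (illustrative only; not DataEase's own table).
ALLOWED_SUBPROTOCOLS = {
    "oracle": {"oracle"},
    "db2": {"db2"},
    "mysql": {"mysql"},
    "h2": {"h2"},
}

JDBC_RE = re.compile(r"^\s*jdbc:([a-z0-9]+):", re.IGNORECASE)
# Keywords the article names as the ones H2 filtering is meant to stop.
H2_SCRIPT_RE = re.compile(r"\b(INIT\s*=|RUNSCRIPT\b)", re.IGNORECASE)


def subprotocol(jdbc_url):
    """Return the lower-cased driver sub-protocol of a JDBC URL, or None."""
    m = JDBC_RE.match(jdbc_url or "")
    return m.group(1).lower() if m else None


def check_datasource(declared_type, jdbc_url):
    """Return a list of findings for one datasource validation request."""
    findings = []
    actual = subprotocol(jdbc_url)
    allowed = ALLOWED_SUBPROTOCOLS.get((declared_type or "").lower())
    if actual is None:
        findings.append("not-a-jdbc-url")
    elif allowed is None:
        findings.append("unknown-declared-type")
    elif actual not in allowed:
        findings.append(f"type-url-mismatch:{declared_type.lower()}!={actual}")
    # Keyed on the URL, never on the declared type: this is the check the
    # "type says Oracle, URL says H2" request would otherwise skip.
    if actual == "h2" and H2_SCRIPT_RE.search(jdbc_url):
        findings.append("h2-script-keyword")
    return findings


# Constructed sample requests (declared type, URL); hosts are placeholders.
SAMPLES = [
    ("oracle", "jdbc:oracle:thin:@db.example.internal:1521/ORCL"),
    ("oracle", "jdbc:h2:mem:probe;INIT=RUNSCRIPT FROM 'PLACEHOLDER'"),
    ("h2", "jdbc:h2:mem:reports"),
]

if __name__ == "__main__":
    for dtype, url in SAMPLES:
        print(dtype, url, check_datasource(dtype, url))
```

The mismatch finding is the primary control here; keyword matching is a secondary signal and should not be relied on alone.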
The second vulnerability, CVE-2025-57773, is even more dangerous, enabling arbitrary file writes via deserialization attacks. It occurs when DB2 database parameters are not filtered correctly, allowing JNDI injection that chains into an AspectJWeaver deserialization exploit.
As the report notes, “JNDI triggers an AspectJWeaver deserialization attack, writing to various files.” This vulnerability requires the presence of commons-collections 4.x and aspectjweaver-1.9.22.jar, with the issue reproducible in environments where AspectJWeaver versions are below 1.9.4.
Attackers could leverage this flaw to overwrite arbitrary files, opening the door to backdoors, persistent malware, or privilege escalation inside vulnerable DataEase deployments.
Both vulnerabilities impact DataEase ≤ 2.10.11. Users are strongly advised to upgrade to v2.10.12, where patches have been applied.