Security updates: malware attacks on Spotfire AI analysis platform possible
Various Spotfire software products are vulnerable. The developers have closed two critical vulnerabilities in current versions.
Companies that use the Spotfire AI analysis platform should update the software for security reasons. Attackers can use two vulnerabilities in different products to compromise systems with malicious code.
Serious security problems
According to two vulnerability alerts (CVE-2025-3114 "critical", CVE-2025-3115 "critical"), Spotfire Analyst, AWS Marketplace, Deployment Kit Spotfire Server, Desktop, Enterprise Runtime, Service for Python, Service for R and Statistics Services are specifically at risk.
In both cases, attackers can execute their own code. Given the critical classification, it can be assumed that this is possible remotely and without authentication. To initiate an attack, attackers must add malicious code to a file; because the file is not checked sufficiently, the code is then executed. Attackers can also break out of the sandbox and execute untrusted code.
With the second vulnerability, the upload function does not sufficiently check file names, which allows attackers to upload malicious code. There are currently no reports of attackers exploiting the vulnerabilities. However, this could change quickly, and admins should act promptly.
Install security updates
The developers state that they have closed the gaps in the following versions. All earlier versions are vulnerable.
- Analyst 14.0.6, 14.4.2
- AWS Marketplace 14.4.2
- Deployment Kit Spotfire Server 14.0.7, 14.4.2
- Desktop 14.4.2
- Enterprise Runtime 1.17.7, 1.22.2
- Service for Python 1.17.7, 1.22.2
- Service for R 1.17.7, 1.22.2
- Statistics Services 14.0.7, 14.4.2
(des)