Critical Security Flaws Detected in Spotfire AI Analysis Platform

Sun 13th Apr, 2025

Organizations utilizing the Spotfire AI analysis platform are advised to update their software promptly to address serious security vulnerabilities. Recent findings have indicated that attackers could exploit two critical weaknesses in multiple Spotfire products to execute malicious code.

The two flaws, tracked as CVE-2025-3114 and CVE-2025-3115, affect a range of components, including Spotfire Analyst, AWS Marketplace, the Spotfire Server Deployment Kit, Desktop, Enterprise Runtime, and related services for Python and R, as well as Statistics Services.

Both vulnerabilities allow unauthorized users to run their code remotely without prior authentication, raising alarms about potential exploitation. Attackers can initiate an attack by uploading a file containing harmful code, which may be executed due to insufficient validation processes. Furthermore, the flaws enable attackers to escape sandbox environments, leading to the execution of untrusted code.

Specifically, the second vulnerability involves inadequate checking of file names during the upload process, allowing malicious files to be uploaded. While there have not yet been reports of these vulnerabilities being actively exploited, the potential for such actions remains high, prompting administrators to act swiftly in applying necessary updates.

The developers have released patches to mitigate these vulnerabilities in the following versions:

  • Analyst: 14.0.6, 14.4.2
  • AWS Marketplace: 14.4.2
  • Deployment Kit Spotfire Server: 14.0.7, 14.4.2
  • Desktop: 14.4.2
  • Enterprise Runtime: 1.17.7, 1.22.2
  • Service for Python: 1.17.7, 1.22.2
  • Service for R: 1.17.7, 1.22.2
  • Statistics Services: 14.0.7, 14.4.2

All previous versions remain vulnerable, highlighting the necessity for organizations to upgrade to the latest releases to safeguard their systems against potential cyber threats.
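
To triage an inventory against the fixed versions listed above, version strings have to be compared numerically and per release line. The script below is an added example, not code from the vendor or the original article; the host names and installed versions are constructed, and it assumes each listed fix belongs to its own major.minor release line.

```python
# Fixed versions per component, copied from the list above.
FIXED = {
    "Analyst": ["14.0.6", "14.4.2"],
    "AWS Marketplace": ["14.4.2"],
    "Deployment Kit Spotfire Server": ["14.0.7", "14.4.2"],
    "Desktop": ["14.4.2"],
    "Enterprise Runtime": ["1.17.7", "1.22.2"],
    "Service for Python": ["1.17.7", "1.22.2"],
    "Service for R": ["1.17.7", "1.22.2"],
    "Statistics Services": ["14.0.7", "14.4.2"],
}

def parse(version):
    """Turn '14.4.2' into (14, 4, 2) so comparison is numeric, not textual."""
    return tuple(int(part) for part in version.strip().split("."))

def is_patched(component, installed):
    """True if `installed` is at or above the fix for its release line.

    Assumption: each listed fix belongs to its own major.minor line.
    A version on a line with no listed fix counts as patched only if it
    is newer than every listed fix.
    """
    have = parse(installed)
    fixes = [parse(v) for v in FIXED[component]]
    for fix in fixes:
        if have[:2] == fix[:2]:
            return have >= fix
    return have > max(fixes)

def triage(inventory):
    """Return (host, component, version) rows that still need the update."""
    return [row for row in inventory if not is_patched(row[1], row[2])]

# Constructed sample inventory (host names and versions are made up).
INVENTORY = [
    ("ws-01", "Analyst", "14.0.5"),
    ("ws-02", "Analyst", "14.0.10"),   # a plain string compare would misjudge this
    ("ws-03", "Desktop", "14.3.0"),    # no fix listed for the 14.3 line
    ("srv-01", "Statistics Services", "14.4.2"),
    ("srv-02", "Service for R", "1.17.6"),
    ("srv-03", "Enterprise Runtime", "1.22.2"),
]

if __name__ == "__main__":
    for host, component, version in triage(INVENTORY):
        print(f"{host}: {component} {version} needs updating")
```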

