Advisory

Critical security vulnerabilities reported in Spotfire AI analysis platform

Take action: First check whether your Spotfire deployment is internal to the company only and not reachable from the internet. If so, that buys you a little time. If it is exposed to the internet, this is an urgent advisory: patch NOW. Otherwise, you have several days to plan a patch. But you still must patch.


Cloud Software Group Inc. has remedied two critical security vulnerabilities in its Spotfire AI analysis platform products. These severe flaws could allow attackers to execute arbitrary code and compromise affected systems.

Spotfire AI refers to the artificial intelligence capabilities integrated into the Spotfire analytics platform, which enhance data analysis through features like predictive analytics, anomaly detection, and natural language processing. The Spotfire Copilot tool, a natural language extension, allows users to interact with data using conversational queries, making it easier to generate insights and visualizations.

Vulnerability summary

  • CVE-2025-3114 (CVSS score: 9.4): This vulnerability enables attackers to create specially crafted files with embedded code that may execute without adequate security validation, potentially leading to system compromise. Alternatively, attackers can exploit a flaw in the TERR security mechanism to bypass sandbox restrictions, enabling the execution of untrusted code without appropriate controls.
  • CVE-2025-3115 (CVSS score: 9.4): This vulnerability impacts Spotfire's Data Functions. Attackers can inject malicious code, potentially gaining control over the system executing these functions. Because filenames are not adequately validated during file uploads, attackers can upload and execute malicious files, leading to arbitrary code execution.

Attackers could potentially execute their own code remotely without authentication. The attack requires an attacker to place malicious code in a file, which Spotfire then executes because of insufficient security checks.

Successful exploitation could allow attackers to execute arbitrary code, bypass security controls, and completely compromise the affected systems.

The vulnerabilities affect Spotfire products across multiple versions, including:

  • Spotfire Analyst (14.0.5 and earlier; 14.1.0 through 14.4.1)
  • Spotfire Desktop (14.4.1 and earlier)
  • Spotfire for AWS Marketplace (14.4.1 and earlier)
  • Spotfire Enterprise Runtime for R (6.1.4 and earlier)
  • Spotfire Enterprise Runtime for R - Server Edition (1.17.6 and earlier; 1.18.0 through 1.21.1)
  • Spotfire Service for Python (1.17.6 and earlier; 1.18.0 through 1.21.1)
  • Spotfire Service for R (1.17.6 and earlier; 1.18.0 through 1.21.1)
  • Spotfire Statistics Services (14.0.6 and earlier; 14.1.0 through 14.4.1)
  • Deployment Kit used in Spotfire Server (14.0.6 and earlier; 14.1.0 through 14.4.1)

Cloud Software Group has released updated versions for all affected products. Organizations should upgrade immediately to the following patched versions:

  • Spotfire Analyst: upgrade to version 14.0.6 or 14.4.2 or higher
  • Spotfire for AWS Marketplace: upgrade to version 14.4.2 or higher
  • Spotfire Desktop: upgrade to version 14.4.2 or higher
  • Spotfire Enterprise Runtime for R: upgrade to version 6.1.5 or higher
  • Spotfire Enterprise Runtime for R - Server Edition: upgrade to version 1.17.7 or 1.22.2 or higher
  • Spotfire Service for Python: upgrade to version 1.17.7 or 1.22.2 or higher
  • Spotfire Service for R: upgrade to version 1.17.7 or 1.22.2 or higher
  • Spotfire Statistics Services: upgrade to version 14.0.7 or 14.4.2 or higher
  • Deployment Kit used in Spotfire Server: apply Deployment Kit in version 14.0.7 or 14.4.2 or higher
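To triage an inventory against the affected ranges and fixed versions listed above, here is an added helper (example code, not part of the advisory or a Cloud Software Group tool). The product names and version boundaries are taken from the lists above; the inventory records are constructed, and the "lowest fix above the installed version" choice is this example's own heuristic.

```python
from typing import List, Optional, Tuple

def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '14.4.1' into (14, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in s.strip().split("."))

# Affected ranges per product, inclusive on both ends, as stated in the advisory.
# A lower bound of None means "and earlier".
AFFECTED = {
    "Spotfire Analyst": [(None, "14.0.5"), ("14.1.0", "14.4.1")],
    "Spotfire Desktop": [(None, "14.4.1")],
    "Spotfire for AWS Marketplace": [(None, "14.4.1")],
    "Spotfire Enterprise Runtime for R": [(None, "6.1.4")],
    "Spotfire Enterprise Runtime for R - Server Edition": [(None, "1.17.6"), ("1.18.0", "1.21.1")],
    "Spotfire Service for Python": [(None, "1.17.6"), ("1.18.0", "1.21.1")],
    "Spotfire Service for R": [(None, "1.17.6"), ("1.18.0", "1.21.1")],
    "Spotfire Statistics Services": [(None, "14.0.6"), ("14.1.0", "14.4.1")],
    "Deployment Kit used in Spotfire Server": [(None, "14.0.6"), ("14.1.0", "14.4.1")],
}

# Patched versions per product, lowest first, as stated in the advisory.
FIXED = {
    "Spotfire Analyst": ["14.0.6", "14.4.2"],
    "Spotfire Desktop": ["14.4.2"],
    "Spotfire for AWS Marketplace": ["14.4.2"],
    "Spotfire Enterprise Runtime for R": ["6.1.5"],
    "Spotfire Enterprise Runtime for R - Server Edition": ["1.17.7", "1.22.2"],
    "Spotfire Service for Python": ["1.17.7", "1.22.2"],
    "Spotfire Service for R": ["1.17.7", "1.22.2"],
    "Spotfire Statistics Services": ["14.0.7", "14.4.2"],
    "Deployment Kit used in Spotfire Server": ["14.0.7", "14.4.2"],
}

def is_affected(product: str, version: str) -> bool:
    """True if the installed version falls inside any affected range for the product."""
    v = parse_version(version)
    return any((lo is None or parse_version(lo) <= v) and v <= parse_version(hi)
               for lo, hi in AFFECTED[product])

def recommended_fix(product: str, version: str) -> Optional[str]:
    """Lowest patched version above the installed one (this example's heuristic); None if not affected."""
    if not is_affected(product, version):
        return None
    v = parse_version(version)
    return next((f for f in FIXED[product] if parse_version(f) > v), FIXED[product][-1])

def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, installed, fix) for every affected inventory entry."""
    return [(h, p, ver, recommended_fix(p, ver)) for h, p, ver in inventory if is_affected(p, ver)]

# Constructed sample inventory: (hostname, product, installed version).
INVENTORY = [("bi-01", "Spotfire Analyst", "14.0.5"), ("bi-02", "Spotfire Analyst", "14.4.2"),
             ("r-01", "Spotfire Service for R", "1.22.0"), ("py-01", "Spotfire Service for Python", "1.19.3")]
```

Note that 1.22.0 and 1.22.1 of the R and Python services are not listed as affected even though the fix is 1.22.2; the checker follows the advisory's ranges literally, so confirm such edge cases with the vendor.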

There are currently no reports of these vulnerabilities being actively exploited in the wild, but organizations should act promptly as this situation could change quickly.
