{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/metabase-enterprise/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Metabase Enterprise"],"_cs_severities":["high"],"_cs_tags":["metabase","rce","serialization","cve-2026-33725"],"_cs_type":"advisory","_cs_vendors":["Metabase"],"content_html":"\u003cp\u003eMetabase is a widely used open-source business intelligence and analytics tool. A critical vulnerability, CVE-2026-33725, affects Metabase Enterprise Edition versions prior to 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, and 1.59.4. This flaw allows authenticated administrators to execute arbitrary code and read arbitrary files. The vulnerability stems from the \u003ccode\u003ePOST /api/ee/serialization/import\u003c/code\u003e endpoint, which can be exploited by injecting a malicious \u003ccode\u003eINIT\u003c/code\u003e property into the H2 JDBC specification within a crafted serialization archive. This injected property enables the execution of arbitrary SQL commands during a database synchronization process. The vulnerability has been confirmed to be exploitable on Metabase Cloud, highlighting the broad impact of this issue. Only Metabase Enterprise is affected, as the OSS version lacks the vulnerable code paths.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates as an administrator to a vulnerable Metabase Enterprise instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious serialization archive containing an injected \u003ccode\u003eINIT\u003c/code\u003e property within the H2 JDBC spec.\u003c/li\u003e\n\u003cli\u003eThe malicious archive is submitted to the \u003ccode\u003e/api/ee/serialization/import\u003c/code\u003e endpoint via a POST request.\u003c/li\u003e\n\u003cli\u003eMetabase processes the archive, triggering the H2 JDBC driver with the injected \u003ccode\u003eINIT\u003c/code\u003e property.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eINIT\u003c/code\u003e property executes arbitrary SQL commands during a database synchronization operation.\u003c/li\u003e\n\u003cli\u003eThe attacker gains the ability to execute arbitrary code on the server hosting the Metabase instance.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the code execution to read arbitrary files on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker may use this access to exfiltrate sensitive data, pivot to other systems, or disrupt services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33725 allows attackers to gain complete control over affected Metabase Enterprise instances, potentially leading to data breaches, service disruption, and lateral movement within the network. The vulnerability affects all versions of Metabase Enterprise that have serialization, dating back to at least version 1.47, before being patched in versions 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, and 1.59.4. Given the widespread use of Metabase for business intelligence, a successful attack can expose sensitive business data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Metabase Enterprise instances to versions 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, 1.59.4, or later to patch CVE-2026-33725.\u003c/li\u003e\n\u003cli\u003eAs a temporary workaround, disable the serialization import endpoint in the Metabase instance, as recommended in the overview, to prevent access to the vulnerable code paths.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Metabase Enterprise Serialization Import Attempt\u0026quot; to monitor for attempts to exploit the vulnerability via the \u003ccode\u003e/api/ee/serialization/import\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-metabase-rce/","summary":"Authenticated administrators in vulnerable Metabase Enterprise editions can achieve Remote Code Execution (RCE) and Arbitrary File Read by injecting an `INIT` property into the H2 JDBC spec via a crafted serialization archive through the `POST /api/ee/serialization/import` endpoint.","title":"Metabase Enterprise Remote Code Execution via Serialization Import","url":"https://feed.craftedsignal.io/briefs/2024-01-metabase-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Metabase Enterprise","version":"https://jsonfeed.org/version/1.1"}