| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2025-20388 CVE-2025-20386 CVE-2025-20385 CVE-2025-20384 CVE-2025-20382 |
| CWE-ID | CWE-918 CWE-732 CWE-79 CWE-117 CWE-601 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software | Splunk Enterprise Server applications / IDS/IPS systems, Firewalls and proxy servers |
| Vendor | Splunk Inc. |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
EUVDB-ID: #VU119120
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-20388
CWE-ID:
CWE-918 - Server-Side Request Forgery (SSRF)
Exploit availability: No
Description: The disclosed vulnerability allows a remote user to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input. A remote privileged user can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive data located in the local network or to send malicious requests to other servers from the vulnerable system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Splunk Enterprise: 9.0.0 - 10.0.1
Vendor advisory: https://advisory.splunk.com/advisories/SVD-2025-1207
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU119119
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-20386
CWE-ID:
CWE-732 - Incorrect Permission Assignment for Critical Resource
Exploit availability: No
Description: The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect permission assignment for the Windows installation directory (by default, C:\Program Files\Splunk) during a new installation or upgrade. A local user on the machine can access the directory and all its contents.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Splunk Enterprise: 9.0.0 - 10.0.1
Vendor advisory: https://advisory.splunk.com/advisories/SVD-2025-1205
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU119118
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-20385
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description: The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing the anchor tag "href" in Navigation Bar Collections. A remote privileged user can inject and execute arbitrary HTML and script code in a user's browser in the context of the vulnerable website.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Splunk Enterprise: 9.0.0 - 10.0.1
Vendor advisory: https://advisory.splunk.com/advisories/SVD-2025-1204
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
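For the navigation bar "href" issue described above (CVE-2025-20385), one way to review navigation definitions for link targets whose scheme is neither relative nor HTTP(S). This is an added example, not Splunk's code or its fix; the allowlist policy and the sample navigation XML (`<collection>` elements containing `<a href>` links) are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ALLOWED_SCHEMES = {"", "http", "https"}  # "" means a relative link (assumed policy)
LEADING_JUNK = "".join(chr(i) for i in range(0x21))  # C0 controls and space

def href_scheme(href):
    """Return the scheme a browser would see, lower-cased, or "" if relative."""
    # Browsers drop tab/CR/LF anywhere in a URL and ignore leading controls/spaces,
    # so normalise the same way before looking for the scheme.
    cleaned = "".join(c for c in href if c not in "\t\r\n").lstrip(LEADING_JUNK)
    head = cleaned
    for sep in "/?#":  # a colon after any of these is not a scheme delimiter
        head = head.split(sep, 1)[0]
    return head.split(":", 1)[0].lower() if ":" in head else ""

def audit_nav(nav_xml):
    """List (collection label, link text, href, scheme) for disallowed hrefs."""
    findings = []
    root = ET.fromstring(nav_xml)
    for collection in root.iter("collection"):
        for anchor in collection.findall("a"):
            href = anchor.get("href", "")
            scheme = href_scheme(href)
            if scheme not in ALLOWED_SCHEMES:
                label = collection.get("label", "")
                text = (anchor.text or "").strip()
                findings.append((label, text, href, scheme))
    return findings

# Constructed sample navigation definition, not taken from a real deployment.
SAMPLE_NAV = """<nav search_view="search">
  <view name="search" default="true" />
  <collection label="Links">
    <a href="/app/search/reports">Reports</a>
    <a href="https://docs.example.com/runbook">Runbook</a>
    <a href=" JavaScript:void(0)">Help</a>
    <a href="data:image/png;base64,AAAA">Status</a>
  </collection>
</nav>"""

if __name__ == "__main__":
    for row in audit_nav(SAMPLE_NAV):
        print(row)
```
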
EUVDB-ID: #VU119117
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-20384
CWE-ID:
CWE-117 - Improper Output Neutralization for Logs
Exploit availability: No
Description: The vulnerability allows a remote attacker to manipulate application logs.
The vulnerability exists due to improper input validation at the "/en-US/static/" web endpoint. A remote non-authenticated attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files and manipulate their contents.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Splunk Enterprise: 9.0.0 - 10.0.1
Vendor advisory: https://advisory.splunk.com/advisories/SVD-2025-1203
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
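For the log manipulation issue described above (CVE-2025-20384), a sketch of how a defender could flag log lines that reference "/en-US/static/" and carry ANSI escape or other control characters, and render them safely for review. This is an added example, not Splunk's code; the access-log line format and the sample lines are constructed and are not Splunk's actual log layout.

```python
import re
from urllib.parse import unquote

STATIC_PREFIX = "/en-US/static/"  # endpoint named in the advisory
# CSI sequences (ESC [ ... final byte) and OSC sequences (ESC ] ... BEL or ESC \)
ANSI_SEQ = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")
# Any control character except tab and newline
CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")

def decode_fully(text, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded ESC (%251b) is exposed too."""
    for _ in range(max_rounds):
        decoded = unquote(text, encoding="latin-1")
        if decoded == text:
            break
        text = decoded
    return text

def inspect_line(line):
    """Return (suspicious, safe_text) for one log line."""
    decoded = decode_fully(line.rstrip("\n"))
    hit = STATIC_PREFIX in decoded and bool(CONTROL.search(decoded))
    # Neutralise for display: drop complete sequences, make leftovers visible.
    safe = ANSI_SEQ.sub("", decoded)
    safe = CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), safe)
    return hit, safe

def scan(lines):
    """Return (line number, neutralised text) for every suspicious line."""
    findings = []
    for number, line in enumerate(lines, 1):
        hit, safe = inspect_line(line)
        if hit:
            findings.append((number, safe))
    return findings

SAMPLE_LOG = [  # constructed lines in a generic access-log style
    '10.0.0.5 - - [01/Dec/2025:10:00:00] "GET /en-US/static/app/search/logo.png HTTP/1.1" 200',
    '10.0.0.9 - - [01/Dec/2025:10:00:02] "GET /en-US/static/%1b[31mALERT%1b[0m HTTP/1.1" 404',
    '10.0.0.9 - - [01/Dec/2025:10:00:03] "GET /en-US/static/\x1b[31mred\x1b[0m HTTP/1.1" 404',
    '10.0.0.7 - - [01/Dec/2025:10:00:04] "GET /en-US/static/%251b%5b0m HTTP/1.1" 404',
]

if __name__ == "__main__":
    for number, safe in scan(SAMPLE_LOG):
        print(number, safe)
```

Viewing affected logs through a filter like this, rather than printing them raw to a terminal, keeps any embedded escape sequences from being interpreted.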
EUVDB-ID: #VU119116
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-20382
CWE-ID:
CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Exploit availability: No
Description: The vulnerability allows a remote user to redirect victims to an arbitrary URL.
The vulnerability exists due to improper sanitization of user-supplied data. A remote low-privileged user that does not hold the “admin” or “power” Splunk roles could create a views dashboard with a custom background using the data:image/png;base64 protocol that could potentially lead to an unvalidated redirect.
Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Splunk Enterprise: 9.0.0 - 10.0.1
Vendor advisory: https://advisory.splunk.com/advisories/SVD-2025-1201
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.