Splunk Unveils Critical Security Vulnerabilities in Enterprise and Cloud Platforms
Splunk recently announced the discovery of six significant security vulnerabilities affecting various versions of Splunk Enterprise and the Splunk Cloud Platform. These vulnerabilities expose weaknesses in the web components of Splunk’s software, allowing potential attackers to execute unauthorized JavaScript remotely, access sensitive data, and carry out server-side request forgery (SSRF) attacks. The implications of these security flaws are serious, warranting immediate attention from users and administrators.
Highlighting Key Cross-Site Scripting (XSS) Vulnerabilities
Among the most notable vulnerabilities are two critical cross-site scripting (XSS) flaws. The first, identified as CVE-2025-20367, is a reflected XSS vulnerability found within the /app/search/table endpoint, rated with a CVSS score of 5.7. This flaw can be exploited by low-privileged users, specifically those without administrative or power roles, enabling them to create malicious payloads using the dataset.command parameter. Such an attack can compromise the sessions of other users and lead to unauthorized access to sensitive information.
The second XSS issue, categorized as CVE-2025-20368, involves stored XSS stemming from absent field warning messages in the Saved Search and Job Inspector functionalities. Similar to the first, this vulnerability allows low-privileged users to inject harmful code, presenting a significant risk across affected versions of Splunk.
Addressing Server-Side Request Forgery and Denial of Service
One particularly alarming vulnerability is CVE-2025-20371, which represents an unauthenticated blind SSRF flaw impacting Splunk Enterprise versions below 10.0.1 and several Splunk Cloud Platform versions. With a CVSS score of 7.5, this vulnerability could allow attackers to compel Splunk to make REST API calls as authenticated high-privilege users. Exploiting this vulnerability generally depends on the enableSplunkWebClientNetloc setting being activated (set to true) in the web.conf configuration. Attackers might also need to use phishing techniques to deceive victims into initiating the request.
An additional concern is a denial of service (DoS) vulnerability designated CVE-2025-20370. This flaw enables users with the change_authentication privilege to bombard the server with multiple LDAP bind requests, overwhelming the CPU and forcing a restart of the affected instance, which carries a medium severity score of 4.9.
Further issues contributing to the vulnerability landscape include:
- CVE-2025-20369: This vulnerability allows XML External Entity (XXE) injection through the dashboard label field, which might lead to DoS attacks.
- CVE-2025-20366: This highlights improper access control in background job submissions, enabling low-privileged users to gain access to sensitive search results by guessing unique search job IDs.
Updates on Third-Party Package Vulnerabilities
Splunk has also tackled several vulnerabilities stemming from third-party packages integrated within Splunk Enterprise. Updates released on the same day apply to versions 10.0.1, 9.4.4, 9.3.6, and 9.2.8 and later. Significant changes consist of:
- The removal of vulnerable packages such as protobuf-java and webpack.
- Upgrades of mongod to version 7.0.14 and curl to version 8.14.1, addressing multiple high-severity CVEs.
- Patching of libxml2 against CVE-2025-32415.
- Upgrading jackson-core to v2.15.0 and mongotools to 100.12.1.
These updates are crucial as they directly target vulnerabilities that attackers could exploit for remote code execution or other malicious activity.
Recommendations for Mitigation and Patching
To effectively combat the identified vulnerabilities, Splunk strongly advises users to upgrade their affected instances to the following recommended versions:
- Splunk Enterprise: Upgrade to versions 10.0.1, 9.4.4, 9.3.6, or 9.2.8 or higher.
- Splunk Cloud Platform: Managed patching is actively undertaken by Splunk.
For situations where immediate upgrades are not possible, consider implementing these mitigative measures:
- Disabling Splunk Web to reduce risk for vulnerabilities associated with its components.
- Turning off the enableSplunkWebClientNetloc setting in web.conf to mitigate SSRF risks.
- Limiting high-privilege roles, such as change_authentication, to thwart possible DoS exploits.
Currently, no specific detection signatures exist for these vulnerabilities, making proactive measures vital for user security.
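Since no detection signatures are available, the practical check is an inventory one: is each instance on a fixed build, and is the SSRF precondition (enableSplunkWebClientNetloc set to true in web.conf) present? The script below is an added example, not Splunk's own tooling; it encodes the fixed versions listed above (unlisted branches are reported as needing an upgrade, because the advisory names no fixed build for them) and parses a constructed web.conf sample.

```python
import configparser
import io
import re

# Minimum patched release on each 9.x branch named in the advisory;
# anything at or above 10.0.1 is also fixed.
FIXED_BY_BRANCH = {(9, 2): (9, 2, 8), (9, 3): (9, 3, 6), (9, 4): (9, 4, 4)}
FIXED_10 = (10, 0, 1)

# Constructed web.conf excerpt with the weak setting enabled (assumption:
# a real file has more keys; only [settings] matters for this check).
SAMPLE_WEB_CONF = """
[settings]
httpport = 8000
enableSplunkWebClientNetloc = true
"""

def parse_version(text):
    """'9.4.3' -> (9, 4, 3); anything that is not three integers is rejected."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Splunk version: {text!r}")
    return tuple(int(x) for x in m.groups())

def needs_upgrade(version):
    """True when the build is below the fixed release for its branch.
    Branches the advisory does not list (e.g. 8.x, 9.1.x) have no fixed
    build given, so they are reported as needing an upgrade too."""
    v = parse_version(version)
    if v >= FIXED_10:
        return False
    fixed = FIXED_BY_BRANCH.get(v[:2])
    return fixed is None or v < fixed

def netloc_enabled(web_conf_text):
    """Report whether enableSplunkWebClientNetloc is true under [settings].
    Splunk .conf files are INI-style; strict=False tolerates repeated keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_file(io.StringIO(web_conf_text))
    if not cp.has_section("settings"):
        return False  # key absent means the default (false) applies
    raw = cp.get("settings", "enableSplunkWebClientNetloc", fallback="false")
    return raw.strip().lower() in ("1", "true", "t", "yes", "on")

def assess(version, web_conf_text):
    """Combine both checks into the findings an admin would act on."""
    return {"needs_upgrade": needs_upgrade(version),
            "ssrf_precondition": netloc_enabled(web_conf_text)}

if __name__ == "__main__":
    print(assess("9.4.3", SAMPLE_WEB_CONF))
```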