Multiple vulnerabilities in Splunk Enterprise
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2025-20227 CVE-2025-20226 CVE-2025-20232 CVE-2025-20228 CVE-2025-20229 |
| CWE-ID | CWE-20 CWE-200 CWE-352 CWE-434 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Splunk Enterprise Server applications / IDS/IPS systems, Firewalls and proxy servers |
| Vendor | Splunk Inc. |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU106067
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-20227
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied input. A remote unprivileged user can bypass the external content warning modal dialog box in Dashboard Studio dashboards.
MitigationInstall updates from vendor's website.
Vulnerable software versionsSplunk Enterprise: 9.0.0 - 9.4.0
CPE2.3- cpe:2.3:a:splunk:splunk_enterprise:9.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_enterprise:9.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_enterprise:9.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_enterprise:9.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:splunk:splunk_enterprise:9.4.0:*:*:*:*:*:*:*
https://advisory.splunk.com/advisories/SVD-2025-0306
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU106066
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-20226
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the "/services/streams/search" endpoint. A remote attacker can trick the victim into initiating a request within their browser and gain access to sensitive information.
MitigationInstall updates from vendor's website.
Vulnerable software versionsSplunk Enterprise: 9.0.0 - 9.4.0
CPE2.3https://advisory.splunk.com/advisories/SVD-2025-0305
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Information disclosure
EUVDB-ID: #VU106065
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-20232
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the "/app/search/search" endpoint. A remote attacker can trick the victim into initiating a request within their browser and gain access to sensitive information.
Install updates from vendor's website.
Vulnerable software versionsSplunk Enterprise: 9.0.0 - 9.3.2
CPE2.3https://advisory.splunk.com/advisories/SVD-2025-0304
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Cross-site request forgery
EUVDB-ID: #VU106064
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-20228
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website and change the maintenance mode state of App Key Value Store (KVStore).
MitigationInstall updates from vendor's website.
Vulnerable software versionsSplunk Enterprise: 9.0.0 - 9.3.2
CPE2.3https://advisory.splunk.com/advisories/SVD-2025-0303
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Arbitrary file upload
EUVDB-ID: #VU106063
Risk: Medium
CVSSv4.0: 6.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-20229
CWE-ID:
CWE-434 - Unrestricted Upload of File with Dangerous Type
Exploit availability: No
DescriptionThe vulnerability allows a remote user to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload. A remote unprivileged user can upload a malicious file into the "$SPLUNK_HOME/var/run/splunk/apptemp" directory and execute it on the server.
MitigationInstall updates from vendor's website.
Vulnerable software versionsSplunk Enterprise: 9.0.0 - 9.3.2
CPE2.3https://advisory.splunk.com/advisories/SVD-2025-0301
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
