A severe vulnerability in Splunk Enterprise and Splunk Cloud Platform has been identified, allowing for Remote Code Execution (RCE) via file uploads.
This exploit can be triggered by a low-privileged user, highlighting significant security risks for affected organizations.
The vulnerability, tracked as CVE-2025-20229, has a CVSSv3.1 score of 8.0, classified as High.
The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H, indicating that the vulnerability can be exploited remotely with low complexity and privileges, but requires user interaction.
It is associated with CWE-284, which involves improper access control, and has been assigned Bug ID VULN-19218.
The issue arises from missing authorization checks when uploading files to the $SPLUNK_HOME/var/run/splunk/apptemp directory, allowing users without the “admin” or “power” roles to execute malicious code remotely.
The vulnerability arises from missing authorization checks when uploading files to the $SPLUNK_HOME/var/run/splunk/apptemp directory. This enables users without the “admin” or “power” roles to execute malicious code remotely.
Affected Products
The following Splunk products are affected by this vulnerability:
| Product | Version | Affected Version | Fix Version |
| Splunk Enterprise | 9.4 | – | 9.4.0 |
| Splunk Enterprise | 9.3 | 9.3.0 to 9.3.2 | 9.3.3 |
| Splunk Enterprise | 9.2 | 9.2.0 to 9.2.4 | 9.2.5 |
| Splunk Enterprise | 9.1 | 9.1.0 to 9.1.7 | 9.1.8 |
| Splunk Cloud Platform | 9.3.2408 | 9.3.2408.100 to 9.3.2408.103 | 9.3.2408.104 |
| Splunk Cloud Platform | 9.2.2406 | 9.2.2406.100 to 9.2.2406.107 | 9.2.2406.108 |
| Splunk Cloud Platform | 9.2.2403 | Below 9.2.2403.113 | 9.2.2403.114 |
| Splunk Cloud Platform | 9.1.2312 | Below 9.1.2312.207 | 9.1.2312.208 |
To mitigate this vulnerability, Splunk advises users to upgrade their systems to the latest secure versions.
For Splunk Enterprise, upgrading to versions 9.4.0, 9.3.3, 9.2.5, or 9.1.8 is recommended. Splunk is actively updating Splunk Cloud Platform instances to ensure their security.
The upgrade process is straightforward, and organizations are urged to prioritize these updates given the high severity of the vulnerability.
Regularly checking for updates and ensuring that systems are kept up-to-date is crucial for maintaining robust security postures.
As cybersecurity threats continue to evolve, staying informed about vulnerabilities like CVE-2025-20229 is vital for protecting sensitive data and infrastructure.
Are you from SOC/DFIR Teams? – Analyse Malware, Phishing Incidents & get live Access with ANY.RUN -> Start Now for Free.
Cisco Talos has uncovered an ongoing cyber campaign by the Gamaredon threat actor group, targeting…
Researchers have uncovered a dangerous new mobile banking Trojan dubbed Crocodilus actively targeting financial institutions…
From WannaCry to the MGM Resorts Hack, ransomware remains one of the most damaging cyberthreats…
Cybersecurity researchers have discovered a sophisticated phishing-as-a-service (PhaaS) platform, dubbed "Morphing Meerkat," that leverages DNS…
A recently identified Remote Access Trojan (RAT) has raised alarms within the cybersecurity community due…
PJobRAT, an Android Remote Access Trojan (RAT) first identified in 2019, has resurfaced in a…
