CVE-2025-20229

Name of the Vulnerable Software and Affected Versions Splunk Enterprise versions prior to 9.3.3 Splunk Enterprise versions prior to 9.2.5 Splunk Enterprise versions prior to 9.1.8 Splunk Cloud Platform versions prior to 9.3.2408.104 Splunk Cloud Platform versions prior to 9.2.2406.108 Splunk Cloud Platform versions prior to 9.2.2403.114 Splunk Cloud Platform versions prior to 9.1.2312.208

Description A low-privileged user that does not hold the "admin" or "power" Splunk roles could perform a Remote Code Execution (RCE) through a file upload to the "$SPLUNK HOME/var/run/splunk/apptemp" directory due to missing authorization checks. This issue allows attackers to execute arbitrary code by uploading malicious files. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited.

Recommendations For Splunk Enterprise versions prior to 9.3.3, update to version 9.3.3 or later. For Splunk Enterprise versions prior to 9.2.5, update to version 9.2.5 or later. For Splunk Enterprise versions prior to 9.1.8, update to version 9.1.8 or later. For Splunk Cloud Platform versions prior to 9.3.2408.104, update to version 9.3.2408.104 or later. For Splunk Cloud Platform versions prior to 9.2.2406.108, update to version 9.2.2406.108 or later. For Splunk Cloud Platform versions prior to 9.2.2403.114, update to version 9.2.2403.114 or later. For Splunk Cloud Platform versions prior to 9.1.2312.208, update to version 9.1.2312.208 or later. As a temporary workaround, consider restricting access to the "$SPLUNK HOME/var/run/splunk/apptemp" directory until a patch is available.