CVE-2025-20232

Name of the Vulnerable Software and Affected Versions Splunk Enterprise versions prior to 9.3.3 Splunk Enterprise versions prior to 9.2.5 Splunk Enterprise versions prior to 9.1.8 Splunk Cloud Platform versions prior to 9.3.2408.103 Splunk Cloud Platform versions prior to 9.2.2406.108 Splunk Cloud Platform versions prior to 9.2.2403.113 Splunk Cloud Platform versions prior to 9.1.2312.208 Splunk Cloud Platform versions prior to 9.1.2308.212

Description A low-privileged user could bypass SPL safeguards for risky commands on the "/app/search/search" endpoint through its s parameter, allowing them to run a saved search with a risky command using the permissions of a higher-privileged user. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser.

Recommendations For Splunk Enterprise versions prior to 9.3.3, update to version 9.3.3 or later. For Splunk Enterprise versions prior to 9.2.5, update to version 9.2.5 or later. For Splunk Enterprise versions prior to 9.1.8, update to version 9.1.8 or later. For Splunk Cloud Platform versions prior to 9.3.2408.103, update to version 9.3.2408.103 or later. For Splunk Cloud Platform versions prior to 9.2.2406.108, update to version 9.2.2406.108 or later. For Splunk Cloud Platform versions prior to 9.2.2403.113, update to version 9.2.2403.113 or later. For Splunk Cloud Platform versions prior to 9.1.2312.208, update to version 9.1.2312.208 or later. For Splunk Cloud Platform versions prior to 9.1.2308.212, update to version 9.1.2308.212 or later.