CVE-2025-20321

Name of the Vulnerable Software and Affected Versions: Splunk Enterprise versions prior to 9.4.3 Splunk Enterprise versions prior to 9.3.5 Splunk Enterprise versions prior to 9.2.7 Splunk Enterprise versions prior to 9.1.10 Splunk Cloud Platform versions prior to 9.3.2411.104 Splunk Cloud Platform versions prior to 9.3.2408.114 Splunk Cloud Platform versions prior to 9.2.2406.119

Description: The issue allows an unauthenticated attacker to send a specially-crafted SPL search that could change the membership state in a Splunk Search Head Cluster (SHC) through a Cross-Site Request Forgery (CSRF), potentially leading to the removal of the captain or a member of the SHC. The vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser.

Recommendations: For Splunk Enterprise versions prior to 9.4.3, update to version 9.4.3 or later. For Splunk Enterprise versions prior to 9.3.5, update to version 9.3.5 or later. For Splunk Enterprise versions prior to 9.2.7, update to version 9.2.7 or later. For Splunk Enterprise versions prior to 9.1.10, update to version 9.1.10 or later. For Splunk Cloud Platform versions prior to 9.3.2411.104, update to version 9.3.2411.104 or later. For Splunk Cloud Platform versions prior to 9.3.2408.114, update to version 9.3.2408.114 or later. For Splunk Cloud Platform versions prior to 9.2.2406.119, update to version 9.2.2406.119 or later.