PT-2025-46680 · Splunk · Splunk Cloud Platform+1

Anton · Published 2025-11-12 · Updated 2025-12-04 · CVE-2025-20379

CVSS v2.0: 4.0 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Splunk Enterprise versions prior to 10.0.1
Splunk Enterprise versions 9.2.9 through 9.4.5
Splunk Cloud Platform versions below 9.3.2411.116
Splunk Cloud Platform versions 9.3.2408.124 and below
Splunk Cloud Platform versions below 10.0.2503.5
Splunk Cloud Platform versions below 10.1.2507.1

Description

A user with limited privileges in Splunk Enterprise and Splunk Cloud Platform may be able to execute commands with higher privileges. This occurs because a low-privileged user, lacking administrative or power roles, can bypass safeguards for risky commands within saved searches. The bypass is achieved through character encoding in the REST path of the /services/streams/search endpoint, specifically manipulating the q parameter. Successful exploitation requires an attacker to phish a victim into initiating a request within their browser. The authenticated user cannot exploit the issue without being tricked into initiating the request.

Recommendations

Update Splunk Enterprise to version 10.0.1 or later.
Update Splunk Enterprise to version 9.4.5 or later.
Update Splunk Enterprise to version 9.3.7 or later.
Update Splunk Enterprise to version 9.2.9 or later.
Update Splunk Cloud Platform to version 9.3.2411.116 or later.
Update Splunk Cloud Platform to version 9.3.2408.124 or later.
Update Splunk Cloud Platform to version 10.0.2503.5 or later.
Update Splunk Cloud Platform to version 10.1.2507.1 or later.
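
Detection logic for the encoded-path condition in the Description, added here as an example and not taken from the advisory or from Splunk: it flags access-log requests whose path resolves to /services/streams/search only after percent-decoding. The log layout, sample lines and function names are assumptions constructed for illustration; the advisory does not say which characters are encoded, so any percent-encoding in the path is flagged.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/services/streams/search"  # endpoint named in the advisory
MAX_DECODE_ROUNDS = 3                  # also catches double/triple encoding

# Assumed layout: client - user [time] "METHOD target HTTP/x" status
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def fully_decode(path):
    """Percent-decode until stable; return (decoded_path, rounds_needed)."""
    rounds = 0
    while rounds < MAX_DECODE_ROUNDS:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def inspect_line(line):
    """Return a finding if the request reaches ENDPOINT through an encoded path."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    decoded, rounds = fully_decode(parts.path)
    normalized = re.sub(r"/{2,}", "/", decoded).rstrip("/").lower()
    if rounds == 0 or not normalized.endswith(ENDPOINT):
        return None  # unencoded path (normal API use) or a different endpoint
    return {
        "user": m["user"], "client": m["client"], "raw_path": parts.path,
        "decode_rounds": rounds, "has_q": "q" in parse_qs(parts.query),
        "status": int(m["status"]),
    }

def scan(lines):
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample lines, not real log data.
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Nov/2025:10:00:01 +0000] "GET /services/streams/search?q=search%20index%3Dmain HTTP/1.1" 200',
    '10.0.0.7 - bob [12/Nov/2025:10:02:13 +0000] "GET /services/str%65ams/search?q=search%20index%3Dmain HTTP/1.1" 200',
    '10.0.0.7 - bob [12/Nov/2025:10:02:40 +0000] "GET /services/streams%252Fsearch?q=search%20index%3Dmain HTTP/1.1" 200',
    '10.0.0.9 - carol [12/Nov/2025:10:03:05 +0000] "GET /services/search/jobs?output_mode=json HTTP/1.1" 200',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Adjust `LINE_RE` to the access-log format of your own deployment or reverse proxy before running it against real logs.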

Fix

LPE

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2025-16048
CVE-2025-20379

Affected Products

Splunk Cloud Platform
Splunk Enterprise