Splunk Enterprise and Cloud Platform Vulnerabilities Allow Remote Code Execution and SSRF
Splunk has disclosed six critical security vulnerabilities affecting both Splunk Enterprise and Splunk Cloud Platform, exposing organizations to significant risks. The vulnerabilities include multiple cross-site scripting (XSS) flaws, an unauthenticated server-side request forgery (SSRF) vulnerability, and other weaknesses in Splunk’s web components. Two of the most notable XSS vulnerabilities are CVE-2025-20367, a reflected XSS in the /app/search/table endpoint, and CVE-2025-20368, a stored XSS in the Saved Search and Job Inspector features. Both XSS flaws can be exploited by low-privileged users to execute malicious JavaScript in the browsers of other users, potentially compromising user sessions and exposing sensitive data. The SSRF vulnerability, CVE-2025-20371, is particularly severe as it allows unauthenticated attackers to coerce Splunk into making REST API calls on behalf of authenticated high-privilege users, which could lead to further compromise of internal systems. These vulnerabilities affect multiple versions of Splunk Enterprise, specifically those below 10.0.1, 9.4.4, 9.3.6, and 9.2.8, as well as various versions of Splunk Cloud Platform. Successful exploitation of these flaws could allow attackers to gain unauthorized access, escalate privileges, and perform actions on behalf of legitimate users. Splunk has released patches addressing all six vulnerabilities and urges administrators to update their deployments immediately to mitigate the risks. The vulnerabilities highlight the importance of regular security assessments and prompt patch management in enterprise environments. Organizations using affected Splunk versions are advised to review their access logs for signs of exploitation and to apply the security updates without delay. The disclosure underscores the potential impact of web-based vulnerabilities in widely used security and analytics platforms. 
Security teams should also consider reviewing user permissions and monitoring for unusual activity in Splunk environments. The coordinated disclosure and rapid patching demonstrate the ongoing efforts by vendors and the security community to address critical flaws. These vulnerabilities, if left unpatched, could be leveraged in targeted attacks against organizations relying on Splunk for security monitoring and data analytics. The incident serves as a reminder of the evolving threat landscape and the need for vigilance in securing enterprise software. Splunk’s response includes detailed advisories and guidance for affected customers. The company has not reported any active exploitation in the wild at the time of disclosure, but the technical details provided could accelerate attempts by threat actors to develop exploits. Organizations are encouraged to stay informed about security advisories and to implement layered defenses to reduce the risk of compromise.
Timeline
Oct 1, 2025
Splunk begins patching cloud instances and recommends mitigations
Alongside the advisory, Splunk said it was actively patching affected Splunk Cloud Platform instances. The company also advised customers to upgrade and apply mitigations such as disabling Splunk Web when unnecessary and setting enableSplunkWebClientNetloc to false to reduce SSRF risk.
Oct 1, 2025
Splunk discloses high-severity SSRF as the most serious issue
Splunk identified CVE-2025-20371 as the most severe flaw in the October 2025 bundle, warning that an unauthenticated attacker could trigger blind SSRF and, under specific conditions, make REST API calls as a high-privileged user. The issue affected several Splunk Enterprise releases and some Splunk Cloud Platform builds.
Oct 1, 2025
Splunk releases patches for six Enterprise and Cloud Platform flaws
On 2025-10-01, Splunk issued security updates for six vulnerabilities affecting Splunk Enterprise and Splunk Cloud Platform, with severities ranging from medium to high. The fixes covered SSRF, XSS, information disclosure, XXE, and denial-of-service issues across multiple supported versions.
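A defender-side check, added here as an example and not Splunk's own tooling: it compares a Splunk Enterprise version string against the fixed releases named above (10.0.1, 9.4.4, 9.3.6, 9.2.8) and inspects a web.conf fragment for the enableSplunkWebClientNetloc mitigation. The placement of that key in the web.conf [settings] stanza and the sample config are assumptions; four-part Cloud Platform build numbers use a different scheme and are reported as unknown rather than compared.

```python
"""Added example (not Splunk's code): affected-version and mitigation check
for the October 2025 Splunk Enterprise advisory summarised above."""
import configparser

# First fixed release per maintained branch, as listed in the advisory summary.
# Any Enterprise build below its branch threshold is affected.
FIXED = {
    (10, 0): (10, 0, 1),
    (9, 4): (9, 4, 4),
    (9, 3): (9, 3, 6),
    (9, 2): (9, 2, 8),
}

def parse_version(text):
    """Turn '9.4.3' into (9, 4, 3) so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))

def is_affected(version):
    """True if an Enterprise version is below the fix for its branch, False if
    patched, None for branches the advisory does not list or for Cloud builds
    (four-part versions such as 10.0.2503.12 use a different scheme)."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if len(v) != 3 or fixed is None:
        return None
    return v < fixed

def ssrf_mitigation_applied(web_conf_text):
    """True only when web.conf explicitly sets enableSplunkWebClientNetloc to
    false. Assumption: the key lives in the [settings] stanza. An absent key is
    reported as not applied, so a reviewer is prompted to set it explicitly."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(web_conf_text)
    value = cp.get("settings", "enableSplunkWebClientNetloc", fallback="")
    return value.strip().lower() in ("false", "0", "f", "no", "n")

# Constructed sample web.conf for a stand-alone run (mitigation NOT applied).
SAMPLE_WEB_CONF = """[settings]
httpport = 8000
enableSplunkWebClientNetloc = true
"""

if __name__ == "__main__":
    for ver in ("10.0.0", "10.0.1", "9.4.3", "9.2.8", "9.1.5", "10.0.2503.12"):
        print(ver, "affected:", is_affected(ver))
    print("SSRF mitigation applied:", ssrf_mitigation_applied(SAMPLE_WEB_CONF))
```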
Related Stories

Splunk RCE via `/splunkd/__upload/indexing/preview` and `unarchive_cmd` (CVE-2026-20163)
Splunk disclosed a high-severity **remote command execution (RCE)** vulnerability, **CVE-2026-20163** (CVSS **8.0**), affecting *Splunk Enterprise* and *Splunk Cloud Platform*. The issue is a **command injection** weakness (CWE-77) in the REST endpoint `/splunkd/__upload/indexing/preview`, where user-controlled input is insufficiently sanitized during the “uploaded file preview before indexing” workflow. Exploitation requires an authenticated user whose role includes the high-privilege capability `edit_cmd`; under that condition, an attacker can abuse the `unarchive_cmd` parameter to execute arbitrary shell commands on the underlying host. Reported affected versions include Splunk Enterprise **10.0.0–10.0.3**, **9.4.0–9.4.8**, and **9.3.0–9.3.9**, plus Splunk Cloud Platform versions below **10.2.2510.5**, **10.1.2507.16**, **10.0.2503.12**, and **9.3.2411.124**; fixed thresholds are Enterprise **10.0.4**, **9.4.9**, **9.3.10**, and **10.2.0** (with the base Enterprise **10.2** release noted as not affected). The disclosure credits researcher **Danylo Dmytriiev (DDV_UA)** along with Splunk personnel **Gabriel Nitu** and **James Ervin**.
Privilege Escalation Vulnerabilities in Splunk Enterprise and Universal Forwarder for Windows
Splunk has disclosed two high-severity vulnerabilities, CVE-2025-20386 and CVE-2025-20387, affecting its Enterprise and Universal Forwarder products on Windows platforms. These flaws arise from incorrect NTFS file permissions set during installation and upgrades, allowing non-administrator users to access, modify, or overwrite sensitive files within the Splunk installation directories. The vulnerabilities enable local privilege escalation, potentially allowing attackers or compromised users to gain administrative access, alter configurations, or execute malicious code under elevated privileges. No active exploitation has been reported, but the risk remains significant for unpatched systems. The vulnerabilities impact both new installations and upgrades, with affected directories containing executable binaries, configuration files, and scripts critical to Splunk's operation. Attackers with local access could replace binaries, modify configuration files, inject malicious startup scripts, or hijack supporting executables, leading to full system compromise. Splunk has released patched versions (10.0.2, 9.4.6, 9.3.8, and 9.2.10) and strongly advises customers to upgrade immediately to mitigate these risks and prevent potential privilege escalation attacks.
Multiple Unrelated Critical Vulnerabilities Disclosed in October 2025
A series of critical and high-severity vulnerabilities affecting a diverse set of software products were publicly disclosed in October 2025. Epsilon RH by Grupo Castilla was found to have a SQL injection vulnerability (CVE-2025-41028) that allows attackers to manipulate the database by sending crafted POST requests to the 'sEstadoUsr' parameter in the '/epsilonnetws/WSAvisos.asmx' endpoint. Lanscope Endpoint Manager (CVE-2025-61932) was reported to have an improper origin verification flaw, enabling attackers to execute arbitrary code via specially crafted packets, though remote exploitation is not possible. Galaxy Software Services Vitals ESP Forum Module (CVE-2025-31342) was discovered to allow remote authenticated users to upload dangerous files, leading to arbitrary command execution. Fsas Technologies Inc.'s ETERNUS SF (CVE-2025-62577) contains incorrect default permissions, allowing low-privileged users to obtain database credentials and potentially escalate privileges to execute OS commands as an administrator. Excellent Infotek's Document Management System (CVE-2025-11948) is vulnerable to unauthenticated arbitrary file upload, enabling attackers to deploy web shells and execute code on the server. Vvveb CMS up to version 1.0.5 is susceptible to authenticated code injection via its Code Editor, allowing attackers to modify files and achieve remote code execution. The Theme Editor plugin for WordPress (CVE-2025-9890) is vulnerable to cross-site request forgery, which can be exploited to achieve remote code execution if an administrator is tricked into clicking a malicious link. The PPOM plugin for WooCommerce (CVE-2025-11391) allows unauthenticated arbitrary file uploads, posing a severe risk to affected e-commerce sites. 
The Appointments plugin for WordPress (CVE-2017-20206) and the Flickr Gallery plugin (CVE-2017-20207) both suffer from unauthenticated PHP object injection vulnerabilities, which have been actively exploited to create backdoors using the WP_Theme() class. RegistrationMagic (CVE-2017-20208) is also affected by a PHP object injection flaw, allowing attackers to fetch and install remote files. Finally, BLU-IC2 and BLU-IC4 devices (CVE-2025-11925) have an API that returns an incorrect Content-Type header, potentially enabling HTML/JavaScript injection in responses. Each of these vulnerabilities presents a significant risk, with several allowing remote code execution, privilege escalation, or the installation of persistent backdoors. The affected products span web applications, content management systems, endpoint management tools, and specialized enterprise software. Security teams are advised to review the specific advisories, apply patches or mitigations where available, and monitor for signs of exploitation, as several vulnerabilities have been reported as actively exploited in the wild. The diversity and severity of these disclosures underscore the ongoing need for rigorous vulnerability management and timely response to public advisories.