Privilege Escalation Vulnerabilities in Splunk Enterprise and Universal Forwarder for Windows
Splunk has disclosed two high-severity vulnerabilities, CVE-2025-20386 and CVE-2025-20387, affecting its Enterprise and Universal Forwarder products on Windows platforms. These flaws arise from incorrect NTFS file permissions set during installation and upgrades, allowing non-administrator users to access, modify, or overwrite sensitive files within the Splunk installation directories. The vulnerabilities enable local privilege escalation, potentially allowing attackers or compromised users to gain administrative access, alter configurations, or execute malicious code under elevated privileges. No active exploitation has been reported, but the risk remains significant for unpatched systems.
The vulnerabilities impact both new installations and upgrades, with affected directories containing executable binaries, configuration files, and scripts critical to Splunk's operation. Attackers with local access could replace binaries, modify configuration files, inject malicious startup scripts, or hijack supporting executables, leading to full system compromise. Splunk has released patched versions (10.0.2, 9.4.6, 9.3.8, and 9.2.10) and strongly advises customers to upgrade immediately to mitigate these risks and prevent potential privilege escalation attacks.
Timeline
Dec 10, 2025
Public reporting details CVE-2025-20386 and CVE-2025-20387 in Splunk Enterprise
Subsequent public coverage identified Splunk Enterprise vulnerabilities as CVE-2025-20386 and CVE-2025-20387, adding technical identification for the disclosed issues. This reporting appears to describe the same disclosure rather than a separate incident.
Dec 8, 2025
Splunk discloses Windows privilege-escalation flaw in Enterprise and Forwarder
A high-severity local privilege-escalation vulnerability affecting Splunk Enterprise and Splunk Universal Forwarder on Windows was publicly disclosed. The issue stems from incorrect NTFS permissions applied during installation or upgrades, allowing non-admin local users to tamper with files loaded by Splunk services and potentially gain NT AUTHORITY\SYSTEM privileges.
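Because the root cause is NTFS permissions rather than a code-level bug, the practical check on a Windows host is an ACL audit: does any broad, non-administrative principal hold write-capable rights anywhere under the Splunk install tree that the SYSTEM service loads from? The script below is an added example written for this page, not Splunk's own tooling or part of its advisory. The default install paths, the list of "broad" principals and the set of rights treated as tamper-capable are assumptions to adapt to your environment; the same check applies verbatim to any other directory a privileged service reads from, such as the Windows Admin Center path mentioned in the related stories.

```powershell
# Added example (not Splunk's code): audit NTFS ACLs under Splunk install
# directories for write-capable rights granted to broad, non-admin principals.
# Run from an elevated PowerShell prompt on the Windows host being checked.

# Default install paths for Splunk Enterprise and the Universal Forwarder
# (assumed; adjust if your deployment uses a custom SPLUNK_HOME).
$SplunkRoots = @(
    "$env:ProgramFiles\Splunk",
    "$env:ProgramFiles\SplunkUniversalForwarder"
)

# Well-known principals that a non-administrator local user belongs to.
# None of them should be able to change files loaded by a SYSTEM service.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow replacing, altering, deleting or re-ACLing a file.
# Write, Modify and FullControl all include at least one of these bits,
# so a bitwise test against this mask catches every write-capable ACE.
$TamperRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Find-WeakSplunkAcl {
    param(
        [string[]]$Roots      = $SplunkRoots,
        [string[]]$Principals = $BroadPrincipals
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # The root directory itself plus everything beneath it (hidden files included).
        $items = @(Get-Item -LiteralPath $root) +
                 @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue)

        foreach ($item in $items) {
            try {
                $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
            } catch {
                continue   # unreadable ACL: skip rather than abort the whole audit
            }
            foreach ($ace in $acl.Access) {
                # Only Allow ACEs grant access; Deny ACEs are not findings.
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
                # Cast to int so generic-rights values that are not named enum
                # members are still compared correctly.
                if (([int]$ace.FileSystemRights -band [int]$TamperRights) -eq 0) { continue }

                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # inherited ACEs point at a weak parent directory
                }
            }
        }
    }
}

# Usage: list every weak ACE, most useful sorted by path so inherited
# findings cluster under the directory that introduced them.
Find-WeakSplunkAcl | Sort-Object Path | Format-Table -AutoSize
```

An empty result means no broad principal can tamper with the audited tree. Any row is a finding: a member of that principal can replace or edit the listed path, which is exactly the condition the advisory describes. Running the audit before and after upgrading to one of the patched versions confirms that the upgrade actually corrected the permissions on that host rather than assuming it did.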
Related Stories

Splunk Enterprise and Cloud Platform Vulnerabilities Allow Remote Code Execution and SSRF
Splunk has disclosed six critical security vulnerabilities affecting both Splunk Enterprise and Splunk Cloud Platform, exposing organizations to significant risks. The vulnerabilities include multiple cross-site scripting (XSS) flaws, an unauthenticated server-side request forgery (SSRF) vulnerability, and other weaknesses in Splunk’s web components. Two of the most notable XSS vulnerabilities are CVE-2025-20367, a reflected XSS in the /app/search/table endpoint, and CVE-2025-20368, a stored XSS in the Saved Search and Job Inspector features. Both XSS flaws can be exploited by low-privileged users to execute malicious JavaScript in the browsers of other users, potentially compromising user sessions and exposing sensitive data. The SSRF vulnerability, CVE-2025-20371, is particularly severe as it allows unauthenticated attackers to coerce Splunk into making REST API calls on behalf of authenticated high-privilege users, which could lead to further compromise of internal systems. These vulnerabilities affect multiple versions of Splunk Enterprise, specifically those below 10.0.1, 9.4.4, 9.3.6, and 9.2.8, as well as various versions of Splunk Cloud Platform. Successful exploitation of these flaws could allow attackers to gain unauthorized access, escalate privileges, and perform actions on behalf of legitimate users. Splunk has released patches addressing all six vulnerabilities and urges administrators to update their deployments immediately to mitigate the risks. The vulnerabilities highlight the importance of regular security assessments and prompt patch management in enterprise environments. Organizations using affected Splunk versions are advised to review their access logs for signs of exploitation and to apply the security updates without delay. The disclosure underscores the potential impact of web-based vulnerabilities in widely used security and analytics platforms. 
Security teams should also consider reviewing user permissions and monitoring for unusual activity in Splunk environments. The coordinated disclosure and rapid patching demonstrate the ongoing efforts by vendors and the security community to address critical flaws. These vulnerabilities, if left unpatched, could be leveraged in targeted attacks against organizations relying on Splunk for security monitoring and data analytics. The incident serves as a reminder of the evolving threat landscape and the need for vigilance in securing enterprise software. Splunk’s response includes detailed advisories and guidance for affected customers. The company has not reported any active exploitation in the wild at the time of disclosure, but the technical details provided could accelerate attempts by threat actors to develop exploits. Organizations are encouraged to stay informed about security advisories and to implement layered defenses to reduce the risk of compromise.
1 month ago
Splunk RCE via `/splunkd/__upload/indexing/preview` and `unarchive_cmd` (CVE-2026-20163)
Splunk disclosed a high-severity **remote command execution (RCE)** vulnerability, **CVE-2026-20163** (CVSS **8.0**), affecting *Splunk Enterprise* and *Splunk Cloud Platform*. The issue is a **command injection** weakness (CWE-77) in the REST endpoint `/splunkd/__upload/indexing/preview`, where user-controlled input is insufficiently sanitized during the “uploaded file preview before indexing” workflow. Exploitation requires an authenticated user whose role includes the high-privilege capability `edit_cmd`; under that condition, an attacker can abuse the `unarchive_cmd` parameter to execute arbitrary shell commands on the underlying host. Reported affected versions include Splunk Enterprise **10.0.0–10.0.3**, **9.4.0–9.4.8**, and **9.3.0–9.3.9**, plus Splunk Cloud Platform versions below **10.2.2510.5**, **10.1.2507.16**, **10.0.2503.12**, and **9.3.2411.124**; fixed thresholds are Enterprise **10.0.4**, **9.4.9**, **9.3.10**, and **10.2.0** (with the base Enterprise **10.2** release noted as not affected). The disclosure credits researcher **Danylo Dmytriiev (DDV_UA)** along with Splunk personnel **Gabriel Nitu** and **James Ervin**.
1 month ago
Local Privilege Escalation Vulnerabilities in Windows Management Tools
A critical vulnerability in the JumpCloud Remote Assist for Windows agent (CVE-2025-34352) allows a standard user on a company-managed device to gain full, persistent SYSTEM-level control. The flaw, discovered by XM Cyber, arises from the agent's uninstallation process, which performs privileged file operations in a user-controlled temporary folder. This enables local users to exploit the uninstall routine to overwrite or delete sensitive system files, resulting in either local privilege escalation or denial of service. Over 180,000 organizations using JumpCloud are potentially at risk until the issue is remediated. Separately, Microsoft’s Windows Admin Center (WAC) is affected by a local privilege escalation vulnerability (CVE-2025-64669) due to insecure directory permissions on `C:\ProgramData\WindowsAdminCenter`. Standard users can write to this directory, which is also accessed by services running with elevated privileges, allowing attackers to exploit extension uninstall mechanisms or DLL hijacking to obtain SYSTEM-level access. Both vulnerabilities highlight the risks posed by improper privilege separation and insecure file system permissions in widely deployed Windows management tools.
1 month ago