Critical Flaws in Splunk Expose Platforms to Code Injection

Splunk has disclosed six critical security vulnerabilities affecting multiple versions of both Splunk Enterprise and Splunk Cloud Platform. These flaws expose the platform's web components to attacks that could lead to unauthorized code execution, sensitive data access, and server-side request forgery (SSRF). 

Key Vulnerabilities Revealed 

The reported flaws include several high-risk issues: 

  • Server-Side Request Forgery (SSRF): The most severe flaw is CVE-2025-20371 (CVSS 7.5), an unauthenticated blind SSRF vulnerability. This allows attackers to trick Splunk into making REST API calls on behalf of authenticated high-privilege users. Exploitation typically requires phishing the user and depends on a specific configuration setting being enabled. 
  • Cross-Site Scripting (XSS): Two flaws (CVE-2025-20367 and CVE-2025-20368) allow low-privileged users to inject and execute malicious JavaScript code. This XSS could compromise other user sessions and expose sensitive data. 
  • Improper Access Control (CVE-2025-20366): Low-privileged users can guess unique search job IDs to gain unauthorized access to sensitive search results. 
  • Denial of Service (DoS): Two vulnerabilities could lead to service disruption. CVE-2025-20370 allows users with the change_authentication privilege to overwhelm the server with LDAP requests, forcing a restart. CVE-2025-20369 involves XML External Entity (XXE) injection that can trigger a DoS attack. 

Third-Party Component Updates 

Splunk also addressed multiple vulnerabilities stemming from vulnerable third-party packages used in Splunk Enterprise. These updates involved removing flawed packages (like protobuf-java and webpack) and upgrading essential components (like mongod and curl) to patch high-severity issues that could have led to remote code execution. 

Mitigation and Action 

Splunk strongly recommends users upgrade immediately to the fixed versions: 10.0.1, 9.4.4, 9.3.6, or 9.2.8 and higher for Splunk Enterprise. Splunk Cloud Platform is being actively patched by the company. 

Where immediate upgrades aren't possible, temporary mitigations include disabling Splunk Web to reduce attack surface and turning off the enableSplunkWebClientNetloc setting to reduce SSRF risk. 
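The following is an added example, not code from Splunk or from this article, showing how an administrator might turn the advisory's two action items into a repeatable check: compare an installed Splunk Enterprise version against the fixed versions named above, and inspect a web.conf for the two interim mitigations (Splunk Web disabled, enableSplunkWebClientNetloc turned off). It assumes both keys live in the [settings] stanza of web.conf (verify against your deployment's web.conf.spec), and the web.conf text it parses is constructed for the example.

```python
"""Assessment helpers for the Splunk advisory summarised above.

Added example (not Splunk's code). Assumptions:
  * Fixed versions are those the advisory names, keyed by release branch.
  * `startwebserver` and `enableSplunkWebClientNetloc` are read from the
    [settings] stanza of web.conf; only explicitly set values are reported,
    because this script does not know the defaults baked into your build.
"""
import configparser
from typing import List, Optional, Tuple

# First fixed release on each branch, per the advisory ("... and higher").
FIXED_VERSIONS = {
    (10, 0): (10, 0, 1),
    (9, 4): (9, 4, 4),
    (9, 3): (9, 3, 6),
    (9, 2): (9, 2, 8),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.4.3' into (9, 4, 3) so tuples compare numerically."""
    return tuple(int(p) for p in text.strip().split("."))


def is_patched(installed: str) -> Optional[bool]:
    """True if `installed` is at or above the fix for its branch, False if
    below, None if the branch is not covered by the advisory's version list
    (treat None as 'consult the advisory', not as 'safe')."""
    version = parse_version(installed)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None
    return version >= fixed


# Constructed sample: a web.conf with both risky settings explicitly on.
SAMPLE_WEB_CONF_EXPOSED = """\
[settings]
startwebserver = 1
enableSplunkWebClientNetloc = true
"""

# Constructed sample: the same file after applying the interim mitigations.
SAMPLE_WEB_CONF_MITIGATED = """\
[settings]
startwebserver = 0
enableSplunkWebClientNetloc = false
"""


def web_conf_findings(conf_text: str) -> List[str]:
    """Report mitigation gaps that are visible from an explicit web.conf."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings: List[str] = []
    if not parser.has_section("settings"):
        return findings  # nothing explicit to assess in this file
    settings = parser["settings"]

    # Mitigation 1: Splunk Web disabled (startwebserver = 0).
    web = settings.get("startwebserver")
    if web is not None and web.strip() != "0":
        findings.append("Splunk Web is enabled (startwebserver != 0)")

    # Mitigation 2: enableSplunkWebClientNetloc turned off (SSRF exposure).
    netloc = settings.get("enableSplunkWebClientNetloc")
    if netloc is not None and netloc.strip().lower() in ("true", "1"):
        findings.append("enableSplunkWebClientNetloc is enabled (SSRF risk)")
    return findings


def assess(installed: str, conf_text: str) -> List[str]:
    """Combine the version check and the web.conf check into one report."""
    report: List[str] = []
    patched = is_patched(installed)
    if patched is None:
        report.append(f"version {installed}: branch not in advisory list, check vendor guidance")
    elif not patched:
        report.append(f"version {installed}: below fixed release, upgrade required")
    report.extend(web_conf_findings(conf_text))
    return report


if __name__ == "__main__":
    for line in assess("9.4.3", SAMPLE_WEB_CONF_EXPOSED):
        print("FINDING:", line)
```

On a real host, replace the constructed strings with the output of `splunk version` and the effective web.conf (the merged result Splunk reports, not just the local file), since a key left unset here falls back to a default this script deliberately does not guess.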
