CVE-2025-20231

Published Mar 26, 2025

Last updated 9 months ago

CVSS high 7.1
Splunk

Overview

Description
In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and versions below 3.8.38 and 3.7.23 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the “admin“ or “power“ Splunk roles could run a search using the permissions of a higher-privileged user that could lead to disclosure of sensitive information.<br><br>The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated low-privileged user should not be able to exploit the vulnerability at will.
Source
psirt@cisco.com
NVD status
Analyzed
Products
splunk, splunk_secure_gateway

Risk scores

CVSS 3.1

Type
Primary
Base score
5.7
Impact score
3.6
Exploitability score
2.1
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Severity
MEDIUM

Weaknesses

psirt@cisco.com
CWE-532

Social media

Hype score
Not currently trending

  1. 🚨 CVE-2025-20231 🔴 HIGH (7.1) 🏢 Splunk - Splunk Enterprise 🏗️ 9.4 🔗 https://t.co/rC0AMopJ9z #CyberCron #VulnAlert #InfoSec https://t.co/v8ZuldvjnI

    @cybercronai

    28 Mar 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Critical vulnerabilities in Splunk Enterprise and Cloud have been patched, addressing RCE and data leak risks (CVE-2025-20229, CVE-2025-20231). Organizations advised to check user access controls. 🛡️🔒 #Splunk #DataSecurity #USA link: https://t.co/eV3lC4exvt https://t.co/D7YyKk

    @TweetThreatNews

    27 Mar 2025

    106 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  3. Protect your systems from CVE-2025-20231, apply latest updates for enhanced security

    @LeBraunneZen

    27 Mar 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-20229 and CVE-2025-20231 impacts Splunk #Splunk #CVE-2025-20229 #CVE-2025-20231 https://t.co/4GQfmAvjLE

    @pravin_karthik

    27 Mar 2025

    25 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2025-20231 detected, apply system updates immediately

    @LeBraunneZen

    27 Mar 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2025-20231 detected, apply system updates to prevent threats

    @LeBraunneZen

    27 Mar 2025

    8 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Splunkは、2件の高深刻度脆弱性(CVE-2025-20229およびCVE-2025-20231)に対するセキュリティアップデートを公開した。 CVE-2025-20229は、Splunk EnterpriseおよびSplunk Cloud Platformに影響するリモートコード実行脆弱性。

    @yousukezan

    27 Mar 2025

    3004 Impressions

    4 Retweets

    18 Likes

    5 Bookmarks

    0 Replies

    2 Quotes

  8. Splunk Alert: RCE (CVE-2025-20229) and Data Leak (CVE-2025-20231) Vulnerabilities Threaten Platforms Splunk has released a security advisory detailing critical vulnerabilities affecting Splunk Enterprise and Splunk Cloud Platform. https://t.co/dnN9gD5QmW

    @the_yellow_fall

    27 Mar 2025

    734 Impressions

    4 Retweets

    13 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  9. Enhance security now: CVE-2025-20231 detected, apply latest system updates to prevent potential threats

    @LeBraunneZen

    27 Mar 2025

    8 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. �� CVE-2025-20231 - Splunk Enterprise - HIGH 🚨 🗓️ Date published 2025-03-26 22:15:15 UTC #SplunkEnterprise #CyberSecurity #InfoSec #Vulnerability #TechNews https://t.co/5rSc22YT2V

    @vulns_space

    26 Mar 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles, has write permission on the app, and does not hold the high-privilege capability `accelerate_datamodel`, could turn on or off Data Model Acceleration due to improper access control.CVE-2026-20203
  2. In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles could potentially perform a Remote Code Execution (RCE) by uploading a malicious file to the `$SPLUNK_HOME/var/run/splunk/apptemp` directory due to improper handling and insufficient isolation of temporary files within the `apptemp` directory.CVE-2026-20204
  3. In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127, a user who holds a role that contains the high-privilege capability `edit_user`could create a specially crafted username that includes a null byte or a non-UTF-8 percent-encoded byte due to improper input validation.<br><br>This could lead to inconsistent conversion of usernames into a proper format for storage and account management inconsistencies, such as being unable to edit or delete affected users.CVE-2026-20202
  4. In Splunk Enterprise versions below 10.2.1 and 10.0.4, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, and 10.0.2503.12, a low-privileged user that does not hold the "admin" or "power" Splunk roles could retrieve the Observability Cloud API access token through the Discover Splunk Observability Cloud app due to improper access control. This vulnerability does not affect Splunk Enterprise versions below 9.4.9 and 9.3.10 because the Discover Splunk Observability Cloud app does not come with Splunk Enterprise.CVE-2026-20166
  5. In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.9, and Splunk Cloud Platform versions below 10.2.2510.4, 10.1.2507.15, 10.0.2503.11, and 9.3.2411.123, a low-privileged user who does not hold the "admin" or "power" Splunk roles could craft a malicious payload when creating a View (Settings - User Interface - Views) at the `/manager/launcher/data/ui/views/_new` endpoint leading to a Stored Cross-Site Scripting (XSS) through a path traversal vulnerability. This could result in execution of unauthorized JavaScript code in the browser of a user. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.CVE-2026-20162

References

Sources include official advisories and independent security research.