CVE-2025-20298

Published Jun 2, 2025

Last updated 7 months ago

CVSS high 8.0
Splunk Universal Forwarder
Splunk

Overview

Description
In Universal Forwarder for Windows versions below 9.4.2, 9.3.4, 9.2.6, and 9.1.9, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Universal Forwarder for Windows Installation directory (by default, C:\Program Files\SplunkUniversalForwarder). This lets non-administrator users on the machine access the directory and all its contents.
Source
psirt@cisco.com
NVD status
Analyzed
Products
universal_forwarder

Risk scores

CVSS 3.1

Type
Primary
Base score
8
Impact score
5.9
Exploitability score
2.1
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

psirt@cisco.com
CWE-732

Social media

Hype score
Not currently trending

  1. #CVE-2025-20298 affecting many #splunk universal forwarders: Your #LPE companion is back https://t.co/tIHNCwVYm3

    @kmkz_security

    17 Nov 2025

    15625 Impressions

    23 Retweets

    104 Likes

    41 Bookmarks

    1 Reply

    1 Quote

  2. Splunk の脆弱性 CVE-2025-20298 が FIX:重要リソースに対する不適切な権限割当 https://t.co/CcmulG6SPa Splunk Universal Forwarder for Windows

    @iototsecnews

    16 Jun 2025

    75 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🛡️ Critical flaw in Splunk Universal Forwarder for Windows (CVE-2025-20298) allows non-admins to access sensitive install files due to misconfigured permissions 🚨 Affects versions <9.4.2 Details: https://t.co/Ns7wyYGC37 #Splunk #CVE202520298 #Infosec https://t.co/9N

    @threatsbank

    3 Jun 2025

    39 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-20298 Splunk Universal Forwarder on Windows Permissions Vulnerability Below Specified Versions https://t.co/oDczOrhzZD

    @VulmonFeeds

    2 Jun 2025

    102 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2025-20298 In Universal Forwarder for Windows versions below 9.4.2, 9.3.4, 9.2.6, and 9.1.9, a new installation of or an upgrade to an affected version can result in incorrect p… https://t.co/NvfiezaWsZ

    @CVEnew

    2 Jun 2025

    197 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.8, 9.3.9, and 9.2.12, and Splunk Cloud Platform versions below 10.2.2510.3, 10.1.2507.8, 10.0.2503.9, and 9.3.2411.121, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload into the `realname`, `tz`, or `email` parameters of the `/splunkd/__raw/services/authentication/users/username` REST API endpoint when they change a password. This could potentially lead to a client‑side denial‑of‑service (DoS). The malicious payload might significantly slow page load times or render Splunk Web temporarily unresponsive.CVE-2026-20139
  2. In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the Splunk `_internal` index could view the `integrationKey`, `secretKey`, and `appSecretKey` secrets, generated by [Duo Two-Factor Authentication for Splunk Enterprise](https://duo.com/docs/splunk), in plain text.CVE-2026-20138
  3. In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.5, 9.3.7, and 9.2.9, and Splunk Cloud Platform versions below 10.1.2507.0, 10.0.2503.9, 9.3.2411.112, and 9.3.2408.122, a low-privileged user who does not hold the "admin" or "power" Splunk roles could bypass the SPL safeguards for risky commands when they create a Data Model that contains an injected SPL query within an object. They can bypass the safeguards by exploiting a path traversal vulnerability.CVE-2026-20137
  4. urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source.CVE-2026-21441
  5. MongoDB and MongoDB Server Improper Handling of Length Parameter Inconsistency VulnerabilityCVE-2025-14847

References

Sources include official advisories and independent security research.