CVE-2025-20387

Published Dec 3, 2025

Last updated 3 months ago

CVSS high 8.0
Splunk

Overview

Description
In Splunk Universal Forwarder for Windows versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Universal Forwarder for Windows Installation directory. This lets non-administrator users on the machine access the directory and all its contents.
Source
psirt@cisco.com
NVD status
Analyzed
Products
splunk

Risk scores

CVSS 3.1

Type
Primary
Base score
6.5
Impact score
3.6
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity
MEDIUM

Weaknesses

psirt@cisco.com
CWE-732

Social media

Hype score
Not currently trending

  1. Splunk Windows版に高リスクの脆弱性(CVE-2025-20386,CVE-2025-20387) EnterpriseとUniversal Forwarderの両方が対象に https://t.co/Fr0MnWJaBZ #セキュリティ対策Lab #セキュリティ #Security #サイバー攻撃

    @securityLab_jp

    9 Dec 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨 Splunk admins: URGENT patch required! CVE-2025-20386 & CVE-2025-20387 allow local privilege escalation to SYSTEM on Windows due to lax file permissions CVSS: 8.0 | Impact: Full SIEM compromise https://t.co/eapppt7jLF #CyberSecurity #Splunk #InfoSec https://t.co/bZKRls4

    @nxtgen579255

    8 Dec 2025

    62 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Splunk EnterpriseとUniversal ForwarderのWindows版で、インストール時の誤った権限設定により特権昇格につながる深刻な欠陥が判明した(CVE-2025-20386,CVE-2025-20387)。非管理者でも機密ディレクトリへアクセスできる状態と

    @yousukezan

    5 Dec 2025

    2266 Impressions

    7 Retweets

    21 Likes

    9 Bookmarks

    0 Replies

    1 Quote

  4. CVE-2025-20387 Splunk Universal Forwarder Windows Privilege Escalation via Incorrect Permissions https://t.co/1ILYIEzjdd

    @VulmonFeeds

    3 Dec 2025

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. CVE-2025-20387 In Splunk Universal Forwarder for Windows versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, a new installation of or an upgrade to an affected version can result in in… https://t.co/a4KUXGyoMu

    @CVEnew

    3 Dec 2025

    120 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.8, and 9.2.11, and Splunk Cloud Platform versions below 10.2.2510.0, 10.1.2507.11, 10.0.2503.9, and 9.3.2411.120, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the the Splunk _internal index could view the Security Assertion Markup Language (SAML) configurations for Attribute query requests (AQRs) or Authentication extensions in plain text within the conf.log file, depending on which feature is configured.CVE-2026-20144
  2. In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the Splunk `_internal` index could view the RSA `accessKey` value from the [<u>Authentication.conf</u> ](https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/10.2/configuration-file-reference/10.2.0-configuration-file-reference/authentication.conf)file, in plain text.CVE-2026-20142
  3. In Splunk Enterprise versions below 10.0.2, 10.0.3, 9.4.8, and 9.3.9, a low-privileged user who does not hold the "admin" Splunk role could access the Splunk Monitoring Console App endpoints due to an improper access control. This could lead to a sensitive information disclosure.<br><br>The Monitoring Console app is a bundled app that comes with Splunk Enterprise. It is not available for download on SplunkBase, and is not installed on Splunk Cloud Platform instances. This vulnerability does not affect [Cloud Monitoring Console](https://help.splunk.com/en/splunk-cloud-platform/administer/admin-manual/10.2.2510/monitor-your-splunk-cloud-platform-deployment/introduction-to-the-cloud-monitoring-console).CVE-2026-20141
  4. In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.8, 9.3.9, and 9.2.12, and Splunk Cloud Platform versions below 10.2.2510.3, 10.1.2507.8, 10.0.2503.9, and 9.3.2411.121, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload into the `realname`, `tz`, or `email` parameters of the `/splunkd/__raw/services/authentication/users/username` REST API endpoint when they change a password. This could potentially lead to a client‑side denial‑of‑service (DoS). The malicious payload might significantly slow page load times or render Splunk Web temporarily unresponsive.CVE-2026-20139
  5. In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the Splunk `_internal` index could view the `integrationKey`, `secretKey`, and `appSecretKey` secrets, generated by [Duo Two-Factor Authentication for Splunk Enterprise](https://duo.com/docs/splunk), in plain text.CVE-2026-20138

References

Sources include official advisories and independent security research.