CVE-2025-20321
BaseFortify
Publication date: 2025-07-07
Last updated on: 2025-07-21
Assigner: Cisco Systems, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| splunk | splunk | From 9.1.0 (inc) to 9.1.10 (exc) |
| splunk | splunk | From 9.2.0 (inc) to 9.2.7 (exc) |
| splunk | splunk | From 9.3.0 (inc) to 9.3.5 (exc) |
| splunk | splunk | From 9.4.0 (inc) to 9.4.3 (exc) |
| splunk | splunk_cloud_platform | From 9.2.2406 (inc) to 9.2.2406.119 (exc) |
| splunk | splunk_cloud_platform | From 9.3.2408 (inc) to 9.3.2408.114 (exc) |
| splunk | splunk_cloud_platform | From 9.3.2411 (inc) to 9.3.2411.104 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-20321 is a medium-severity Cross-Site Request Forgery (CSRF) vulnerability in Splunk Enterprise and Splunk Cloud Platform versions prior to the fixed releases listed above. An unauthenticated attacker can craft an SPL search request that changes the membership state of a Splunk Search Head Cluster (SHC), potentially removing the SHC captain or a cluster member. Exploitation requires phishing an administrator-level user so that their browser initiates the malicious request; without that user interaction, the attacker cannot exploit the vulnerability. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker to manipulate the membership state of your Splunk Search Head Cluster, potentially removing the captain or a member of the cluster, which could disrupt cluster operations and availability. Because exploitation requires phishing an administrator-level user, the risk depends on an attacker's ability to trick such a user. If Search Head Clustering is not enabled, the impact is informational only. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
No specific detection methods or commands are provided for this vulnerability in the available resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Splunk Enterprise to versions 9.4.3, 9.3.5, 9.2.7, or 9.1.10, or upgrading Splunk Cloud Platform to versions 9.3.2411.104, 9.3.2408.114, or 9.2.2406.119. As a workaround, disabling Splunk Web can reduce the risk of exploitation. [1]