CVE-2025-20322
BaseFortify

Publication date: 2025-07-07

Last updated on: 2025-07-21

Assigner: Cisco Systems, Inc.

Description
In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service (DoS).

The vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.

See [How rolling restart works](https://docs.splunk.com/Documentation/Splunk/9.4.2/DistSearch/RestartSHC) for more information.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-07-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
7 associated CPEs (version ranges: "inc" = inclusive bound, "exc" = exclusive bound)
Vendor | Product | Version / Range
splunk | splunk | From 9.1.0 (inc) to 9.1.10 (exc)
splunk | splunk | From 9.2.0 (inc) to 9.2.7 (exc)
splunk | splunk | From 9.3.0 (inc) to 9.3.5 (exc)
splunk | splunk | From 9.4.0 (inc) to 9.4.3 (exc)
splunk | splunk_cloud_platform | From 9.2.2406 (inc) to 9.2.2406.119 (exc)
splunk | splunk_cloud_platform | From 9.3.2408 (inc) to 9.3.2408.113 (exc)
splunk | splunk_cloud_platform | From 9.3.2411 (inc) to 9.3.2411.104 (exc)
CWE ID | Description
CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-20322 is a medium-severity vulnerability in Splunk Enterprise and Splunk Cloud Platform that allows an unauthenticated attacker to cause a denial of service (DoS) by sending a specially crafted SPL search command. This command triggers a rolling restart of the Search Head Cluster via a Cross-Site Request Forgery (CSRF) attack. The attacker must phish an administrator-level user to initiate the malicious request in their browser, as the attack requires user interaction and cannot be executed at will. [1]

How can this vulnerability impact me?

This vulnerability can disrupt your Splunk service by causing a rolling restart of the Search Head Cluster, leading to a denial of service (DoS). This disruption can affect availability and continuity of your Splunk environment, especially if Search Head Clustering is enabled and Splunk Web is active. The attacker cannot exploit this without tricking an administrator-level user, but successful exploitation can interrupt normal operations. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?

No detection methods are currently provided for this vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading Splunk Enterprise to versions 9.4.3, 9.3.5, 9.2.7, or 9.1.10, or upgrading Splunk Cloud Platform to the corresponding fixed versions 9.3.2411.104, 9.3.2408.113, or 9.2.2406.119. As a workaround, disabling Splunk Web can prevent exploitation of this vulnerability. [1]