CVE-2025-20324
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-07-07

Last updated on: 2025-07-21

Assigner: Cisco Systems, Inc.

Description
In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.7, and 9.1.10 and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, a low-privileged user that does not hold the "admin" or "power" Splunk roles could create or overwrite [system source type](https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.2/configure-source-types/create-source-types) configurations by sending a specially-crafted payload to the `/servicesNS/nobody/search/admin/sourcetypes/` REST endpoint on the Splunk management port.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-07-07
Last Modified
2025-07-21
Generated
2026-05-07
AI Q&A
2025-07-07
EPSS Evaluated
2026-05-05
NVD
CVE-2025-20324
EUVD
EUVD-2025-20302
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
splunk splunk From 9.1.0 (inc) to 9.1.10 (exc)
splunk splunk From 9.2.0 (inc) to 9.2.7 (exc)
splunk splunk From 9.3.0 (inc) to 9.3.5 (exc)
splunk splunk From 9.4.0 (inc) to 9.4.2 (exc)
splunk splunk_cloud_platform From 9.2.2406 (inc) to 9.2.2406.119 (exc)
splunk splunk_cloud_platform From 9.3.2408 (inc) to 9.3.2408.113 (exc)
splunk splunk_cloud_platform From 9.3.2411 (inc) to 9.3.2411.104 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-20324 is an improper access control vulnerability in Splunk Enterprise and Splunk Cloud Platform. It allows a low-privileged user who does not have 'admin' or 'power' roles to create or overwrite system source type configurations by sending a specially crafted payload to a specific REST endpoint (/servicesNS/nobody/search/admin/sourcetypes/) on the Splunk management port. This can be done remotely over the network without user interaction. [1]


How can this vulnerability impact me? :

This vulnerability can impact you by allowing unauthorized users with low privileges to modify system source type configurations in Splunk. This could lead to potential data integrity issues or misconfiguration, as unauthorized changes to source types might affect how data is ingested or processed. However, the impact on confidentiality and integrity is considered low, and there is no impact on availability. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade Splunk Enterprise to version 9.4.2 or later, or Splunk Cloud Platform to the corresponding patched versions 9.3.2411.104, 9.3.2408.113, or 9.2.2406.119. No other mitigations or workarounds are available. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart