CVE-2025-20325
BaseFortify

Publication date: 2025-07-07

Last updated on: 2025-08-01

Assigner: Cisco Systems, Inc.

Description
In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.103, 9.3.2408.113, and 9.2.2406.119, the software potentially exposes the search head cluster [splunk.secret](https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.4/install-splunk-enterprise-securely/deploy-secure-passwords-across-multiple-servers) key. This exposure could happen if you have a Search Head cluster and you configure the Splunk Enterprise `SHCConfig` log channel at the DEBUG logging level in the clustered deployment.

The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles.

See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities), [Deploy a search head cluster](https://help.splunk.com/en/splunk-enterprise/administer/distributed-search/9.4/deploy-search-head-clustering/deploy-a-search-head-cluster), [Deploy secure passwords across multiple servers](https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.4/install-splunk-enterprise-securely/deploy-secure-passwords-across-multiple-servers) and [Set a security key for the search head cluster](https://help.splunk.com/splunk-enterprise/administer/distributed-search/9.4/configure-search-head-clustering/set-a-security-key-for-the-search-head-cluster#id_2c54937a_736c_47b5_9485_67e9e390acfa__Set_a_security_key_for_the_search_head_cluster) for more information.
Meta Information
Generated: 2026-05-07
EPSS evaluated: 2026-05-05
Affected Vendors & Products
7 associated CPEs (vendor, product, version range):
splunk splunk From 9.1.0 (inc) to 9.1.10 (exc)
splunk splunk From 9.2.0 (inc) to 9.2.7 (exc)
splunk splunk From 9.3.0 (inc) to 9.3.5 (exc)
splunk splunk From 9.4.0 (inc) to 9.4.3 (exc)
splunk splunk_cloud_platform From 9.2.2406 (inc) to 9.2.2406.119 (exc)
splunk splunk_cloud_platform From 9.3.2408 (inc) to 9.3.2408.113 (exc)
splunk splunk_cloud_platform From 9.3.2411 (inc) to 9.3.2411.103 (exc)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability (CVE-2025-20325) affects certain versions of Splunk Enterprise and Splunk Cloud Platform. It involves the potential exposure of the search head cluster's splunk.secret key if the SHCConfig log channel is configured at the DEBUG logging level in a clustered deployment. An attacker would need either local access to log files or administrative access to internal indexes (which are typically restricted to admin roles) to exploit this. The exposure happens because sensitive information is logged at the DEBUG level, which can reveal the secret key. [1]

How can this vulnerability impact me?

If exploited, this vulnerability could lead to the disclosure of the search head cluster's splunk.secret key, which is sensitive information. This could potentially allow an attacker with the required access to compromise the security of the search head cluster. However, the vulnerability has a low severity score (CVSS 3.1 score of 3.1), requires either local or admin-level access, and does not impact integrity or availability. If the SHCConfig log channel is not set to DEBUG or if a Search Head cluster is not used, the impact is informational only. [1]

How can this vulnerability be detected on my network or system? Can you suggest some commands?

To detect this vulnerability, verify whether your Splunk deployment uses a Search Head cluster and whether the SHCConfig log channel is set to the DEBUG logging level. This can be checked via the Server Logging Settings page in Splunk Web at /en-US/manager/system/server/logger. There are no specific commands provided in the resources, but checking the logging configuration for SHCConfig at the DEBUG level is key. [1]

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading Splunk Enterprise to versions 9.4.3, 9.3.5, 9.2.7, 9.1.10 or higher, or the corresponding fixed versions of Splunk Cloud Platform. If upgrading is not feasible, reduce the SHCConfig log channel logging level below DEBUG and update the splunk.secret key file to use a new cipher. Additionally, review and restrict internal index access to administrator-level roles only. [1]