CVE-2025-20370
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-01

Last updated on: 2025-10-08

Assigner: Cisco Systems, Inc.

Description
In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a user who holds a role that contains the high-privilege capability `change_authentication`, could send multiple LDAP bind requests to a specific internal endpoint, resulting in high server CPU usage, which could potentially lead to a denial of service (DoS) until the Splunk Enterprise instance is restarted. See https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/manage-splunk-platform-users-and-roles/define-roles-on-the-splunk-platform-with-capabilities and https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/use-ldap-as-an-authentication-scheme/configure-ldap-with-splunk-web#cfe47e31_007f_460d_8b3d_8505ffc3f0dd__Configure_LDAP_with_Splunk_Web for more information.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-01
Last Modified
2025-10-08
Generated
2026-06-16
AI Q&A
2025-10-01
EPSS Evaluated
2026-06-15
NVD
CVE-2025-20370
EUVD
EUVD-2025-32717
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
splunk splunk From 9.2.0 (inc) to 9.2.8 (exc)
splunk splunk From 9.3.0 (inc) to 9.3.6 (exc)
splunk splunk From 9.4.0 (inc) to 9.4.4 (exc)
splunk splunk 10.0.0
splunk splunk_cloud_platform From 9.2.2406 (inc) to 9.2.2406.123 (exc)
splunk splunk_cloud_platform From 9.3.2408 (inc) to 9.3.2408.118 (exc)
splunk splunk_cloud_platform From 9.3.2411 (inc) to 9.3.2411.108 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in certain versions of Splunk Enterprise and Splunk Cloud Platform where a user with a role that has the high-privilege capability 'change_authentication' can send multiple LDAP bind requests to a specific internal endpoint. This causes high CPU usage on the server, potentially leading to a denial of service (DoS) until the Splunk instance is restarted.

Impact Analysis

The vulnerability can cause high CPU usage on the affected Splunk server, which may result in a denial of service (DoS). This means the Splunk Enterprise instance could become unresponsive or unavailable until it is restarted, impacting availability of the service.

Mitigation Strategies

Immediate mitigation steps include restricting or reviewing user roles that have the high-privilege capability `change_authentication` to prevent abuse, monitoring for unusual LDAP bind request activity to the internal endpoint, and upgrading Splunk Enterprise or Splunk Cloud Platform to versions 10.0.1, 9.4.4, 9.3.6, 9.2.8 or higher as applicable, where this vulnerability is fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-20370. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart