CVE-2025-20379
BaseFortify

Publication date: 2025-11-12

Last updated on: 2025-12-03

Assigner: Cisco Systems, Inc.

Description
In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, and 9.2.9 and Splunk Cloud Platform versions below 9.3.2411.116, 9.3.2408.124, 10.0.2503.5 and 10.1.2507.1, a low-privileged user that does not hold the "admin" or "power" Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user, bypassing the SPL safeguards for risky commands. They could bypass these safeguards on the "/services/streams/search" endpoint through its "q" parameter by circumventing endpoint restrictions using character encoding in the REST path. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.
Meta Information
Generated: 2026-05-06
AI Q&A: 2025-11-13
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
splunk splunk From 9.2.0 (inc) to 9.2.9 (exc)
splunk splunk From 9.3.0 (inc) to 9.3.7 (exc)
splunk splunk From 9.4.0 (inc) to 9.4.5 (exc)
splunk splunk 10.0.0
splunk splunk_cloud_platform From 9.3.2408 (inc) to 9.3.2408.124 (exc)
splunk splunk_cloud_platform From 9.3.2411 (inc) to 9.3.2411.116 (exc)
splunk splunk_cloud_platform From 10.0.2503 (inc) to 10.0.2503.5 (exc)
splunk splunk_cloud_platform From 10.1.2507 (inc) to 10.1.2507.1 (exc)
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in certain versions of Splunk Enterprise and Splunk Cloud Platform allows a low-privileged user, who does not have admin or power roles, to run a saved search with a risky command using the permissions of a higher-privileged user. This bypasses the safeguards designed to prevent risky commands. The bypass occurs through the /services/streams/search endpoint by exploiting the 'q' parameter and using character encoding to circumvent endpoint restrictions. However, the attacker must phish the victim to initiate the request in their browser, and the authenticated user cannot exploit this vulnerability at will.

How can this vulnerability impact me?

The vulnerability could allow a low-privileged user to execute commands with higher privileges than intended, potentially leading to unauthorized actions or access within the Splunk environment. Since the attacker must phish a victim to exploit this, it involves social engineering. The impact is limited to confidentiality as per the CVSS score, with no direct impact on integrity or availability.