Cyber Posture

CVE-2025-20229

Severity: High

Published: 26 March 2025

Modified: 21 July 2025
CVSS Score: 8.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0075 (73.2nd percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Security Summary

CVE-2025-20229 is a remote code execution (RCE) vulnerability affecting Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8, as well as Splunk Cloud Platform versions below 9.3.2408.104, 9.2.2406.108, 9.2.2403.114, and 9.1.2312.208. The flaw arises from missing authorization checks, enabling a low-privileged user lacking "admin" or "power" Splunk roles to upload malicious files to the $SPLUNK_HOME/var/run/splunk/apptemp directory.

A low-privileged user with network access can exploit this vulnerability remotely by uploading a crafted file to the specified directory, though exploitation requires user interaction. Successful exploitation allows arbitrary code execution on the Splunk server, resulting in high impacts to confidentiality, integrity, and availability, as reflected in its CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). The issue is classified under CWE-284 (Improper Access Control).

Splunk's advisory SVD-2025-0301 details the vulnerability and recommends mitigation by upgrading to the patched versions: Splunk Enterprise 9.3.3, 9.2.5, 9.1.8 or later, and the corresponding Splunk Cloud Platform releases.

Details

CWE(s)
CWE-284

Affected Products

Vendor: splunk · Product: splunk
Versions: 9.4.0 · 9.1.0 — 9.1.8 · 9.2.0 — 9.2.5 · 9.3.0 — 9.3.3

Vendor: splunk · Product: splunk cloud platform
Versions: 9.1.2312 — 9.1.2312.208 · 9.2.2403 — 9.2.2403.114 · 9.2.2406.100 — 9.2.2406.108

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

This is an RCE vulnerability in a public-facing Splunk application caused by missing authorization checks that let low-privileged users upload malicious files and achieve arbitrary code execution, which maps directly to T1190 (Exploit Public-Facing Application) and T1068 (Exploitation for Privilege Escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
