CVE-2025-20231
Published: 26 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-20231 is a privilege escalation vulnerability affecting Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, as well as versions below 3.8.38 and 3.7.23 of the Splunk Secure Gateway app on Splunk Cloud Platform. It enables a low-privileged user without "admin" or "power" Splunk roles to execute a search using the permissions of a higher-privileged user, potentially resulting in the disclosure of sensitive information. The issue is classified under CWE-532 with a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts but requiring high attack complexity and user interaction.
Exploitation requires an authenticated low-privileged attacker to phish a higher-privileged victim, tricking them into initiating a specific request within their browser. This social engineering step is necessary, as the low-privileged user cannot trigger the vulnerability independently or at will. Successful exploitation allows the attacker to leverage the victim's elevated permissions to run unauthorized searches and access sensitive data.
The Splunk advisory at https://advisory.splunk.com/advisories/SVD-2025-0302 details mitigation, recommending an upgrade of Splunk Enterprise to 9.4.1, 9.3.3, 9.2.5, or 9.1.8 or higher, and of the Splunk Secure Gateway app on Splunk Cloud Platform to 3.8.38 or 3.7.23 or higher.
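The practical question for a defender is which deployments still sit below the fixed versions named above. The following is an added example, not code from Splunk or from the advisory: it takes the fixed-version table exactly as the advisory states it and classifies reported version strings per release line. The treatment of release lines the advisory does not name (anything older than 9.1.x, or newer than 9.4.x) is an assumption made here, and the inventory is constructed sample data, not real hosts.

```python
# Added example (not from the advisory or from Splunk): classify Splunk Enterprise
# and Splunk Secure Gateway app version strings against the fixed versions named
# for CVE-2025-20231. Fix versions come from the advisory text; the handling of
# release lines it does not mention is an assumption.
import re
from typing import Dict, Tuple

Version = Tuple[int, ...]

# Fixed version per release line, keyed by (major, minor), as stated in the advisory.
FIXED_ENTERPRISE: Dict[Tuple[int, int], Version] = {
    (9, 4): (9, 4, 1),
    (9, 3): (9, 3, 3),
    (9, 2): (9, 2, 5),
    (9, 1): (9, 1, 8),
}
FIXED_SECURE_GATEWAY: Dict[Tuple[int, int], Version] = {
    (3, 8): (3, 8, 38),
    (3, 7): (3, 7, 23),
}


def parse_version(text: str) -> Version:
    """Turn '9.3.2' (or '9.3.2.1') into a comparable tuple of ints; reject anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def classify(version: str, fixed: Dict[Tuple[int, int], Version]) -> str:
    """Return 'fixed', 'affected', or 'unlisted' for one product version.

    'unlisted' means the advisory names no fixed version for that release line;
    treat such hosts as affected until the vendor says otherwise (assumption).
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in fixed:
        # Tuple comparison handles short strings: (9, 3) < (9, 3, 3), so a bare
        # "9.3" is reported as affected rather than silently passing.
        return "fixed" if v >= fixed[branch] else "affected"
    if v > max(fixed.values()):
        # A release line newer than every fixed line shipped after the fix (assumption).
        return "fixed"
    return "unlisted"


# Constructed inventory for illustration: hostname -> (product, reported version).
SAMPLE_INVENTORY = {
    "sh-01": ("enterprise", "9.3.2"),
    "sh-02": ("enterprise", "9.4.1"),
    "idx-01": ("enterprise", "9.0.9"),
    "cloud-ssg": ("secure_gateway", "3.7.22"),
}


def triage(inventory: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """Classify every host in an inventory against the right fix table."""
    tables = {"enterprise": FIXED_ENTERPRISE, "secure_gateway": FIXED_SECURE_GATEWAY}
    return {host: classify(ver, tables[product]) for host, (product, ver) in inventory.items()}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Feed it the version strings your own asset inventory reports; hosts returned as "affected" or "unlisted" are the ones to schedule for the upgrade the advisory recommends.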
Details
CWE(s): CWE-532
Affected Products: Splunk Enterprise (versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8); Splunk Secure Gateway app on Splunk Cloud Platform (versions below 3.8.38 and 3.7.23)
MITRE ATT&CK Enterprise Techniques: T1068 (Exploitation for Privilege Escalation)
Why these techniques?
The CVE is explicitly described as a privilege escalation vulnerability that allows a low-privileged user to execute searches with a higher-privileged user's permissions, which maps directly to T1068.