Splunk has released patches for a number of vulnerabilities in its Enterprise and Cloud Platform products, some of which could allow attackers to execute unauthorized JavaScript code, access sensitive information, or cause a denial-of-service (DoS) condition.
The advisories, published on October 1, 2025, detail six security flaws, with severity ratings ranging from Medium to High.
The most critical vulnerability is a Server-Side Request Forgery (SSRF) flaw, tracked as CVE-2025-20371, with a high CVSS score of 7.5.
This vulnerability could allow an unauthenticated attacker to trigger a blind SSRF, potentially enabling them to perform REST API calls on behalf of an authenticated, high-privileged user.
Successful exploitation requires the enableSplunkWebClientNetloc setting to be enabled and likely involves phishing the victim to initiate a request from their browser.
Code Execution and Information Disclosure Flaws
Two vulnerabilities directly concern the execution of unauthorized JavaScript code, a form of cross-site scripting (XSS).
CVE-2025-20367 (CVSS: 5.7): A low-privileged user can craft a malicious payload via the dataset.command parameter of a specific endpoint, leading to the execution of JavaScript code in a user's browser.
CVE-2025-20368 (CVSS: 5.7): Similarly, a low-privileged user can inject a malicious payload into the error messages and job inspection details of a saved search, resulting in unauthorized code execution.
Another significant flaw, CVE-2025-20366 (CVSS: 6.5), allows for information disclosure. In this scenario, a low-privileged user without the 'admin' or 'power' roles could access the results of an administrative search job running in the background.
If the attacker correctly guesses the unique Search ID (SID) of the job, they could retrieve potentially sensitive search results.
Denial of Service and XXE Vulnerabilities
The security update also addresses three medium-severity vulnerabilities that could impact system availability and integrity:
CVE-2025-20370 (CVSS: 4.9): A user with the change_authentication capability can send multiple LDAP bind requests to an internal endpoint, causing high CPU utilization and a potential DoS that requires an instance restart to resolve.
CVE-2025-20369 (CVSS: 4.6): A low-privileged user can perform an XML External Entity (XXE) injection via the dashboard tab label field, which could also lead to a DoS attack.
Affected Products and Mitigations
The vulnerabilities affect multiple versions of Splunk Enterprise and Splunk Cloud Platform. The affected Splunk Enterprise versions include those below 9.4.4, 9.3.6, and 9.2.8. For some flaws, version 10.0.0 is also affected.
Splunk has released patches and urges customers to upgrade to the following or later versions:
| CVE ID | Vulnerability Type | CVSS 3.1 Score | Affected Product | Affected Versions | Fixed Versions |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-20366 | Information Disclosure | 6.5 (Medium) | Splunk Enterprise | 9.4.0 – 9.4.3, 9.3.0 – 9.3.5, 9.2.0 – 9.2.7 | 9.4.4, 9.3.6, 9.2.8 |
| CVE-2025-20366 | Information Disclosure | 6.5 (Medium) | Splunk Cloud Platform | Below 9.3.2411.111, Below 9.3.2408.119, Below 9.2.2406.122 | 9.3.2411.111, 9.3.2408.119, 9.2.2406.122 |
| CVE-2025-20367 | Cross-Site Scripting (XSS) | 5.7 (Medium) | Splunk Enterprise | 9.4.0 – 9.4.3, 9.3.0 – 9.3.5, 9.2.0 – 9.2.7 | 9.4.4, 9.3.6, 9.2.8 |
| CVE-2025-20367 | Cross-Site Scripting (XSS) | 5.7 (Medium) | Splunk Cloud Platform | Below 9.3.2411.109, Below 9.3.2408.119, Below 9.2.2406.122 | 9.3.2411.109, 9.3.2408.119, 9.2.2406.122 |
| CVE-2025-20368 | Cross-Site Scripting (XSS) | 5.7 (Medium) | Splunk Enterprise | 9.4.0 – 9.4.3, 9.3.0 – 9.3.5, 9.2.0 – 9.2.7 | 9.4.4, 9.3.6, 9.2.8 |
| CVE-2025-20368 | Cross-Site Scripting (XSS) | 5.7 (Medium) | Splunk Cloud Platform | Below 9.3.2411.108, Below 9.3.2408.118, Below 9.2.2406.123 | 9.3.2411.108, 9.3.2408.118, 9.2.2406.123 |
| CVE-2025-20369 | XXE Injection | 4.6 (Medium) | Splunk Enterprise | 9.4.0 – 9.4.3, 9.3.0 – 9.3.5, 9.2.0 – 9.2.7 | 9.4.4, 9.3.6, 9.2.8 |
| CVE-2025-20369 | XXE Injection | 4.6 (Medium) | Splunk Cloud Platform | Below 9.3.2411.108, Below 9.3.2408.118, Below 9.2.2406.123 | 9.3.2411.108, 9.3.2408.118, 9.2.2406.123 |
| CVE-2025-20370 | Denial of Service (DoS) | 4.9 (Medium) | Splunk Enterprise | 10.0.0, 9.4.0 – 9.4.3, 9.3.0 – 9.3.5, 9.2.0 – 9.2.7 | 10.0.1, 9.4.4, 9.3.6, 9.2.8 |
| CVE-2025-20370 | Denial of Service (DoS) | 4.9 (Medium) | Splunk Cloud Platform | Below 9.3.2411.108, Below 9.3.2408.118, Below 9.2.2406.123 | 9.3.2411.108, 9.3.2408.118, 9.2.2406.123 |
| CVE-2025-20371 | Server-Side Request Forgery (SSRF) | 7.5 (High) | Splunk Enterprise | 10.0.0, 9.4.0 – 9.4.3, 9.3.0 – 9.3.5, 9.2.0 – 9.2.7 | 10.0.1, 9.4.4, 9.3.6, 9.2.8 |
| CVE-2025-20371 | Server-Side Request Forgery (SSRF) | 7.5 (High) | Splunk Cloud Platform | Below 9.3.2411.109, Below 9.3.2408.119, Below 9.2.2406.122 | 9.3.2411.109, 9.3.2408.119, 9.2.2406.122 |
Splunk has confirmed it is actively patching all Splunk Cloud Platform instances and will notify customers upon completion.
For users unable to apply the updates immediately, several workarounds are available. A common mitigation for many of the vulnerabilities is to disable Splunk Web if it is not required.
For the SSRF flaw (CVE-2025-20371), administrators can mitigate the risk by setting enableSplunkWebClientNetloc to false in the web.conf file.
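As an added defender's triage example (not Splunk's code and not part of the advisory), the script below compares a Splunk build against the fixed versions listed in the table for CVE-2025-20371 and checks a web.conf fragment for the enableSplunkWebClientNetloc setting the SSRF depends on. The fixed-version lists come from the table above; the per-branch comparison logic, the constructed sample web.conf, and the assumption that a missing setting means "disabled" are mine.

```python
"""Triage helper for CVE-2025-20371 (added example, not Splunk's code)."""
import configparser

# Fixed versions per release branch, copied from the advisory table for CVE-2025-20371.
# A build is only compared against the fix in its own branch (e.g. 9.4.x vs 9.4.4).
FIXED_SSRF = {
    "enterprise": ["10.0.1", "9.4.4", "9.3.6", "9.2.8"],
    "cloud": ["9.3.2411.109", "9.3.2408.119", "9.2.2406.122"],
}

# Constructed sample web.conf fragment with the risky setting turned on.
SAMPLE_WEB_CONF = """\
[settings]
enableSplunkWebClientNetloc = true
"""


def _parts(version):
    return tuple(int(x) for x in version.split("."))


def branch(version, product):
    # Enterprise branches are major.minor (9.4); Cloud builds also carry a series (9.3.2411).
    return _parts(version)[: 3 if product == "cloud" else 2]


def is_vulnerable(version, product="enterprise", fixed=FIXED_SSRF):
    """True if the build is below the fix for its branch; None if the branch is not in the table."""
    for fixed_version in fixed[product]:
        if branch(fixed_version, product) == branch(version, product):
            return _parts(version) < _parts(fixed_version)
    return None


def netloc_enabled(web_conf_text):
    """Read enableSplunkWebClientNetloc from a web.conf [settings] stanza.

    Assumption: an absent key is treated as disabled (false)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(web_conf_text)
    return parser.getboolean("settings", "enableSplunkWebClientNetloc", fallback=False)


def triage(version, product, web_conf_text):
    """Combine version and configuration state into one verdict."""
    vulnerable = is_vulnerable(version, product)
    if vulnerable is None:
        return "unknown branch: check the advisory"
    if not vulnerable:
        return "patched"
    return "exposed" if netloc_enabled(web_conf_text) else "unpatched, setting disabled"


if __name__ == "__main__":
    print(triage("9.4.3", "enterprise", SAMPLE_WEB_CONF))
```

Feed the function the merged configuration rather than a single file, since a later layer can override web.conf; `splunk btool web list settings` prints the effective values.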