Splunk Universal Forwarder on Windows Lets Non-Admin Users Access All Contents

Posted on June 3, 2025June 3, 2025 By CWS

A high-severity vulnerability has been uncovered in Splunk Universal Forwarder for Windows that compromises directory access controls.

The flaw, designated CVE-2025-20298 with a CVSSv3.1 score of 8.0, affects multiple versions of the software and poses significant security risks to enterprise environments relying on Splunk's data forwarding capabilities.

The vulnerability stems from incorrect permission assignment during the installation or upgrade of Universal Forwarder for Windows.

Permission Assignment Vulnerability

This security flaw is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource), indicating a fundamental issue with access control mechanisms.

The vulnerability manifests when Universal Forwarder for Windows versions below 9.4.2, 9.3.4, 9.2.6, and 9.1.9 are newly installed or upgraded to an affected version.

During these processes, the installation directory, typically located at C:\Program Files\SplunkUniversalForwarder, receives incorrect permissions that allow non-administrator users to access the directory and all its contents.

This represents a significant breach of the principle of least privilege, a cornerstone of enterprise security frameworks.

The CVSSv3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H indicates that while the attack requires low-level privileges and user interaction, it can result in high impact across confidentiality, integrity, and availability.

The network attack vector component suggests potential for remote exploitation under certain circumstances.

The scope of this vulnerability is considerable, affecting four major release branches of Splunk Universal Forwarder for Windows.

Specifically, the vulnerability affects versions in the 9.4 branch below 9.4.2, the 9.3 branch below 9.3.4, the 9.2 branch below 9.2.6, and the 9.1 branch below 9.1.9.

This broad version coverage means that numerous enterprise deployments may be vulnerable.

The security implications are particularly concerning for organizations that use the Splunk Universal Forwarder to collect and forward sensitive log data from Windows systems.

Non-administrator users gaining unauthorized access to the installation directory could potentially view configuration files, access forwarded data, or even modify forwarding behavior.

This could lead to data exfiltration, tampering with audit trails, or disruption of critical monitoring and compliance functions.

Risk Factors and Details

Affected Products: Splunk Universal Forwarder for Windows versions in the 9.4 branch (< 9.4.2), the 9.3 branch (< 9.3.4), the 9.2 branch (< 9.2.6), and the 9.1 branch (< 9.1.9)
Impact: Unauthorized access to the Splunk installation directory and its contents, modification of configuration/log files, risk of service disruption
Exploit Prerequisites: Local access to a Windows system with an affected Splunk version; a non-administrator user account; installation/upgrade to a vulnerable version without the mitigation applied
CVSS 3.1 Score: 8.0 (High)

Mitigation Strategies

Splunk recommends an immediate upgrade to fixed versions: 9.4.2, 9.3.4, 9.2.6, 9.1.9, or higher.

Organizations should prioritize these updates given the high severity score and the potential for privilege escalation.

For environments where immediate upgrading is not feasible, Splunk provides a specific mitigation command that must be executed as a Windows system administrator.

The workaround involves running the following icacls.exe command from either a command prompt or a PowerShell window:

This icacls command removes the problematic permissions by targeting the Built-in Users group (represented by *BU) on the installation directory.

The /remove:g parameter removes the specified group's permissions, while the /C flag continues the operation despite any errors encountered.

Organizations must apply this mitigation in three specific scenarios: new installations of affected versions, upgrades to affected versions, and situations involving uninstallation and reinstallation of existing affected Splunk installations.

System administrators should implement this fix immediately after any of these operations to prevent unauthorized access.
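As an added audit example (not code from the article or from Splunk), the following PowerShell script checks whether a host is exposed in the way described above: it compares the installed build against the fixed builds listed for each branch and inspects the install directory's ACL for the Built-in Users group, printing the icacls remediation assembled from the parameters the article names. The default install path and the etc\splunk.version file are assumptions.

```powershell
# Audit helper added here; not code from the article or from Splunk.
# Checks a Windows host for CVE-2025-20298 exposure: (1) is the installed Universal
# Forwarder build below the fixed build for its branch, and (2) does BUILTIN\Users
# (SID S-1-5-32-545, the *BU group icacls refers to) still hold an ACE on the install
# directory. Assumptions: default install path; etc\splunk.version holds "VERSION=x.y.z".
param([string]$SplunkDir = 'C:\Program Files\SplunkUniversalForwarder')

# Fixed builds per branch, as listed in the article; older builds on the same branch are affected.
$Fixed = @{
    '9.4' = [version]'9.4.2'; '9.3' = [version]'9.3.4'
    '9.2' = [version]'9.2.6'; '9.1' = [version]'9.1.9'
}

function Test-AffectedVersion([version]$v) {
    $branch = "$($v.Major).$($v.Minor)"
    if (-not $Fixed.ContainsKey($branch)) { return $false }  # branch not named in the advisory
    return $v -lt $Fixed[$branch]
}

function Get-UFVersion([string]$dir) {
    foreach ($line in Get-Content (Join-Path $dir 'etc\splunk.version') -ErrorAction Stop) {
        if ($line -match '^VERSION=(\d+\.\d+\.\d+)') { return [version]$Matches[1] }
    }
    throw "No VERSION line found in etc\splunk.version"
}

function Get-BuiltinUsersAces([string]$dir) {
    $usersSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'
    # Request SID-based rules so the match does not depend on the display language.
    (Get-Acl -Path $dir).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $usersSid }
}

$ver  = Get-UFVersion $SplunkDir
$aces = @(Get-BuiltinUsersAces $SplunkDir)
Write-Host "Universal Forwarder $ver at $SplunkDir"
if (Test-AffectedVersion $ver) {
    Write-Warning "Build is below the fixed build for the $($ver.Major).$($ver.Minor) branch; upgrade."
}

if ($aces.Count -gt 0) {
    Write-Warning "BUILTIN\Users holds $($aces.Count) ACE(s) on the install directory:"
    $aces | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
    # Remediation assembled from the parameters the article describes: remove the *BU group
    # (/remove:g) from the directory and continue past errors (/C). Run as administrator.
    Write-Host "icacls.exe `"$SplunkDir`" /remove:g *BU /C"
} else {
    Write-Host "No BUILTIN\Users entries on the install directory."
}
```

Because the ACL check matches on the well-known SID rather than the account name, it also works on non-English Windows installations.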

