CVE Alert: CVE-2025-20371 – Splunk – Splunk Enterprise

CVE-2025-20371

HIGH | No exploitation known

In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6 and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119 and 9.2.2406.122, an unauthenticated attacker could trigger a blind server-side request forgery (SSRF) potentially letting an attacker perform REST API calls on behalf of an authenticated high-privileged user.

CVSS v3.1 (7.5)
Vendor
Splunk, Splunk
Product
Splunk Enterprise, Splunk Cloud Platform
Versions
10.0 < 10.0.1 | 9.4 < 9.4.4 | 9.3 < 9.3.6 | 9.2 < 9.2.8 | 9.3.2411 < 9.3.2411.109 | 9.3.2408 < 9.3.2408.119 | 9.2.2406 < 9.2.2406.122
CWE
CWE-918, The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Published
2025-10-01T16:08:02.891Z
Updated
2025-10-02T03:55:47.543Z

AI Summary Analysis

Risk verdict

High-risk vulnerability: a blind SSRF that can trigger REST API calls on behalf of an authenticated high-privilege user; no active exploitation reported at present.

Why this matters

An attacker could abuse the SSRF to reach internal endpoints, potentially exposing, modifying or deleting sensitive data accessed via REST APIs. If leveraged against admin accounts, the impact could extend to monitoring configurations, data sources, and policy settings, impairing security posture and operations.

Most likely attack path

An attacker would need to entice a logged-in, high-privilege user into an action that causes the Splunk server to fetch an attacker-specified URL (the SSRF). The flaw is reachable over the network and requires no privileges, but it does require user interaction (CVSS UI:R), so initial access depends on social engineering or phishing to obtain the high-privilege session context needed to reach sensitive APIs.

Who is most exposed

Organisations running on-prem Splunk Enterprise or Splunk Cloud Platform at older patch levels with exposed management interfaces are most at risk; deployments with highly privileged accounts and internet-accessible consoles are particularly exposed.

Detection ideas

  • Unusual outbound requests from the Splunk host to non-canonical destinations
  • REST API activity from authenticated high-privilege users to internal endpoints
  • Bursts of API calls shortly after user-driven actions
  • Anomalous URL or hostnames appearing in API request logs
  • Patterned success responses for invalid or unexpected URLs
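The first, second and third detection ideas above can be turned into a small log-review script. The example below is added here and is not part of the advisory or of Splunk's own tooling: it parses constructed egress and API-request records in a hypothetical "timestamp subject object" layout (not Splunk's real log format), flags outbound connections from the Splunk host that are not on an allowlist of expected destinations, and reports users whose API calls arrive in a burst (a sliding window of `threshold` calls within `window_seconds`). Hostnames, the allowlist and the thresholds are assumptions to be replaced with the deployment's own values.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Tuple

Record = Tuple[datetime, str, str]

# Hypothetical allowlist of destinations the Splunk host is expected to talk to
# (indexers, license master, configured outputs). A real list comes from the deployment.
EXPECTED_DESTINATIONS = {
    "idx-01.example.internal",
    "idx-02.example.internal",
    "license.example.internal",
}

# Constructed egress records: "timestamp source destination". Hypothetical format.
SAMPLE_EGRESS_LOG = """\
2025-10-02T03:50:01Z sh-01 idx-01.example.internal
2025-10-02T03:50:02Z sh-01 license.example.internal
2025-10-02T03:50:09Z sh-01 unknown-host.example
2025-10-02T03:50:10Z sh-01 10.20.30.40
"""

# Constructed REST request records: "timestamp user endpoint". Hypothetical format.
SAMPLE_API_LOG = """\
2025-10-02T03:50:08Z admin /services/server/info
2025-10-02T03:50:09Z admin /services/authentication/users
2025-10-02T03:50:09Z admin /services/saved/searches
2025-10-02T03:50:10Z admin /services/data/inputs/http
2025-10-02T03:51:30Z analyst /services/search/jobs
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_records(text: str) -> List[Record]:
    """Parse 'timestamp subject object' lines; malformed lines are skipped, not fatal."""
    records: List[Record] = []
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue
        ts = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%SZ")
        records.append((ts, match.group(2), match.group(3)))
    return records


def _is_ip_literal(dst: str) -> bool:
    try:
        ipaddress.ip_address(dst)
        return True
    except ValueError:
        return False


def unexpected_destinations(records: List[Record],
                            allowlist=EXPECTED_DESTINATIONS) -> List[Tuple[datetime, str, str, str]]:
    """Flag egress records whose destination is not an expected, configured peer.
    Raw IP literals get their own reason: a Splunk host normally reaches peers by name."""
    flagged = []
    for ts, src, dst in records:
        if dst in allowlist:
            continue
        reason = "raw IP literal not in allowlist" if _is_ip_literal(dst) else "not in allowlist"
        flagged.append((ts, src, dst, reason))
    return flagged


def burst_users(records: List[Record], window_seconds: int = 5,
                threshold: int = 3) -> Dict[str, datetime]:
    """Return {user: time the burst was first detected} for users issuing at least
    `threshold` API calls inside any `window_seconds` window (sliding-window count)."""
    per_user: Dict[str, Deque[datetime]] = defaultdict(deque)
    bursts: Dict[str, datetime] = {}
    for ts, user, _endpoint in records:
        window = per_user[user]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and user not in bursts:
            bursts[user] = ts
    return bursts


if __name__ == "__main__":
    for ts, src, dst, reason in unexpected_destinations(parse_records(SAMPLE_EGRESS_LOG)):
        print(f"{ts.isoformat()} {src} -> {dst}: {reason}")
    for user, ts in burst_users(parse_records(SAMPLE_API_LOG)).items():
        print(f"{ts.isoformat()} burst of API calls by {user}")
```

Correlating the two outputs (a burst of high-privilege API calls within seconds of an unexpected egress connection from the same host) is the combination the detection ideas above point at; each heuristic on its own will also fire on legitimate configuration changes, so the allowlist and thresholds need tuning per deployment.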

Mitigation and prioritisation

  • Patch affected build lines to the fixed releases: 10.0.1, 9.4.4, 9.3.6 or 9.2.8 and later (and the corresponding Splunk Cloud Platform patch levels)
  • Enforce network egress controls and restrict internal REST API access
  • Deploy web/app layer controls to validate outbound requests and block SSRF patterns
  • Implement stricter access for admin accounts; enable MFA and session monitoring
  • Change-management: plan staged rollout, test compatibility, verify API and dashboard integrity post-patch

Note: treat as priority 1 if an EPSS or KEV indicator appears in updates; otherwise proceed with standard urgent remediation.
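Deciding which hosts the patching step applies to is easy to get wrong by hand because the Enterprise lines (9.3.x) and the Cloud lines (9.3.2411.x) share a prefix. The script below is an added example, not part of the advisory or of any Splunk tooling: it transcribes the version table above into affected-line/fixed-build pairs, matches a version to the most specific line, and triages a constructed inventory (hypothetical hostnames and versions). A version on a line the advisory does not list (for example 9.1.x) is reported as "unlisted" rather than "fixed", since the advisory says nothing about it.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Affected line -> first fixed build, transcribed from the advisory's version table.
AFFECTED_LINES: Dict[Version, Version] = {
    # Splunk Enterprise
    (10, 0): (10, 0, 1),
    (9, 4): (9, 4, 4),
    (9, 3): (9, 3, 6),
    (9, 2): (9, 2, 8),
    # Splunk Cloud Platform
    (9, 3, 2411): (9, 3, 2411, 109),
    (9, 3, 2408): (9, 3, 2408, 119),
    (9, 2, 2406): (9, 2, 2406, 122),
}


def parse_version(text: str) -> Version:
    """Parse '9.3.5' or '9.3.2411.108' into a tuple of ints. Anything that is not
    purely dotted digits is rejected so a malformed value is never compared as 'safe'."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_affected(version_text: str) -> Optional[bool]:
    """True if the version is below the fix for its line, False if at or above it,
    None if the advisory lists no line for it (treat as 'check separately')."""
    version = parse_version(version_text)
    # A Cloud build such as 9.3.2411.50 matches both the (9, 3) Enterprise line and the
    # (9, 3, 2411) Cloud line; the longest matching prefix is the right one.
    matches = [line for line in AFFECTED_LINES if version[:len(line)] == line]
    if not matches:
        return None
    line = max(matches, key=len)
    return version < AFFECTED_LINES[line]


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (host, version) pairs into affected / fixed / unlisted for prioritisation."""
    groups: Dict[str, List[str]] = {"affected": [], "fixed": [], "unlisted": []}
    for host, version_text in inventory:
        verdict = is_affected(version_text)
        key = "unlisted" if verdict is None else ("affected" if verdict else "fixed")
        groups[key].append(host)
    return groups


# Constructed sample inventory; hostnames and versions are hypothetical.
SAMPLE_INVENTORY = [
    ("sh-01.example.internal", "9.4.3"),
    ("idx-01.example.internal", "9.4.4"),
    ("cloud-stack.example", "9.3.2411.108"),
    ("legacy.example.internal", "9.1.7"),
]

if __name__ == "__main__":
    for group, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{group}: {', '.join(hosts) or '-'}")
```

Feed it the versions reported by each instance (for example from an asset inventory export) and patch the "affected" group first; the "unlisted" group needs a separate lifecycle check rather than being assumed safe.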
