Splunk has disclosed six security vulnerabilities affecting multiple versions of Splunk Enterprise and Splunk Cloud Platform. Depending on the flaw, an attacker could execute JavaScript in other users' browsers, read sensitive search results, trigger server-side requests, or deny service to an instance.
The advisories, published on October 1, 2025, mostly concern components of Splunk Web, and the affected versions are widely deployed, so organizations running the platform should review them promptly.
Cross-Site Scripting Vulnerabilities
Two of the vulnerabilities are cross-site scripting (XSS) flaws that allow JavaScript chosen by an attacker to run in the browser of another Splunk Web user.
CVE-2025-20367 is a reflected XSS vulnerability in the /app/search/table endpoint, rated CVSS 5.7.
A low-privileged user who does not hold the admin or power role could craft a malicious payload in the dataset.command parameter. Because the flaw is reflected, the victim has to open an attacker-supplied URL; the script then runs in the victim's session, where it could steal session data and other sensitive information.
CVE-2025-20368 is a stored XSS vulnerability in the "missing field" warning messages shown in Saved Search and Job Inspector functionality, also rated CVSS 5.7.
An attacker can plant malicious JavaScript in the error messages and job inspection details of a saved search. Unlike the reflected case, the payload persists on the server and fires for every user who later views the affected saved search or inspects its job.
Access Control Vulnerability
CVE-2025-20366 is an improper access control vulnerability in the background job submission functionality, rated CVSS 6.5. A low-privileged user who guesses the Search ID (SID) of an administrative search job running in the background can read that job's results.
Any user who successfully enumerates a valid SID could therefore see confidential data and search analytics that their role should not expose.
Server-Side Request Forgery
The most severe vulnerability in this batch is CVE-2025-20371, an unauthenticated blind server-side request forgery (SSRF) vulnerability with a CVSS score of 7.5.
An unauthenticated attacker could trigger the SSRF to make REST API calls that run with the privileges of an authenticated, high-privileged user.
Exploitation requires the enableSplunkWebClientNetloc setting in web.conf to be enabled, and it likely depends on social engineering: the victim's browser must be induced to initiate the request.
Additional Security Concerns
CVE-2025-20369 is an XML External Entity (XXE) injection vulnerability in dashboard label fields, rated CVSS 4.6. A low-privileged user could supply a label containing an XXE payload, which may result in denial of service against the Splunk instance.
CVE-2025-20370 is a denial-of-service vulnerability triggered by multiple LDAP bind requests, with a CVSS score of 4.9.
A user holding a role with the change_authentication capability could send repeated LDAP bind requests to internal endpoints, driving CPU usage high and potentially leaving the Splunk Enterprise instance unavailable until it is restarted.
Every one of these vulnerabilities affects Splunk Enterprise 9.4.x below 9.4.4, 9.3.x below 9.3.6, and 9.2.x below 9.2.8; some also affect version 10.0.0. Splunk Cloud Platform installations below specific build numbers are also vulnerable. Organizations should upgrade to the following fixed versions as soon as possible:
- Splunk Enterprise: 10.0.1, 9.4.4, 9.3.6, 9.2.8, or higher.
- Splunk Cloud Platform: Splunk is patching instances automatically; customers should confirm their build number against the advisories.
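The fixed versions above are per release train, so a plain "is my version number bigger" comparison gets it wrong: 9.4.3 is numerically above 9.3.6 yet is still vulnerable, because the 9.4 train is only fixed from 9.4.4. The following check, an added example that is not part of the original article or of any Splunk tooling, encodes the four fixed releases listed above and classifies a version string. Versions from trains the advisory does not list (for example 9.1.x) are reported as "unlisted" rather than guessed at; the `splunk version` output format assumed by `status_from_cli_output` ("Splunk 9.4.3 (build ...)") is an assumption, and the sample strings are constructed.

```python
import re

# Fixed releases named in the advisory summary: 10.0.1, 9.4.4, 9.3.6, 9.2.8 "or higher".
# Keyed by release train (major, minor) because each train has its own fix.
FIXED_BY_TRAIN = {
    (10, 0): (10, 0, 1),
    (9, 4): (9, 4, 4),
    (9, 3): (9, 3, 6),
    (9, 2): (9, 2, 8),
}
HIGHEST_FIXED = max(FIXED_BY_TRAIN.values())


def parse_version(version):
    """Turn '9.4.3' (or '9.4.3.1') into a 3-tuple of ints; extra components are ignored."""
    parts = version.strip().split(".")
    nums = []
    for part in parts[:3]:
        if not part.isdigit():
            raise ValueError(f"not a Splunk version string: {version!r}")
        nums.append(int(part))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def patch_status(version):
    """Classify a Splunk Enterprise version against the October 2025 fixed releases.

    Returns:
      'patched'    - at or above the fixed release for its train, or above every listed fix
      'vulnerable' - in a listed train but below that train's fixed release
                     (affected by at least one of the six CVEs)
      'unlisted'   - a train the advisory lists no fix for; upgrade to a listed release
    """
    v = parse_version(version)
    train = v[:2]
    if train in FIXED_BY_TRAIN:
        return "patched" if v >= FIXED_BY_TRAIN[train] else "vulnerable"
    if v > HIGHEST_FIXED:
        # Covered by the advisory's "or higher" wording (e.g. a future 10.1.x release).
        return "patched"
    return "unlisted"


def status_from_cli_output(output):
    """Classify the first line of `splunk version` output.

    Assumes the format 'Splunk 9.4.3 (build <hash>)'; adjust the regex if your
    deployment prints something else.
    """
    match = re.search(r"Splunk\s+(\d+(?:\.\d+)+)", output)
    if not match:
        raise ValueError(f"could not find a version in: {output!r}")
    return patch_status(match.group(1))


if __name__ == "__main__":
    # Constructed sample output, not captured from a real host.
    sample = "Splunk 9.4.3 (build 0000000000)"
    print(sample, "->", status_from_cli_output(sample))
```

Run the script on each search head, indexer and forwarder in scope, or feed it the output of `splunk version` collected by your configuration management tool. Anything classified as "vulnerable" or "unlisted" goes on the upgrade list.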
Mitigations
For organizations that cannot upgrade immediately, Splunk recommends disabling Splunk Web as a temporary workaround for most of the vulnerabilities; this removes the web interface entirely, so it suits instances that are only reached through the CLI or REST API, such as indexers and forwarders.
The SSRF vulnerability can be mitigated by setting enableSplunkWebClientNetloc to false in web.conf. The LDAP denial-of-service vulnerability can be addressed by removing the change_authentication capability from any role that does not need it; note that roles can also acquire the capability indirectly through importRoles, so check inherited capabilities as well as direct grants.
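Before and after applying the workarounds, it helps to audit the two settings mechanically rather than by eye. The script below is an added example, not from the article or from Splunk: it parses web.conf text to report whether Splunk Web is running and whether enableSplunkWebClientNetloc is on, and parses authorize.conf text to list every role that holds change_authentication, following importRoles so that inherited grants are not missed. The conf samples are constructed; a weak web.conf is shown beside a hardened one. The role names and the stanza layout follow Splunk's conf format, but the specific roles are hypothetical.

```python
import configparser

# Constructed web.conf samples (not from the page or a real deployment).
# Weak: Splunk Web on and the SSRF-enabling setting turned on.
WEAK_WEB_CONF = """
[settings]
startwebserver = 1
enableSplunkWebClientNetloc = true
"""

# Hardened: same stanza with the SSRF-enabling setting turned off.
HARDENED_WEB_CONF = """
[settings]
startwebserver = 1
enableSplunkWebClientNetloc = false
"""

# Workaround for most of the CVEs: Splunk Web disabled altogether.
WEB_DISABLED_CONF = """
[settings]
startwebserver = 0
"""

# Constructed authorize.conf sample with hypothetical roles. 'helpdesk' does not
# grant change_authentication directly but inherits it through importRoles.
SAMPLE_AUTHORIZE_CONF = """
[role_auth_ops]
change_authentication = enabled

[role_helpdesk]
importRoles = auth_ops;analyst

[role_analyst]
search = enabled
"""

# Spellings Splunk accepts for a true boolean in .conf files.
TRUE_VALUES = {"1", "true", "t", "yes", "y", "on"}


def load_conf(text):
    """Parse Splunk .conf text. Keys keep their case; '$' is not interpolated."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def splunk_web_enabled(web_conf_text):
    """True if Splunk Web would start (startwebserver defaults to 1)."""
    conf = load_conf(web_conf_text)
    value = conf.get("settings", "startwebserver", fallback="1")
    return value.strip().lower() in TRUE_VALUES


def web_client_netloc_enabled(web_conf_text):
    """True if enableSplunkWebClientNetloc is on, the precondition for CVE-2025-20371."""
    conf = load_conf(web_conf_text)
    value = conf.get("settings", "enableSplunkWebClientNetloc", fallback="false")
    return value.strip().lower() in TRUE_VALUES


def roles_with_capability(authorize_conf_text, capability):
    """Return the sorted role names that hold `capability`, directly or via importRoles."""
    conf = load_conf(authorize_conf_text)
    roles = {name[len("role_"):]: conf[name]
             for name in conf.sections() if name.startswith("role_")}
    direct = {name for name, stanza in roles.items()
              if stanza.get(capability, "").strip().lower() == "enabled"}

    def holds(name, seen):
        if name in direct:
            return True
        if name in seen or name not in roles:
            return False
        seen.add(name)
        imports = [r.strip() for r in roles[name].get("importRoles", "").split(";")]
        return any(holds(r, seen) for r in imports if r)

    return sorted(name for name in roles if holds(name, set()))


if __name__ == "__main__":
    print("weak web.conf: netloc on =", web_client_netloc_enabled(WEAK_WEB_CONF))
    print("hardened web.conf: netloc on =", web_client_netloc_enabled(HARDENED_WEB_CONF))
    print("change_authentication holders:",
          roles_with_capability(SAMPLE_AUTHORIZE_CONF, "change_authentication"))
```

Point the functions at the merged configuration rather than a single local file: `splunk btool web list settings --debug` and `splunk btool authorize list --debug` print the effective stanzas with the file each value came from, which matters because the stock admin role receives change_authentication from the system default authorize.conf and will not appear in a local override file.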
Taken together, these advisories are a reminder to keep Splunk current and to layer defenses rather than rely on patching alone: several of the flaws are only reachable by users who already hold a particular role or capability.
Organizations should prioritize upgrading their Splunk installations and, while the upgrade is scheduled, review role assignments and the web.conf settings above to shrink the exposed attack surface.