Splunk Fixes Six Flaws, Including Unauthenticated SSRF and XSS Vulnerabilities in Enterprise Platform

Splunk has released a series of advisories addressing six vulnerabilities in Splunk Enterprise and Splunk Cloud Platform, ranging from medium to high severity. The flaws span improper access control, multiple forms of cross-site scripting (XSS), XML external entity (XXE) injection, denial-of-service (DoS) through LDAP misuse, and a high-severity server-side request forgery (SSRF).

CVE-2025-20366 (CVSS 6.5) – Improper Access Control in Background Job Submission

The first advisory (SVD-2025-1001) details how “a low-privileged user that does not hold the ‘admin’ or ‘power’ Splunk roles could access sensitive search results if Splunk Enterprise runs an administrative search job in the background.” By guessing the unique Search ID (SID), attackers could retrieve sensitive search results.

Fix: Upgrade to Splunk Enterprise 9.4.4, 9.3.6, or 9.2.8, or latest Splunk Cloud patches.

CVE-2025-20367 (CVSS 5.7) – Reflected Cross-Site Scripting (XSS)

In advisory SVD-2025-1002, Splunk disclosed that attackers could craft malicious payloads via the /app/search/table endpoint. The advisory warns: “a low-privileged user… could craft a malicious payload through the dataset.command parameter … resulting in execution of unauthorized JavaScript code in the browser of a user.”

Fix: Same patch versions as above for Enterprise and Cloud.

CVE-2025-20368 (CVSS 5.7) – Stored Cross-Site Scripting (XSS) in Saved Searches

Advisory SVD-2025-1003 highlights another XSS flaw: “a low privileged user … could craft a malicious payload through the error messages and job inspection details of a saved search.” This stored XSS could persistently affect multiple users reviewing saved search data.

Fix: Upgrade to patched versions of Splunk Enterprise and Cloud.

CVE-2025-20369 (CVSS 4.6) – XML External Entity Injection (XXE)

Advisory SVD-2025-1004 describes an XXE injection in the dashboard tab label field. According to Splunk: “a low privilege user … could perform an XML external entity (XXE) injection … with the potential to cause denial of service (DoS) attacks.”

Fix: Upgrade to Splunk Enterprise 9.4.4 or higher, and Cloud hotfixes.

CVE-2025-20370 (CVSS 4.9) – DoS via Multiple LDAP Bind Requests

In SVD-2025-1005, Splunk identified a DoS risk caused by excessive LDAP bind requests: “a user who holds a role that contains the high-privilege capability change_authentication could send multiple LDAP bind requests … resulting in high server CPU usage.” This could crash the instance until restarted.

Fix: Upgrade to 10.0.1, 9.4.4, 9.3.6, or 9.2.8, or remove the change_authentication capability from user roles.

CVE-2025-20371 (CVSS 7.5) – Unauthenticated Blind SSRF

The most severe of the six, SVD-2025-1006, covers a blind SSRF flaw: “an unauthenticated attacker could trigger a blind server-side request forgery (SSRF), potentially letting an attacker perform REST API calls on behalf of an authenticated high-privileged user.”

The advisory notes that the exploit requires the enableSplunkWebClientNetloc setting to be enabled and may involve phishing: “the attacker likely has to phish the victim by tricking them into initiating a request from their browser.”

Fix: Upgrade to patched versions or set enableSplunkWebClientNetloc to false in web.conf.

Fixes and Upgrade Guidance

Splunk customers are strongly urged to update their deployments. While some of the flaws require low-privileged or authenticated users, the blind SSRF (CVE-2025-20371) poses a serious risk of privilege abuse and lateral movement.
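The following audit script is an added example, not code from Splunk or from the advisories. It turns the guidance above into three checks: whether an installed Splunk Enterprise build is at or above the fixed release for its branch (using the versions the article lists: 10.0.1, 9.4.4, 9.3.6 and 9.2.8, assumed here to cover all six CVEs; confirm per CVE against each SVD advisory), whether web.conf still has enableSplunkWebClientNetloc enabled (the SSRF precondition from SVD-2025-1006), and which roles in authorize.conf hold the change_authentication capability, directly or through importRoles inheritance (the SVD-2025-1005 workaround). The sample .conf contents are constructed, the function names are this example's own, and the parser relies on Splunk's documented INI-style stanza format (`[settings]`, `[role_<name>]`, `<capability> = enabled`, semicolon-separated `importRoles`).

```python
"""Audit helpers for the Splunk advisories above (added example, not Splunk code)."""
import configparser
from typing import Dict, List, Set, Tuple

# Fixed Splunk Enterprise releases named in the article, keyed by release branch.
# Assumption: the lowest fixed release per branch covers all six CVEs; verify each
# CVE's fixed version against its SVD advisory before relying on this table.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (10, 0): (10, 0, 1),
    (9, 4): (9, 4, 4),
    (9, 3): (9, 3, 6),
    (9, 2): (9, 2, 8),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """'9.3.4' or '9.3.4.1' (build suffix) -> (9, 3, 4)."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_patched(installed: str) -> bool:
    """True when the installed build is at or above its branch's fixed release.
    Branches absent from the table (e.g. 9.1.x) are reported unpatched for manual review."""
    v = parse_version(installed)
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    return fixed is not None and v >= fixed


def load_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk's INI-style .conf text; setting names are case-sensitive."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.optionxform = str  # keep 'enableSplunkWebClientNetloc' and capability names as written
    cp.read_string(text)
    return cp


def netloc_setting_state(web_conf_text: str) -> str:
    """CVE-2025-20371 workaround (SVD-2025-1006): enableSplunkWebClientNetloc in [settings].
    Returns 'enabled', 'disabled' or 'unset'. 'unset' means the layered default applies,
    so check the merged config (e.g. `splunk btool web list`) instead of assuming it is safe."""
    cp = load_conf(web_conf_text)
    if not cp.has_option("settings", "enableSplunkWebClientNetloc"):
        return "unset"
    value = (cp.get("settings", "enableSplunkWebClientNetloc") or "").strip().lower()
    return "enabled" if value in ("true", "t", "1", "yes", "y") else "disabled"


def roles_with_capability(authorize_conf_text: str, capability: str) -> List[str]:
    """Roles holding `capability` directly or through importRoles inheritance.
    Used for the CVE-2025-20370 workaround (SVD-2025-1005): change_authentication."""
    cp = load_conf(authorize_conf_text)
    direct: Set[str] = set()
    imports: Dict[str, List[str]] = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        role = section[len("role_"):]
        if (cp.get(section, capability, fallback="") or "").strip().lower() == "enabled":
            direct.add(role)
        raw = cp.get(section, "importRoles", fallback="") or ""
        imports[role] = [r.strip() for r in raw.split(";") if r.strip()]
    holders: Set[str] = set()
    for role in imports:  # walk each role's inheritance chain (cycle-safe)
        stack, seen = [role], set()
        while stack:
            cur = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            if cur in direct:
                holders.add(role)
                break
            stack.extend(imports.get(cur, []))
    return sorted(holders)


# Constructed sample files; not taken from any real deployment.
SAMPLE_WEB_CONF = "[settings]\nenableSplunkWebClientNetloc = true\n"
SAMPLE_AUTHORIZE_CONF = """\
[role_helpdesk]
importRoles = user

[role_authadmin]
change_authentication = enabled

[role_sso_ops]
importRoles = authadmin;user
"""


def audit(installed_version: str, web_conf_text: str, authorize_conf_text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to act on."""
    findings: List[str] = []
    if not is_patched(installed_version):
        findings.append(f"Splunk {installed_version}: below the fixed release for its branch (or unknown branch)")
    if netloc_setting_state(web_conf_text) == "enabled":
        findings.append("web.conf: enableSplunkWebClientNetloc is true (SSRF precondition, CVE-2025-20371)")
    for role in roles_with_capability(authorize_conf_text, "change_authentication"):
        findings.append(f"authorize.conf: role '{role}' holds change_authentication (CVE-2025-20370)")
    return findings


if __name__ == "__main__":
    for line in audit("9.3.4", SAMPLE_WEB_CONF, SAMPLE_AUTHORIZE_CONF):
        print(line)
```

Run it against the merged configuration rather than a single file: roles such as admin are defined in etc/system/default and inherited through several layers, so feed the output of `splunk btool authorize list` and `splunk btool web list` to the functions instead of one local .conf. The role check walks importRoles transitively because a role that never names change_authentication itself still holds it if any ancestor does, which is exactly the case a quick grep misses.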
