Critical Splunk Vulnerabilities Patched: Ensure Your Security Against Unauthorized Code


Overview of Critical Splunk Vulnerabilities

Splunk has patched a remote code execution (RCE) vulnerability, rated High severity, that affected both Splunk Enterprise and Splunk Cloud Platform. Designated CVE-2025-20229, the flaw allowed a low-privileged user to execute arbitrary code on the Splunk instance by uploading a malicious file.

Details of the Splunk RCE Vulnerability

The security flaw was present in various versions of Splunk Enterprise and Splunk Cloud Platform. Specifically, versions of Splunk Enterprise prior to 9.3.3, 9.2.5, and 9.1.8, and Splunk Cloud Platform prior to 9.3.2408.104, 9.2.2406.108, 9.2.2403.114, and 9.1.2312.208 were vulnerable.

The flaw was a missing authorization check: a low-privileged user who does not hold the “admin” or “power” Splunk roles could achieve remote code execution by uploading a file to the “$SPLUNK_HOME/var/run/splunk/apptemp” directory. The vulnerability carries a CVSSv3.1 base score of 8.0 (High).

Proactive Remediation Steps

To remediate this vulnerability, upgrade Splunk Enterprise to 9.3.3, 9.2.5 or 9.1.8 (or later on the same release line) and confirm the running version afterwards, since a search head and its indexers may sit on different lines. Full version details are on Splunk’s official advisory page. For Splunk Cloud Platform, Splunk is actively monitoring and patching customer instances.

Additional Vulnerability in Splunk Secure Gateway App

Alongside the RCE vulnerability, Splunk disclosed a separate issue in the Splunk Secure Gateway app. Identified as CVE-2025-20231, it allowed a low-privileged user to run a search with the permissions of a higher-privileged user, disclosing data that the lower-privileged role should not have been able to read.

Affected and Secure Versions

  • Splunk Enterprise Affected Versions: 9.4.0, 9.3.0-9.3.2, 9.2.0-9.2.4, 9.1.0-9.1.7
  • Splunk Enterprise Secure Versions: 9.4.1, 9.3.3, 9.2.5, 9.1.8
  • Splunk Cloud Platform Affected Versions: 9.3.2408.103 and below, 9.2.2406.107 and below, and the older release lines below the fixed builds named in the advisory
  • Splunk Cloud Platform Secure Versions: the fixed builds listed in Splunk’s official advisory
  • Splunk Secure Gateway App: versions below 3.8.38 and 3.7.23 are vulnerable
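Because each maintained release line gets its own fixed build, a naive “is my version newer than 9.3.3?” comparison gives wrong answers: 9.2.4 must be compared with 9.2.5, 9.4.0 is not affected by CVE-2025-20229 at all but needs 9.4.1 for CVE-2025-20231, and Cloud Platform lines differ in their third component (9.2.2403 versus 9.2.2406). The script below is an added example written for this page, not Splunk tooling; it encodes the fixed builds named in the two advisories (the 9.4 line is fixed in 9.4.1 for CVE-2025-20231) and reports which CVEs a given component is still exposed to. The component names and the sample version strings are assumptions for the illustration.

```python
import re

# Fixed builds per release line, from the Splunk advisories summarised above.
# A release line is identified by the leading version components: two for
# Splunk Enterprise and the Secure Gateway app (9.3.x), three for Splunk Cloud
# Platform (9.2.2403.x and 9.2.2406.x are separate lines with separate fixes).
FIXED_BUILDS = {
    "CVE-2025-20229": {
        "enterprise": ("9.1.8", "9.2.5", "9.3.3"),
        "cloud": ("9.1.2312.208", "9.2.2403.114", "9.2.2406.108", "9.3.2408.104"),
    },
    "CVE-2025-20231": {
        "enterprise": ("9.1.8", "9.2.5", "9.3.3", "9.4.1"),
        "secure_gateway": ("3.7.23", "3.8.38"),
    },
}
LINE_COMPONENTS = {"enterprise": 2, "cloud": 3, "secure_gateway": 2}

_VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_version(text: str) -> tuple[int, ...]:
    """Extract the first dotted numeric version from text such as the output of
    `splunk version` ('Splunk 9.3.1 (build ...)') and return it as an int tuple."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group().split("."))


def is_fixed(installed: str, fixed_builds: tuple[str, ...], line_len: int) -> bool:
    """True if `installed` is at or above the fixed build for its own release line.

    A line newer than every listed fix (9.4.x for CVE-2025-20229) is treated as
    not affected; a line older than every listed fix (for example 9.0.x) never
    received a patch and is treated as still vulnerable.
    """
    inst = parse_version(installed)
    line = inst[:line_len]
    fixes = [parse_version(f) for f in fixed_builds]
    same_line = [f for f in fixes if f[:line_len] == line]
    if same_line:
        return inst >= same_line[0]  # one fixed build per line
    return all(line > f[:line_len] for f in fixes)


def exposure(versions: dict[str, str]) -> dict[str, list[str]]:
    """Map each supplied component ('enterprise', 'cloud', 'secure_gateway') to
    the CVEs whose fixed build it has not yet reached."""
    report: dict[str, list[str]] = {}
    for component, installed in versions.items():
        report[component] = [
            cve
            for cve, per_component in FIXED_BUILDS.items()
            if component in per_component
            and not is_fixed(installed, per_component[component], LINE_COMPONENTS[component])
        ]
    return report


if __name__ == "__main__":
    # Constructed sample input (hypothetical values): the output of `splunk version`
    # on a search head and the `version` key from the Secure Gateway app's app.conf.
    sample = {
        "enterprise": "Splunk 9.4.0 (build 000000000000)",
        "secure_gateway": "3.8.37",
    }
    for component, cves in exposure(sample).items():
        print(f"{component}: {', '.join(cves) if cves else 'up to date'}")
```

Feed it the output of `$SPLUNK_HOME/bin/splunk version` from every search head and indexer, plus the `version` value under `[launcher]` in the Secure Gateway app’s `default/app.conf`; the app can be upgraded independently of Splunk Enterprise, so check it separately rather than inferring its version from the platform version.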

Recommended Security Measures

Users are urged to upgrade to the fixed versions noted above. If upgrading cannot happen immediately and the Splunk Secure Gateway app is not in use, disabling the app removes the exposure to CVE-2025-20231, but it also breaks features that depend on it, such as Splunk Mobile. Disabling the app does nothing for CVE-2025-20229, which lives in the platform itself, so the platform upgrade remains the only complete fix.

Splunk advises customers to keep their deployments on supported, patched releases. For the full list of affected and fixed versions, visit Splunk’s Advisory Portal.


Last Updated: March 27, 2025