Splunk has released a series of vulnerability advisories for July 2025. These advisories, identified as SVD-2025-0701 through SVD-2025-0712, cover security updates and address several vulnerabilities across Splunk's product suite. Below, we provide an overview of each advisory, its impact, and recommended actions for Splunk administrators and security professionals.
SVD-2025-0712 and SVD-2025-0711: Third-Party Package Updates
- Severity: Critical
Splunk SOAR and Splunk Universal Forwarder have both received critical updates to their bundled third-party packages. These updates address multiple vulnerabilities (CVEs) discovered in underlying libraries and dependencies. While no active exploits have been reported, administrators are strongly encouraged to apply these updates promptly to maintain a secure environment and reduce the attack surface.
SVD-2025-0712: Third-Party Package Updates in Splunk SOAR
- Scope: This advisory covers multiple vulnerabilities identified in third-party libraries included with Splunk SOAR.
- Risk: The vulnerabilities addressed may range in severity and could enable attackers to exploit issues such as privilege escalation, information disclosure, or remote code execution if left unpatched.
- Action Required: Splunk SOAR users should promptly apply the latest updates to ensure all bundled components are secure.
SVD-2025-0711: Third-Party Package Updates in Splunk Universal Forwarder
- Scope: This advisory details updates to third-party packages within Splunk Universal Forwarder, addressing multiple CVEs.
- Risk: Vulnerabilities in these packages may expose systems to various risks, including security bypass, data leakage, or potential system compromise.
- Action Required: Administrators are advised to update Splunk Universal Forwarder to the latest version to remediate these vulnerabilities.
SVD-2025-0710: Third-Party Package Updates in Splunk Enterprise
- CVE IDs: Multiple
- Severity: Critical
Multiple vulnerabilities were identified in third-party libraries used by Splunk Enterprise. The affected components and their CVEs are summarized below. Individual ratings range from Low to Critical, and the issues could expose systems to privilege escalation, information disclosure, or remote code execution if left unpatched.
Affected Packages and CVEs
| Package | Upgraded Version | CVE(s) | Severity |
|---|---|---|---|
| setuptools | 70.0.0 | CVE-2024-6345 | High |
| golang.org/x/crypto | 0.36.0 / 0.37.0 | CVE-2025-22869, CVE-2024-45337, multiple | High / Critical |
| golang.org/x/net | 0.37.0 / 0.39.0 | CVE-2024-45338 | Medium |
| golang | 1.24.0 / 1.24.2 | Multiple | High |
| Beaker | 1.12.1 | CVE-2013-7489 | Medium |
| azure-storage-blob | 12.13.0 | CVE-2022-30187 | Medium |
| OpenSSL | 1.0.2zl | CVE-2024-13176, CVE-2024-9143 | Low / Informational |
| libcurl | 8.11.1 | CVE-2024-0853, CVE-2024-2398, multiple | High |
Impact
- Risk Exposure: The vulnerabilities addressed may enable attackers to exploit issues such as privilege escalation, information disclosure, or remote code execution.
- Severity: The advisory covers CVEs rated from Low to Critical, underscoring the importance of timely updates.
Affected Products and Versions
| Product | Base Version | Affected Versions | Fixed Version |
|---|---|---|---|
| Splunk Enterprise | 9.4 | 9.4.0 to 9.4.2 | 9.4.3 |
| Splunk Enterprise | 9.3 | 9.3.0 to 9.3.4 | 9.3.5 |
| Splunk Enterprise | 9.2 | 9.2.0 to 9.2.6 | 9.2.7 |
| Splunk Enterprise | 9.1 | 9.1.0 to 9.1.9 | 9.1.10 |
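The fixed-version lists on this page are the first patched build of each branch, so "am I affected?" means comparing against the fix for your own branch, numerically rather than as strings. The following Python script is an added example written for this article, not Splunk tooling. The Splunk Enterprise tuple is the list shared by the table above and by SVD-2025-0702/0703/0704; the Splunk Cloud Platform tuples are the two per-advisory lists given in the SVD-2025-0704 and SVD-2025-0703 sections further down. Function names and the sample inputs are made up for illustration.

```python
"""Compare an installed Splunk version with the fixed versions an advisory
lists.  Added example for this page, not Splunk tooling.

The fixed-version tuples are copied from the page: the Splunk Enterprise
list (9.4.3, 9.3.5, 9.2.7, 9.1.10) and the per-advisory Splunk Cloud
Platform lists from the SVD-2025-0704 and SVD-2025-0703 sections.
Function names and the sample inputs are made up for illustration.
"""
from __future__ import annotations

ENTERPRISE_FIXED = ("9.4.3", "9.3.5", "9.2.7", "9.1.10")
CLOUD_FIXED = {
    "SVD-2025-0704": ("9.3.2411.104", "9.3.2408.114", "9.2.2406.119"),
    "SVD-2025-0703": ("9.3.2411.107", "9.3.2408.117", "9.2.2406.121"),
}


def parse_version(v: str) -> tuple[int, ...]:
    """'9.3.2408.114' -> (9, 3, 2408, 114).  Numeric tuples compare correctly
    where strings do not ('9.1.10' < '9.1.9' as text, but not as a version)."""
    return tuple(int(part) for part in v.strip().split("."))


def assess(installed: str, fixed: tuple[str, ...], branch_depth: int) -> dict:
    """Classify one build against one advisory's fixed-version list.

    Each entry in `fixed` is the first patched build of its branch, so a
    build is compared only with the fix for its own branch: the first two
    components for Enterprise (9.4.x, 9.3.x, ...), the first three for
    Cloud (9.3.2411.x, 9.3.2408.x, ...).  A build on a branch the advisory
    does not list is reported as 'unlisted', not as 'fixed': not mentioned
    is not the same as patched.
    """
    inst = parse_version(installed)
    fixes = {parse_version(f)[:branch_depth]: parse_version(f) for f in fixed}
    fix = fixes.get(inst[:branch_depth])
    if fix is None:
        return {"status": "unlisted", "fixed_in": None}
    return {
        "status": "affected" if inst < fix else "fixed",
        "fixed_in": ".".join(map(str, fix)),
    }


def assess_enterprise(installed: str) -> dict:
    return assess(installed, ENTERPRISE_FIXED, branch_depth=2)


def assess_cloud(installed: str, advisory: str) -> dict:
    return assess(installed, CLOUD_FIXED[advisory], branch_depth=3)


if __name__ == "__main__":
    for v in ("9.3.4", "9.3.5", "9.1.10", "9.0.9"):
        print(f"Enterprise {v}: {assess_enterprise(v)}")
    # The same Cloud build can be patched for one advisory and not another.
    for advisory in CLOUD_FIXED:
        print(f"Cloud 9.3.2408.114 vs {advisory}: {assess_cloud('9.3.2408.114', advisory)}")
```

The Cloud example is the point worth noticing: build 9.3.2408.114 is the fix for SVD-2025-0704 but still below the 9.3.2408.117 that SVD-2025-0703 requires, so a single "latest fixed version" number per branch is not enough; check each advisory's list.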
SVD-2025-0709: Sensitive Information Disclosure in Clustered Deployments
- CVE: CVE-2025-20325
- Severity: Low (CVSS 3.1 Score: 3.1)
A vulnerability in Splunk Enterprise and Splunk Cloud Platform may expose the search head cluster secret key in the SHCConfig log channel when that channel's logging level is set to DEBUG. Exploitation requires either local access to the log files or administrative access to the internal indexes where they are indexed. Splunk recommends restricting access to sensitive logs and internal indexes to administrator-level roles only; after patching, also consider that any existing DEBUG-level logs or indexed copies may still hold the key.
SVD-2025-0708: Improper Access Control on Read-Only Alerts
- CVE: CVE-2025-20326
- Severity: Medium
An access control flaw in Splunk Enterprise allows low-privilege users to suppress certain read-only alerts. This could potentially hinder timely response to security incidents. Organizations should review user permissions and apply the latest patches to mitigate this risk.
SVD-2025-0707: Access Control Weakness in System Source Types Configuration
- CVE: CVE-2025-20324
- Severity: Medium
This vulnerability involves improper access controls in the configuration of system source types within Splunk Enterprise. Unauthorized users may be able to modify configurations, potentially impacting data integrity and system operations. Prompt patching and strict access management are advised.
SVD-2025-0706: Missing Access Control in Splunk Archiver App
- CVE: CVE-2025-20323
- Severity: Medium (CVSS 3.1 Score: 4.3)
The Splunk Archiver app was found to lack adequate access controls for saved searches, creating the risk of unauthorized access or modification. Splunk recommends updating to the latest version and reviewing saved search permissions.
SVD-2025-0705: Denial of Service via Cross-Site Request Forgery
- CVE: CVE-2025-20322
- Severity: Medium (CVSS 3.1 Score: 4.3)
A Cross-Site Request Forgery (CSRF) vulnerability in Splunk’s Search Head Cluster could allow an unauthenticated attacker to trigger a rolling restart, resulting in a temporary denial of service. Successful exploitation requires phishing an administrator-level user. Administrators should educate users on phishing risks and apply security updates.
SVD-2025-0704: CSRF Vulnerability Risks Search Head Cluster Stability
- CVE: CVE-2025-20321
- Severity: Medium (CVSS 3.1 Score: 6.5)
A CSRF vulnerability in Splunk Enterprise and Splunk Cloud Platform could allow an unauthenticated attacker to manipulate the membership state of a Search Head Cluster. By exploiting this flaw, an attacker could potentially remove the cluster captain or a member, leading to possible instability or downtime within the cluster.
Attack Prerequisites
- User Interaction Required: The attacker must trick an administrator-level user into initiating a malicious request from their authenticated browser session, typically through phishing or social engineering.
- No Direct Exploit: The attacker needs no account on the target (CVSS PR:N); the forged request is only accepted because the victim's browser attaches the administrator's session to it.
Potential Impact
- Cluster Disruption: Successful exploitation could result in the removal of key cluster members, including the captain, thereby affecting the availability and stability of the SHC.
- Service Availability: While there is no direct risk to data confidentiality or integrity, the vulnerability poses a significant threat to service uptime and operational continuity.
Affected Versions
- Splunk Enterprise: Versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10
- Splunk Cloud Platform: Versions below 9.3.2411.104, 9.3.2408.114, and 9.2.2406.119
CVSS v3.1 Details
- Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
- Base Score: 6.5 (Medium)
- Impact: High on availability; no impact on confidentiality or integrity.
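Both CSRF advisories (SVD-2025-0705 and SVD-2025-0704) rely on the same mechanic: a page on another origin can make the victim's browser send a request that carries the Splunk session cookie, but it cannot read that cookie or add a custom request header. That asymmetry is what Splunk Web's double-submit token relies on: state-changing requests must echo the value of the `splunkweb_csrf_token_<port>` cookie in an `X-Splunk-Form-Key` header. The check below is an added illustration of that pattern, not Splunk's code; the Request class, the port in the cookie name (8000), the request path and the token values are constructed for the example.

```python
"""Why a custom header defeats the CSRF described in SVD-2025-0704/0705.

Added example, not Splunk's code.  Splunk Web uses a double-submit token:
the browser must echo the value of its splunkweb_csrf_token_<port> cookie
in an X-Splunk-Form-Key request header.  A page on another origin can make
the victim's browser send the cookie, but it can neither read the cookie
nor attach the custom header, so a forged request arrives with the cookie
alone.  The Request class, the port in the cookie name (8000), the path and
the token values are constructed for illustration.
"""
import hmac
from dataclasses import dataclass, field

CSRF_COOKIE = "splunkweb_csrf_token_8000"
CSRF_HEADER = "x-splunk-form-key"          # compared case-insensitively
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must never change server state


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def csrf_ok(req: Request) -> bool:
    """Accept a state-changing request only if the header token equals the
    cookie token.  Both must be present; the comparison is constant-time so
    the token cannot be recovered byte by byte through timing."""
    if req.method.upper() in SAFE_METHODS:
        return True
    cookie = req.cookies.get(CSRF_COOKIE)
    header = next((v for k, v in req.headers.items() if k.lower() == CSRF_HEADER), None)
    if not cookie or not header:
        return False
    return hmac.compare_digest(cookie.encode(), header.encode())


def forged_request(victim_token: str) -> Request:
    """What a cross-site page can cause: the browser attaches the cookie,
    but no custom header is present.  The path is hypothetical."""
    return Request("POST", "/example/cluster/state-change",
                   cookies={CSRF_COOKIE: victim_token})


def legitimate_request(token: str) -> Request:
    """What Splunk Web's own JavaScript sends: cookie plus matching header."""
    return Request("POST", "/example/cluster/state-change",
                   cookies={CSRF_COOKIE: token},
                   headers={"X-Splunk-Form-Key": token})


if __name__ == "__main__":
    print("legitimate:", csrf_ok(legitimate_request("deadbeef")))  # True
    print("forged:    ", csrf_ok(forged_request("deadbeef")))      # False
```

Two caveats follow from the code. The check only protects handlers that reject safe methods: any state change reachable through a GET, or through a handler that skips the token comparison, is precisely the gap a CSRF advisory describes. And a bare double-submit scheme should bind the cookie token to the server-side session, otherwise anyone who can set cookies for the host (for example from a sibling subdomain) can plant a matching pair.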
SVD-2025-0703: Path Traversal Vulnerability Enables Denial of Service
- CVE: CVE-2025-20320
- Severity: Medium (CVSS 3.1 Score: 6.3)
A path traversal vulnerability exists in Splunk Enterprise and Splunk Cloud Platform versions below the fixed releases. A low-privileged user—without “admin” or “power” roles—could craft a malicious payload through the “User Interface – Views” configuration page. If an administrator-level victim is phished into executing the payload in their browser, the attacker could delete arbitrary files within the Splunk directory, potentially resulting in a denial of service.
Attack Prerequisites
- Two Parties Involved: The attacker needs a low-privileged Splunk account (CVSS PR:L) to stage the payload through the "User Interface – Views" configuration page, and must then trick an administrator-level user into initiating the malicious request in their browser, usually via phishing or social engineering.
- No Direct Exploit: The staged payload does nothing until an administrator's browser submits it; the attacker cannot trigger the file deletion on their own.
Potential Impact
- Denial of Service: Exploitation can result in deletion of critical files, causing service disruption or downtime.
- Limited Scope: The vulnerability does not impact confidentiality, but poses a risk to availability and, to a lesser extent, integrity.
Affected Versions
- Splunk Enterprise: Versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10
- Splunk Cloud Platform: Versions below 9.3.2411.107, 9.3.2408.117, and 9.2.2406.121
CVSS v3.1 Details
- Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H
- Base Score: 6.3 (Medium)
- Impact: High on availability, low on integrity, none on confidentiality.
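The advisory describes a classic traversal: a name supplied through a configuration page is joined onto a directory and the result is deleted, so `..` segments walk out of the intended folder to any file under the Splunk directory that the service account can remove. The snippet below is an added example written for this article, not Splunk's code: a hypothetical "delete a view" operation showing the defect beside its containment check. The base directory is made up, and `posixpath` is used instead of `os.path` so the result is identical on every host.

```python
"""Containment check for the path traversal class in SVD-2025-0703.

Added example, not Splunk's code: a hypothetical 'delete view' operation
that builds a file path from a name supplied through a configuration page.
unsafe_target shows the bug, safe_target the fix.  posixpath is used instead
of os.path so the result is the same on every host; the base directory is
made up.
"""
from __future__ import annotations
import posixpath

VIEWS_DIR = "/opt/splunk/etc/apps/search/local/data/ui/views"  # hypothetical


def unsafe_target(name: str) -> str:
    """The defect: the name is trusted, so '..' segments walk out of VIEWS_DIR
    to any file the service account can delete under the Splunk directory."""
    return posixpath.normpath(posixpath.join(VIEWS_DIR, name))


def safe_target(name: str) -> str | None:
    """Return the path to delete, or None if the name must be rejected.

    Layer 1: a view name is a single path segment, so any separator, '..',
    or NUL byte is refused outright.  Layer 2: the normalised path must still
    have VIEWS_DIR as its prefix; with layer 1 in place this cannot fail, but
    it costs nothing and catches encodings layer 1 did not anticipate.  On a
    live filesystem add os.path.realpath() before the prefix check so that a
    symlink inside VIEWS_DIR cannot point outside it.
    """
    if not name or name in (".", "..") or any(c in name for c in ("/", "\\", "\0")):
        return None
    candidate = posixpath.normpath(posixpath.join(VIEWS_DIR, name))
    if posixpath.commonpath([VIEWS_DIR, candidate]) != VIEWS_DIR:
        return None
    return candidate


def delete_view(name: str, remover=print) -> str:
    """Delete a view by name.  `remover` defaults to print so the example is
    harmless to run; pass os.remove in real code."""
    target = safe_target(name)
    if target is None:
        raise ValueError(f"rejected view name: {name!r}")
    remover(target)
    return target


if __name__ == "__main__":
    hostile = "../../../../../../../bin/splunk"
    print("unsafe resolves to:", unsafe_target(hostile))   # /opt/splunk/bin/splunk
    print("safe resolves to:  ", safe_target(hostile))     # None
    delete_view("my_dashboard.xml")
```

The seven `..` segments in the sample name climb exactly to the Splunk installation root, which is why the advisory speaks of "arbitrary files within the Splunk directory" rather than the whole host: the process runs as the Splunk service account, and that account's write permissions set the blast radius.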
SVD-2025-0702: Remote Command Execution via Scripted Input Files
- CVE: CVE-2025-20319
- Severity: Medium (CVSS 3.1 Score: 6.8)
A remote command execution vulnerability exists in Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10. The flaw arises from insufficient sanitization of user input in scripted input files. Users holding both the `edit_scripted` and `list_inputs` capabilities can exploit this weakness to execute arbitrary commands on the underlying system, potentially leading to data compromise or service disruption.
Attack Prerequisites
- High-Privilege Role Required: The attacker must hold a role that grants both the `edit_scripted` and `list_inputs` capabilities, whether assigned directly or inherited through imported roles.
- No User Interaction Needed: The exploit does not require social engineering or phishing; a user with those capabilities can perform it directly.
Potential Impact
- Remote Command Execution: Successful exploitation allows arbitrary command execution on the Splunk server.
- System Compromise: Attackers may gain control over the Splunk instance, access sensitive data, or disrupt operations.
- High Confidentiality, Integrity, and Availability Impact: The vulnerability affects all three core security principles.
Affected Versions
- Splunk Enterprise: Versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10
CVSS v3.1 Details
- Vector: AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- Base Score: 6.8 (Medium)
- Impact: High on confidentiality, integrity, and availability.
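Two of the advisories above reduce to a question about authorize.conf: which roles hold both `edit_scripted` and `list_inputs` (the prerequisite for CVE-2025-20319), and which roles can search `_internal` (the access SVD-2025-0709 says should be limited to administrators). Neither question can be answered by reading a stanza in isolation, because capabilities and index grants are inherited through `importRoles`. The script below is an added example written for this article, not Splunk tooling, and the configuration it audits is constructed. It assumes the format documented in authorize.conf.spec: roles are `[role_<name>]` stanzas, capabilities are `capname = enabled` keys, inheritance is the semicolon-separated `importRoles` key, and in `srchIndexesAllowed` a bare `*` matches only non-internal indexes while `_*` matches internal ones.

```python
"""Audit authorize.conf for the two privilege conditions on this page:
roles holding both edit_scripted and list_inputs (the prerequisite for
CVE-2025-20319) and roles able to search the _internal index (the access
SVD-2025-0709 says should be limited to administrators).

Added example, not Splunk tooling.  The configuration text is constructed.
Assumed format, following authorize.conf.spec: roles are [role_<name>]
stanzas, capabilities are 'capname = enabled' keys, inheritance is the
semicolon-separated importRoles key, and in srchIndexesAllowed a bare '*'
matches only non-internal indexes while '_*' matches internal ones.
"""
from __future__ import annotations
import configparser
import fnmatch

SAMPLE_AUTHORIZE_CONF = """\
[role_admin]
importRoles = power;user
edit_scripted = enabled
list_inputs = enabled
srchIndexesAllowed = *;_*

[role_power]
importRoles = user
list_inputs = enabled
srchIndexesAllowed = *

[role_user]
srchIndexesAllowed = main

[role_input_ops]
importRoles = power
edit_scripted = enabled

[role_soc_analyst]
importRoles = user
srchIndexesAllowed = *;_internal
"""


def load_roles(text: str) -> dict[str, dict[str, str]]:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case; capability names are case-sensitive
    cp.read_string(text)
    return {s[len("role_"):]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}


def effective(roles: dict, name: str, seen: set[str] | None = None) -> dict[str, set[str]]:
    """Capabilities and index patterns of a role including everything pulled
    in through importRoles, resolved recursively and cycle-safe."""
    if seen is None:
        seen = set()
    if name in seen or name not in roles:
        return {"caps": set(), "indexes": set()}
    seen.add(name)
    stanza = roles[name]
    caps = {k for k, v in stanza.items() if v.strip().lower() == "enabled"}
    indexes = {p.strip() for p in stanza.get("srchIndexesAllowed", "").split(";") if p.strip()}
    for parent in stanza.get("importRoles", "").split(";"):
        if parent.strip():
            inherited = effective(roles, parent.strip(), seen)
            caps |= inherited["caps"]
            indexes |= inherited["indexes"]
    return {"caps": caps, "indexes": indexes}


def can_search(patterns: set[str], index: str) -> bool:
    """Apply the assumed srchIndexesAllowed wildcard rules to one index."""
    internal = index.startswith("_")
    for p in patterns:
        if p == "*":
            if not internal:
                return True
        elif p == "_*":
            if internal:
                return True
        elif fnmatch.fnmatchcase(index, p):
            return True
    return False


def audit(text: str) -> dict[str, list[str]]:
    roles = load_roles(text)
    scripted, internal = [], []
    for name in sorted(roles):
        eff = effective(roles, name)
        if {"edit_scripted", "list_inputs"} <= eff["caps"]:
            scripted.append(name)
        if can_search(eff["indexes"], "_internal"):
            internal.append(name)
    return {"scripted_input_rce_prereq": scripted, "internal_index_readers": internal}


if __name__ == "__main__":
    for finding, names in audit(SAMPLE_AUTHORIZE_CONF).items():
        print(f"{finding}: {', '.join(names)}")
```

In the constructed sample, `input_ops` never mentions `list_inputs` in its own stanza yet still meets the CVE-2025-20319 prerequisite because it imports `power`, and `soc_analyst` reaches `_internal` through an explicit grant that a bare `*` would not have given. Run the audit against the merged configuration (`splunk btool authorize list` prints the same stanza format) and treat every name other than the administrator roles you expect as a candidate for losing the capability or the index grant.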
SVD-2025-0701: Third-Party Package Updates in Splunk DB Connect
- CVE IDs: Multiple
- Severity: Critical
Multiple vulnerabilities were identified in third-party libraries used by Splunk DB Connect. The affected components and their CVEs are summarized below. The advisory is rated Critical overall; the individual CVEs it lists carry Medium and High ratings and could expose systems to information disclosure, privilege escalation, or remote code execution if left unpatched.
Affected Packages and CVEs
| Package | Upgraded Version | CVE(s) | Severity |
|---|---|---|---|
| bcprov-jdk15on | 1.7.9 | CVE-2024-29857 | Medium |
| pyOpenSSL | 24.2.1 | CVE-2023-5363 | High |
| dompurify | 2.5.4 | CVE-2024-45801, CVE-2024-47875 | High |
| requirejs | 2.3.7 | CVE-2024-38999 | High |
| mysql-connector-python | 9.1.0 | CVE-2024-21272, CVE-2024-21090 | High |
Affected Products
- Splunk DB Connect: Versions below 4.0.0
Summary Table
| Advisory ID | Title/Issue | CVE(s) | Severity | Description |
|---|---|---|---|---|
| SVD-2025-0712 | Third-Party Package Updates in Splunk SOAR | Multiple | Critical | Update addressing vulnerabilities in bundled third-party libraries |
| SVD-2025-0711 | Third-Party Package Updates in Splunk Universal Forwarder | Multiple | Critical | Update addressing vulnerabilities in bundled third-party libraries |
| SVD-2025-0710 | Third-Party Package Updates in Splunk Enterprise | Multiple (see above) | Critical | Third-party library updates; fixed in 9.4.3, 9.3.5, 9.2.7 and 9.1.10 |
| SVD-2025-0709 | Sensitive Info Disclosure in SHCConfig Logging (Clustered Deployments) | CVE-2025-20325 | Low | Potential exposure of the SHC secret key in DEBUG logs; restrict log and internal index access |
| SVD-2025-0708 | Improper Access Control Lets Low-Privilege Users Suppress Read-Only Alerts | CVE-2025-20326 | Medium | Low-privilege users can suppress alerts; review permissions |
| SVD-2025-0707 | Improper Access Control in System Source Types Configuration | CVE-2025-20324 | Medium | Unauthorized changes to source type configuration possible |
| SVD-2025-0706 | Missing Access Control of Saved Searches in Splunk Archiver App | CVE-2025-20323 | Medium | Unauthorized access to or modification of saved searches |
| SVD-2025-0705 | DoS in Search Head Cluster via CSRF | CVE-2025-20322 | Medium | CSRF can trigger a rolling restart, causing DoS; user awareness and patching recommended |
| SVD-2025-0704 | Membership State Change in Splunk Search Head Cluster via CSRF | CVE-2025-20321 | Medium | CSRF allows SHC membership changes (including captain removal) via admin-level phishing |
| SVD-2025-0703 | Denial of Service (DoS) through "User Interface – Views" configuration page in Splunk Enterprise | CVE-2025-20320 | Medium | Path traversal in UI allows DoS via arbitrary file deletion |
| SVD-2025-0702 | Remote Command Execution through Scripted Input Files in Splunk Enterprise | CVE-2025-20319 | Medium | RCE via scripted input file sanitization flaw; requires edit_scripted and list_inputs |
| SVD-2025-0701 | Third-Party Package Updates in Splunk DB Connect – July 2025 | Multiple (see above) | Critical | Third-party package vulnerabilities in DB Connect; fixed in 4.0.0 |
Recommendations
- Apply Updates Promptly: Ensure all Splunk products and apps are updated to the latest versions.
- Review Access Controls: Limit access to sensitive logs, configurations, and saved searches to administrator-level roles.
- Educate Users: Train administrators on phishing and CSRF risks.
- Monitor Official Advisories: Stay informed via Splunk’s security advisories page for ongoing updates.
Splunk’s regular release of vulnerability advisories underscores the importance of proactive security management. By staying current with patches and best practices, organizations can effectively mitigate risks and maintain a robust security posture.
For more detailed technical information or guidance tailored to your environment, contact your Splunk representative or consult the official Splunk documentation.