Splunk administrators managing Windows environments are being urged to patch immediately following the discovery of two high-severity vulnerabilities affecting both the Enterprise platform and Universal Forwarders. The flaws, tracked as CVE-2025-20386 and CVE-2025-20387, carry a CVSS score of 8.0, highlighting a significant risk to system integrity.
The core of the issue lies in how the software handles file permissions during deployment. According to the advisory, “a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Splunk Enterprise for Windows Installation directory”. This oversight effectively leaves the digital front door unlocked on the host machine.
The vulnerability is not a remote code execution flaw in the traditional sense, but rather a local security degradation that drastically widens the attack surface. In a hardened environment, access to application directories—specifically C:\Program Files\Splunk and C:\Program Files\SplunkUniversalForwarder—should be strictly limited to administrators and system accounts.
However, due to this bug, the software fails to lock down these folders correctly. The advisory explicitly states the danger: “This lets non-administrator users on the machine access the directory and all its contents”.
For a threat actor who has gained a foothold on a low-privileged user account, this vulnerability could provide read access to sensitive configuration files, logs, or potentially allow for malicious file manipulation within the Splunk directory.
The vulnerabilities impact Windows deployments of both the core platform and the forwarding agents. You are at risk if you are running a version earlier than the fixed release for your branch:
- 10.0.2
- 9.4.6
- 9.3.8
- 9.2.10
Splunk has released patched versions to close this security gap. The primary recommendation is straightforward: “Upgrade Splunk Enterprise to versions 10.0.2, 9.4.6, 9.3.8, 9.2.10, or higher”. The same version requirements apply to the Universal Forwarder.
For organizations unable to upgrade immediately, Splunk has provided a manual workaround involving the Windows icacls utility to strip the dangerous permissions.
Administrators must execute the following commands in order via Command Prompt or PowerShell:
- Disable inheritance: icacls.exe "<path\to\installation directory>" /inheritance:d
- Remove Built-in Users access: icacls.exe "<path\to\installation directory>" /remove:g *BU /T /C
- Remove Authenticated Users access: icacls.exe "<path\to\installation directory>" /remove:g *S-1-5-11 /T /C
- Re-enable inheritance (safely): icacls.exe "<path\to\installation directory>" /inheritance:e /T /C
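Before running the workaround, or to confirm it took effect, an administrator can audit the installation directory for the two principals the commands above remove. The script below is an added example, not part of the Splunk advisory; it is read-only, assumes the default install paths (override with -Paths), and matches on SIDs so localized group names are handled.

```powershell
# Added example, not from the Splunk advisory. Audits Splunk for Windows
# installation directories for the over-permissive ACEs this bug leaves
# behind. Read-only; it changes nothing. Run from an elevated PowerShell.
# Default paths are assumptions; override with -Paths if you installed elsewhere.
param(
    [string[]] $Paths = @('C:\Program Files\Splunk',
                          'C:\Program Files\SplunkUniversalForwarder')
)

# The two principals the vendor workaround removes:
# BUILTIN\Users (icacls alias *BU) and Authenticated Users (S-1-5-11).
$RiskySids = @('S-1-5-32-545', 'S-1-5-11')

function Get-SplunkDirAclFindings {
    param([Parameter(Mandatory)][string] $Path)
    $result = [ordered]@{ Path = $Path; Exists = $false; Findings = @() }
    if (-not (Test-Path -LiteralPath $Path)) { return [pscustomobject]$result }
    $result.Exists = $true
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Normalise the identity to a SID so localized group names still match.
        $sid = $ace.IdentityReference.Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        if ($RiskySids -contains $sid) {
            $result.Findings += [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited ACEs need /inheritance:d first
            }
        }
    }
    return [pscustomobject]$result
}

foreach ($p in $Paths) {
    $r = Get-SplunkDirAclFindings -Path $p
    if (-not $r.Exists) { Write-Host "$($r.Path): not present, skipped"; continue }
    if ($r.Findings.Count -eq 0) {
        Write-Host "$($r.Path): OK, no Users/Authenticated Users allow ACEs"
    } else {
        Write-Warning "$($r.Path): $($r.Findings.Count) over-permissive ACE(s); apply the workaround or upgrade"
        $r.Findings | Format-Table -AutoSize
    }
}
```

An ACE reported with Inherited = True comes from the parent folder, which is why the vendor sequence disables inheritance before the /remove:g steps.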