
Splunk, a widely used platform for searching, monitoring, and analyzing machine-generated data, has released a security advisory detailing critical vulnerabilities affecting Splunk Enterprise and Splunk Cloud Platform. These vulnerabilities could allow for remote code execution and the disclosure of sensitive information.
CVE-2025-20229: Remote Code Execution via Unauthorized File Upload (CVSS 8.0)
In a stark reminder that even low-privileged users can become powerful threats, CVE-2025-20229 allows such users to execute arbitrary code remotely by uploading malicious files to a specific directory on the server. The vulnerability stems from missing authorization checks on file uploads to $SPLUNK_HOME/var/run/splunk/apptemp.
According to the official Splunk advisory:
“A low-privileged user that does not hold the ‘admin’ or ‘power’ Splunk roles could perform a Remote Code Execution (RCE) through a file upload […] due to missing authorization checks.”
Impacted versions include:
- Splunk Enterprise: 9.1.0 to 9.1.7, 9.2.0 to 9.2.4, 9.3.0 to 9.3.2
- Splunk Cloud Platform: Various builds prior to 9.3.2408.104, 9.2.2406.108, and 9.1.2312.208
Fixes are available in Splunk Enterprise versions 9.1.8, 9.2.5, 9.3.3, and 9.4.0.
CVE-2025-20231: Sensitive Token Leakage in Splunk Secure Gateway (CVSS 7.1)
The second vulnerability, CVE-2025-20231, affects the Splunk Secure Gateway App and leads to exposure of user session and authorization tokens. These are logged in cleartext within splunk_secure_gateway.log when making calls to the /services/ssg/secrets endpoint.
Exploitation requires user interaction rather than being fully under the attacker's control; Splunk warns:
“The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser.”
That said, the impact is non-trivial, as an attacker can use exposed tokens to impersonate users and retrieve sensitive information through elevated search permissions.
Affected versions include:
- Splunk Enterprise: All builds below 9.4.1, 9.3.3, 9.2.5, and 9.1.8
- Splunk Secure Gateway: Versions below 3.8.38 and 3.7.23
Splunk recommends disabling the Secure Gateway App as a temporary mitigation if unused:
“If you do not use any of the apps, features, or functionality, as a potential mitigation, you may remove or disable the app.”
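An added audit helper for the token-leakage issue, not Splunk's own code: it scans a copy of splunk_secure_gateway.log for /services/ssg/secrets calls that recorded token values, reports which users' sessions should be revoked, and redacts the tokens before the lines are shared. The key=value line layout and the field names session_key and authorization are constructed assumptions, since the advisory does not show the real log format.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed sample log lines. The real splunk_secure_gateway.log layout is not
# shown in the advisory; this key=value form and the field names are assumptions.
SAMPLE_LOG = """\
2025-03-26 10:01:02,123 INFO SSGSecrets user=alice path=/services/ssg/secrets session_key=0123456789abcdef0123456789abcdef authorization=Bearer eyJhbGciOiJIUzI1NiJ9.e30.sig
2025-03-26 10:02:05,456 INFO SSGKvstore user=bob path=/services/ssg/kvstore status=200
2025-03-26 10:03:09,789 INFO SSGSecrets user=carol path=/services/ssg/secrets authorization=Splunk fedcba9876543210fedcba9876543210
"""

# Only calls to the endpoint named in the advisory are in scope.
SECRETS_PATH = "/services/ssg/secrets"
# Token-bearing fields (assumed names); a value runs to the next whitespace,
# optionally prefixed by the "Bearer " or "Splunk " authorization scheme.
TOKEN_RE = re.compile(r"\b(session_key|authorization)=((?:Bearer |Splunk )?\S+)")
USER_RE = re.compile(r"\buser=(\S+)")

@dataclass(frozen=True)
class Exposure:
    user: str
    field: str
    fingerprint: str  # sha256 prefix of the token, so the report never re-leaks it

def fingerprint(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()[:12]

def find_exposures(log_text: str) -> list[Exposure]:
    """One Exposure per token value logged for a /services/ssg/secrets call."""
    found = []
    for line in log_text.splitlines():
        if SECRETS_PATH not in line:
            continue
        user_m = USER_RE.search(line)
        user = user_m.group(1) if user_m else "<unknown>"
        for field, value in TOKEN_RE.findall(line):
            found.append(Exposure(user, field, fingerprint(value)))
    return found

def redact(line: str) -> str:
    """Replace token values with a placeholder before archiving or sharing the line."""
    return TOKEN_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)

def users_to_rotate(log_text: str) -> set[str]:
    """Users whose session or authorization tokens appeared in the log."""
    return {e.user for e in find_exposures(log_text)}

if __name__ == "__main__":
    for e in find_exposures(SAMPLE_LOG):
        print(f"{e.user}: {e.field} token exposed (fingerprint {e.fingerprint})")
    print("revoke sessions for:", sorted(users_to_rotate(SAMPLE_LOG)))
```

Run it against the real log only after the patch is applied, and treat every user it lists as needing a forced re-login and token rotation.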
Act Now: Patch and Audit Your Deployments
Splunk has been actively monitoring and patching affected Splunk Cloud Platform instances. Organizations managing their own Splunk Enterprise environments must upgrade to the latest supported versions immediately to prevent potential exploitation.
For defenders, this is a twofold call to action:
- Upgrade affected versions immediately to close both attack vectors.
- Review access control and user roles, especially for low-privileged users who may be operating beyond expected boundaries.