Splunk Enterprise Vulnerability: CVE-2025-20386 and CVE-2025-20387

Redazione RHC: 5 December 2025 09:23

Security researchers have disclosed two high-risk vulnerabilities (CVE-2025-20386 and CVE-2025-20387, each with a CVSS score of 8.0) affecting the Splunk Enterprise platform and the Universal Forwarder component.

Both vulnerabilities stem from incorrect permissions being set on configuration files when the software is deployed on Windows systems, which lets non-administrative users access the Splunk installation directory and its entire contents.

These are not traditional remote code execution vulnerabilities; rather, they expand the attack surface through local security degradation. In the affected versions:

  • New installations or updates may leave the installation directory with incorrectly configured permissions.
  • Standard users can read sensitive configuration files and registry data, and can even tamper with files in the directory.
  • On Windows, both the main platform and the Universal Forwarder are affected in versions prior to 10.0.2/9.4.6/9.3.8/9.2.10.

Splunk has released fixed versions, and users are advised to update immediately:

  • Splunk Enterprise 10.0.2/9.4.6/9.3.8/9.2.10 or later
  • Universal Forwarder Version

Users who cannot upgrade immediately can resolve the issue manually by running the following commands with the Windows icacls tool against the Splunk installation directory:

  1. Disable inheritance: icacls.exe "" /inheritance:d
  2. Remove default user access (BUILTIN\Users): icacls.exe "" /remove:g *BU /T /C
  3. Remove access for Authenticated Users: icacls.exe "" /remove:g *S-1-5-11 /T /C
  4. Re-enable inheritance (safely): icacls.exe "" /inheritance:e /T /C
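The following PowerShell audit script is an added example, not code from Splunk or from this article: it reports any ACE on the Splunk installation directory held by BUILTIN\Users (the `*BU` alias above) or Authenticated Users (S-1-5-11), and with `-Fix` applies the four icacls steps and re-checks. The default install path is an assumption; pass `-SplunkHome` for a Universal Forwarder or non-default location.

```powershell
# Audit (and optionally remediate) non-admin access to the Splunk install directory.
# Assumption: default Splunk Enterprise path; override with -SplunkHome.
param(
    [string]$SplunkHome = 'C:\Program Files\Splunk',
    [switch]$Fix
)

# Well-known SIDs: BUILTIN\Users (icacls alias *BU) and Authenticated Users (S-1-5-11)
$weakSids = @(
    [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545',
    [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
)

# Return every ACE on $Path whose principal is one of the weak SIDs.
function Get-WeakAces {
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        $weakSids -contains $sid
    }
}

function Show-WeakAces {
    param([object[]]$Aces)
    foreach ($ace in $Aces) {
        '  {0,-28} {1,-6} {2} (inherited={3})' -f $ace.IdentityReference,
            $ace.AccessControlType, $ace.FileSystemRights, $ace.IsInherited
    }
}

if (-not (Test-Path -LiteralPath $SplunkHome)) {
    Write-Error "Splunk directory not found: $SplunkHome"; exit 2
}

$weak = @(Get-WeakAces -Path $SplunkHome)
if ($weak.Count -eq 0) { "OK: no BUILTIN\Users or Authenticated Users ACEs on $SplunkHome"; exit 0 }

"WEAK: $($weak.Count) ACE(s) grant non-admin principals access to $SplunkHome"
Show-WeakAces -Aces $weak
if (-not $Fix) { exit 1 }

# Same sequence as the advisory's manual workaround: /T recurses, /C continues on errors.
& icacls.exe $SplunkHome /inheritance:d
& icacls.exe $SplunkHome /remove:g '*BU' /T /C
& icacls.exe $SplunkHome /remove:g '*S-1-5-11' /T /C
& icacls.exe $SplunkHome /inheritance:e /T /C

# Re-audit so the operator sees whether anything inherited from the parent came back.
$after = @(Get-WeakAces -Path $SplunkHome)
if ($after.Count -eq 0) { "FIXED: no weak ACEs remain on $SplunkHome"; exit 0 }
"STILL WEAK after remediation:"; Show-WeakAces -Aces $after; exit 1
```

Run it from an elevated PowerShell session; the exit code (0 clean, 1 weak, 2 path missing) makes it usable from a scheduled compliance check across forwarder hosts.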
