Incorrect permission assignment on Universal Forwarder for Windows during new installation or upgrade
Advisory ID: SVD-2025-0602
CVE ID: CVE-2025-20298
Published: 2025-06-02
Last Update: 2025-06-02
CVSSv3.1 Score: 8.0, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-732
Bug ID: VULN-27637
Description
In Universal Forwarder for Windows versions below 9.4.2, 9.3.4, 9.2.6, and 9.1.9, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Universal Forwarder Installation directory (by default, C:\Program Files\SplunkUniversalForwarder). This lets non-administrator users on the machine access the directory and all its contents.
Solution
Upgrade Universal Forwarder for Windows to versions 9.4.2, 9.3.4, 9.2.6, 9.1.9, or higher.
Product Status
Product | Base Version | Affected Version | Fix Version |
---|---|---|---|
Splunk/UniversalForwarder for Windows | 9.4 | Below 9.4.2 | 9.4.2 |
Splunk/UniversalForwarder for Windows | 9.3 | Below 9.3.4 | 9.3.4 |
Splunk/UniversalForwarder for Windows | 9.2 | Below 9.2.6 | 9.2.6 |
Splunk/UniversalForwarder for Windows | 9.1 | Below 9.1.9 | 9.1.9 |
Mitigations and Workarounds
If you are not able to upgrade to a fixed version, take the following steps to mitigate the vulnerability:
From a command prompt or a PowerShell window, run the following command as a Windows system administrator after installing the affected Splunk version:
icacls.exe "<path\to\installation\directory>" /remove:g *BU /C
Use this mitigation in one of the following scenarios:
1. On new installations of affected versions.
2. On upgrade to an affected version.
3. Upon uninstalling and re-installing an existing affected Splunk version.
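One way to check a host before and after applying the mitigation above, as an added example that is not part of Splunk's advisory: the PowerShell script below lists Allow entries for BUILTIN\Users (SID S-1-5-32-545, the group that *BU refers to) on the installation directory and, when asked, runs the advisory's icacls command and re-checks. The function name Get-UsersAce and the -InstallDir and -Remediate parameters are assumptions made for this example.

```powershell
# Added example: audit a Universal Forwarder install directory for access
# granted to BUILTIN\Users, the group the advisory's icacls mitigation removes.
[CmdletBinding()]
param(
    # Default is the path named in the advisory; override if installed elsewhere.
    [string]$InstallDir = 'C:\Program Files\SplunkUniversalForwarder',
    # Assumption: -Remediate is this script's own switch, not a Splunk option.
    [switch]$Remediate
)

# Well-known SID of BUILTIN\Users; matching on the SID avoids localized group names.
$UsersSid = 'S-1-5-32-545'

function Get-UsersAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Request explicit and inherited ACEs with identities expressed as SIDs.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $UsersSid -and
                       $_.AccessControlType -eq 'Allow' } |
        Select-Object @{ n = 'Path'; e = { $Path } },
                      FileSystemRights, IsInherited, InheritanceFlags
}

if (-not (Test-Path -LiteralPath $InstallDir -PathType Container)) {
    Write-Error "Directory not found: $InstallDir"
    return
}

$findings = @(Get-UsersAce -Path $InstallDir)
if ($findings.Count -eq 0) {
    Write-Output "No Allow ACE for BUILTIN\Users on $InstallDir"
    return
}
$findings | Format-Table -AutoSize

if ($Remediate) {
    # The mitigation command as given in the advisory; requires an elevated session.
    & icacls.exe $InstallDir '/remove:g' '*BU' '/C'
    # Re-check so the effect of the change is visible in the same run.
    @(Get-UsersAce -Path $InstallDir) | Format-Table -AutoSize
}
```

Run it without -Remediate first to record the current state; the IsInherited column shows whether each entry is set on the directory itself or comes from the parent folder.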
Detections
None
Severity
Splunk rates this vulnerability an 8.0, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H.