Remote Code Execution via the Splunk Secure Gateway application Mobile Alerts feature

Advisory ID: SVD-2022-1107

CVE ID: CVE-2022-43567

Published: 2022-11-02

Last Update: 2022-11-02

CVSSv3.1 Score: 8.8, High, High

CWE: CWE-502

Bug ID: SPL-226837


In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run arbitrary operating system commands remotely through the use of specially crafted requests to the mobile alerts feature in the Splunk Secure Gateway app.


For Splunk Enterprise, upgrade versions to 8.1.12, 8.2.9, 9.0.2, or higher.

For Splunk Cloud Platform, Splunk is actively patching and monitoring the Splunk Cloud instances.

Product Status

ProductVersionComponentAffected VersionFix Version
Splunk Enterprise8.1Splunk Secure Gateway8.1.11 and lower8.1.12
Splunk Enterprise8.2Splunk Secure Gateway8.2.0 to
Splunk Enterprise9.0Splunk Secure Gateway9.0.0 to
Splunk Cloud PlatformSplunk Secure GatewaySplunk Web9.0.2203.4 and lower9.0.2205

Mitigations and Workarounds

The vulnerability requires access to the Splunk Secure Gateway app. Removing, disabling, or uninstalling the app or restricting access to the app to administrators remediates the vulnerability. Manage app and add-on objects


This detection search provides information on possible exploitation attempts against the Splunk Secure Gateway App Mobile Alerts feature.


Splunk rates the vulnerability as High, 8.8, with a CVSS Vectors of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability lets a remote authenticated user execute arbitrary code on the server. If you removed the Splunk Secure Gateway app or restricted access to the app to administrators, there is no impact and the severity is Informational.


Danylo Dmytriiev (DDV_UA)