Remote Code Execution through Serialized Session Payload in Splunk Enterprise on Windows

Advisory ID: SVD-2024-0704

CVE ID: CVE-2024-36984

Published: 2024-07-01

Last Update: 2024-07-01

CVSSv3.1 Score: 8.8, High

CWE: CWE-502

Bug ID: VULN-15741


In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 on Windows, an authenticated user could execute a specially crafted query that they could then use to serialize untrusted data. The attacker could use the query to execute arbitrary code.

The exploit requires the use of the collect SPL command which writes a file within the Splunk Enterprise installation. The attacker could then use this file to submit a serialized payload that could result in execution of code within the payload.


Upgrade Splunk Enterprise to versions 9.2.2, 9.1.5, and 9.0.10, or higher.

Product Status

ProductVersionComponentAffected VersionFix Version
Splunk Enterprise9.2Splunk Web9.2.0 to
Splunk Enterprise9.1Splunk Web9.1.0 to
Splunk Enterprise9.0Splunk Web9.0.0 to

Mitigations and Workarounds

If users do not log in to Splunk Web on indexers in a distributed environment, disable Splunk Web on those indexers. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file in the Splunk documentation for more information on disabling Splunk Web.



Splunk rates this vulnerability as 8.8, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

If the Splunk Enterprise instance does not run Splunk Web, there should be no impact and the severity would be informational.


Danylo Dmytriiev (DDV_UA)