Remote Code Execution through file upload to “$SPLUNK_HOME/var/run/splunk/apptemp” directory in Splunk Enterprise

Advisory ID: SVD-2025-0301

CVE ID: CVE-2025-20229

Published: 2025-03-26

Last Update: 2025-03-26

CVSSv3.1 Score: 8.0, High

CWE: CWE-284

Bug ID: VULN-19218

Description

In Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8, and Splunk Cloud Platform versions below 9.3.2408.104, 9.2.2406.108, 9.2.2403.114, and 9.1.2312.208, a low-privileged user that does not hold the “admin” or “power” Splunk roles could perform a Remote Code Execution (RCE) through a file upload to the “$SPLUNK_HOME/var/run/splunk/apptemp” directory due to missing authorization checks.

Solution

Upgrade Splunk Enterprise to versions 9.4.0, 9.3.3, 9.2.5, 9.1.8, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Product Status

Product                Base Version   Affected Version                  Fix Version
---------------------  -------------  --------------------------------  -------------
Splunk Enterprise      9.4                                              9.4.0
Splunk Enterprise      9.3            9.3.0 to 9.3.2                    9.3.3
Splunk Enterprise      9.2            9.2.0 to 9.2.4                    9.2.5
Splunk Enterprise      9.1            9.1.0 to 9.1.7                    9.1.8
Splunk Cloud Platform  9.3.2408       9.3.2408.100 to 9.3.2408.103      9.3.2408.104
Splunk Cloud Platform  9.2.2406       9.2.2406.100 to 9.2.2406.107      9.2.2406.108
Splunk Cloud Platform  9.2.2403       Below 9.2.2403.113                9.2.2403.114
Splunk Cloud Platform  9.1.2312       Below 9.1.2312.207                9.1.2312.208
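
The Product Status table expressed as a version check, added here as an example and not part of Splunk's advisory. It assumes that a version is affected when it is at or above a row's lowest listed affected version and below that row's fix version (the Description's "versions below" wording), and that bases with no affected range listed, such as 9.4, are unaffected.

```python
"""Decide whether a Splunk Enterprise / Cloud Platform version falls in an
affected range of SVD-2025-0301 (CVE-2025-20229)."""
from typing import Optional, Tuple

# Rows copied from the advisory's Product Status table:
# (base version, lowest affected version or None for "Below X" rows, fix version).
# Assumption: affected means lowest <= version < fix, per the Description.
AFFECTED_RANGES = [
    ("9.3", "9.3.0", "9.3.3"),
    ("9.2", "9.2.0", "9.2.5"),
    ("9.1", "9.1.0", "9.1.8"),
    ("9.3.2408", "9.3.2408.100", "9.3.2408.104"),
    ("9.2.2406", "9.2.2406.100", "9.2.2406.108"),
    ("9.2.2403", None, "9.2.2403.114"),
    ("9.1.2312", None, "9.1.2312.208"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so that 9.1.10 sorts after 9.1.8."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fix_version) for a version string.

    Enterprise versions have three components (base "9.3"), Cloud Platform
    builds have four (base "9.3.2408"); a row only applies when the version
    has exactly one component more than the row's base and shares its prefix.
    Versions on a base with no row (for example 9.4.x) return (False, None).
    """
    v = parse_version(version)
    for base, lowest, fix in AFFECTED_RANGES:
        b = parse_version(base)
        if len(v) != len(b) + 1 or v[: len(b)] != b:
            continue  # different product line or branch
        if lowest is not None and v < parse_version(lowest):
            return False, fix  # below the first affected build of this branch
        return v < parse_version(fix), fix
    return False, None


if __name__ == "__main__":
    for candidate in ("9.3.2", "9.3.3", "9.1.10", "9.3.2408.103", "9.4.0"):
        print(candidate, is_affected(candidate))
```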

Mitigations and Workarounds

None

Detections

None

Severity

Splunk rates this vulnerability as an 8.0, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H.

Acknowledgments

Alex Hordijk (hordalex)