Remote Code Execution through file upload to “$SPLUNK_HOME/var/run/splunk/apptemp“ directory in Splunk Enterprise

Advisory ID: SVD-2025-0301

CVE ID: CVE-2025-20229

Published: 2025-03-26

Last Update: 2025-03-26

CVSSv3.1 Score: 8.0, High

CWE: CWE-284

Bug ID: VULN-19218

Description

In Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8, and Splunk Cloud Platform versions below 9.3.2408.104, 9.2.2406.108, 9.2.2403.114, and 9.1.2312.208, a low-privileged user that does not hold the “admin” or “power” Splunk roles could perform a Remote Code Execution (RCE) through a file upload to the “$SPLUNK_HOME/var/run/splunk/apptemp” directory due to missing authorization checks.

Solution

Upgrade Splunk Enterprise to versions 9.4.0, 9.3.3, 9.2.5, 9.1.8, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Product Status

ProductVersionComponentAffected VersionFix Version
Splunk Enterprise9.49.4.0
Splunk Enterprise9.39.3.0 to 9.3.29.3.3
Splunk Enterprise9.29.2.0 to 9.2.49.2.5
Splunk Enterprise9.19.1.0 to 9.1.79.1.8
Splunk Cloud Platform9.3.2408Splunk Web9.3.2408.100 to 9.3.2408.1039.3.2408.104
Splunk Cloud Platform9.2.2406Splunk Web9.2.2406.100 to 9.2.2406.1079.2.2406.108
Splunk Cloud Platform9.2.2403Splunk WebBelow 9.2.2403.1139.2.2403.114
Splunk Cloud Platform9.1.2312Splunk WebBelow 9.1.2312.2079.1.2312.208

Mitigations and Workarounds

None

Detections

None

Severity

Splunk rates this vulnerability as a 8.0, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H.

Acknowledgments

Alex Hordijk (hordalex)