Incorrect permission assignment on Universal Forwarder for Windows during new installation or upgrade
Advisory ID: SVD-2025-0602
CVE ID: CVE-2025-20298
Published: 2025-06-02
Last Update: 2025-07-11
CVSSv3.1 Score: 8.0, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-732
Bug ID: VULN-27637
Description
In Universal Forwarder for Windows versions below 9.4.2, 9.3.4, 9.2.6, and 9.1.9, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Universal Forwarder Installation directory (by default, C:\Program Files\SplunkUniversalForwarder). This lets non-administrator users on the machine access the directory and all its contents.
Solution
If you are using an English-language version of Windows, upgrade Splunk Universal Forwarder for Windows to version 9.4.2, 9.3.4, 9.2.6, 9.1.9, or higher.
Product Status
Product | Base Version | Affected Version | Fix Version |
---|---|---|---|
Splunk/UniversalForwarder for Windows | 9.4 | Below 9.4.2 | 9.4.2 |
Splunk/UniversalForwarder for Windows | 9.3 | Below 9.3.4 | 9.3.4 |
Splunk/UniversalForwarder for Windows | 9.2 | Below 9.2.6 | 9.2.6 |
Splunk/UniversalForwarder for Windows | 9.1 | Below 9.1.9 | 9.1.9 |
Mitigations and Workarounds
Perform the mitigation specified below for either of the following scenarios:
1. If you are using an English-language version of Windows, and you are not able to upgrade to a Splunk Universal Forwarder for Windows fixed version
2. If you are using a non-English language version of Windows
From the command prompt or a PowerShell window, run the following command as a Windows system administrator after installing or upgrading the Splunk Universal Forwarder for Windows:

icacls.exe "<path\to\installation\directory>" /remove:g *BU /C
Note: The available Splunk Universal Forwarder for Windows fixed versions apply to installed English-language versions of Windows only. Changing the language of an already installed non-English Windows system is not sufficient; you must run the specified command to fix this issue on non-English Windows systems.
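To confirm the state of the directory before and after running the command above, the following PowerShell script lists the allow entries held by the built-in Users group and, when asked, runs the advisory's icacls command. It is an added example, not Splunk's code. It assumes that *BU in the command refers to the built-in Users group (well-known SID S-1-5-32-545); the `-Remediate` switch and the function name are hypothetical names chosen for this example.

```powershell
# Added example (not Splunk's code): audit, and optionally apply, the advisory's mitigation.
param(
    # Default installation directory named in the advisory; pass your own path if it differs.
    [string]$InstallDir = 'C:\Program Files\SplunkUniversalForwarder',
    # Hypothetical switch for this example: run the advisory's icacls command when set.
    [switch]$Remediate
)

# Assumption: *BU in the advisory's command is the built-in Users group,
# well-known SID S-1-5-32-545. Matching on the SID avoids localized group names,
# so the check also works on non-English Windows.
$UsersSid = 'S-1-5-32-545'

function Get-UsersGroupAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Request identities as SIDs; include both explicit and inherited entries.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $UsersSid -and
                       $_.AccessControlType -eq 'Allow' } |
        Select-Object @{n='Path';e={$Path}}, FileSystemRights, IsInherited, InheritanceFlags
}

if (-not (Test-Path -LiteralPath $InstallDir -PathType Container)) {
    throw "Installation directory not found: $InstallDir"
}

# Report what the Users group can currently do on the directory.
$before = @(Get-UsersGroupAce -Path $InstallDir)
if ($before.Count -eq 0) {
    Write-Output "No allow entries for $UsersSid on $InstallDir"
    return
}
$before | Format-Table -AutoSize

if ($Remediate) {
    # The command from the advisory; /C continues past per-file errors.
    & icacls.exe $InstallDir /remove:g '*BU' /C
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls exited with code $LASTEXITCODE" }
    # Re-read the ACL so the result is verified rather than assumed.
    $after = @(Get-UsersGroupAce -Path $InstallDir)
    Write-Output "Allow entries for $UsersSid after mitigation: $($after.Count)"
    $after | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session. The IsInherited column shows whether an entry is set on the directory itself or comes from a parent directory.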
Detections
None
Severity
Splunk rates this vulnerability an 8.0, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H.
Changelog
- 2025-07-11: Updated ‘Solution’ and ‘Mitigations and Workarounds’ with Windows language-specific guidance.