Incorrect permission assignment on Universal Forwarder for Windows during new installation or upgrade

Advisory ID: SVD-2025-0602

CVE ID: CVE-2025-20298

Published: 2025-06-02

Last Update: 2025-07-11

CVSSv3.1 Score: 8.0, High

CWE: CWE-732

Bug ID: VULN-27637

Description

In Universal Forwarder for Windows versions below 9.4.2, 9.3.4, 9.2.6, and 9.1.9, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Universal Forwarder Installation directory (by default, C:\Program Files\SplunkUniversalForwarder). This lets non-administrator users on the machine access the directory and all its contents.

Solution

If you are using an English-language version of Windows, upgrade Splunk Universal Forwarder for Windows to version 9.4.2, 9.3.4, 9.2.6, 9.1.9, or higher.

Product Status

| Product | Base Version | Affected Version | Fix Version |
|---|---|---|---|
| Splunk/UniversalForwarder for Windows | 9.4 | Below 9.4.2 | 9.4.2 |
| Splunk/UniversalForwarder for Windows | 9.3 | Below 9.3.4 | 9.3.4 |
| Splunk/UniversalForwarder for Windows | 9.2 | Below 9.2.6 | 9.2.6 |
| Splunk/UniversalForwarder for Windows | 9.1 | Below 9.1.9 | 9.1.9 |

Mitigations and Workarounds

Perform the mitigation specified below for either of the following scenarios:
1. If you are using an English-language version of Windows, and you are not able to upgrade to a Splunk Universal Forwarder for Windows fixed version
2. If you are using a non-English language version of Windows

From the command prompt or a PowerShell window, run the following command as a Windows system administrator after installing or upgrading the Splunk Universal Forwarder for Windows:

icacls.exe "<path\to\installation\directory>" /remove:g *BU /C

Note: The available Splunk Universal Forwarder for Windows fixed versions apply to installed English-language versions of Windows only. Changing the language of an already installed non-English Windows system is not sufficient; you must run the specified command to fix this issue on non-English Windows systems.
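
As an added example (not part of Splunk's advisory), the following PowerShell check lists allow entries for the built-in Users group on the installation directory, which is the group the `*BU` argument in the command above refers to. It matches by the well-known SID S-1-5-32-545 rather than by group name, so it behaves the same on non-English Windows; the default path is the one named in the Description, and the function name is hypothetical.

```powershell
# Added example: audit the Universal Forwarder installation directory for
# allow entries granted to the built-in Users group (SID S-1-5-32-545).
param(
    # Assumption: default install path from the advisory; override as needed.
    [string]$InstallDir = 'C:\Program Files\SplunkUniversalForwarder'
)

# Hypothetical helper name; returns one object per matching ACE.
function Get-BuiltinUsersAce {
    param([Parameter(Mandatory)][string]$Path)

    # Build the SID from the well-known type instead of a localized name.
    $usersSid = [System.Security.Principal.SecurityIdentifier]::new(
        [System.Security.Principal.WellKnownSidType]::BuiltinUsersSid, $null)

    $acl = Get-Acl -LiteralPath $Path
    # Ask for explicit and inherited rules, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    $rules |
        Where-Object {
            $_.IdentityReference.Value -eq $usersSid.Value -and
            $_.AccessControlType -eq 'Allow'
        } |
        Select-Object @{ n = 'Path'; e = { $Path } },
                      FileSystemRights, IsInherited, InheritanceFlags
}

if (-not (Test-Path -LiteralPath $InstallDir -PathType Container)) {
    Write-Output "Directory not found: $InstallDir"
    return
}

$aces = @(Get-BuiltinUsersAce -Path $InstallDir)
if ($aces.Count -gt 0) {
    # IsInherited shows whether the entry is set on this directory or a parent.
    $aces | Format-Table -AutoSize
    Write-Warning "Built-in Users has allow entries on $InstallDir"
} else {
    Write-Output "No allow entries for built-in Users on $InstallDir"
}
```

Run it from an elevated PowerShell window before and after applying the `icacls.exe` command to compare the results.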

Detections

None

Severity

Splunk rates this vulnerability an 8.0, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H.

Changelog

  • 2025-07-11: Updated ‘Solution’ and ‘Mitigations and Workarounds’ with Windows language-specific guidance.