Incorrect permission assignment on Universal Forwarder for Windows during new installation or upgrade

Description

In Universal Forwarder for Windows versions below 9.4.2, 9.3.4, 9.2.6, and 9.1.9, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Universal Forwarder Installation directory (by default, C:\Program Files\SplunkUniversalForwarder). This lets non-administrator users on the machine access the directory and all its contents.

Solution

If you are using an English-language version of Windows, upgrade Splunk Universal Forwarder for Windows to version 9.4.2, 9.3.4, 9.2.6, 9.1.9, or higher.

Product Status

Mitigations and Workarounds

Perform the mitigation specified below for either of the following scenarios:
1. If you are using an English-language version of Windows, and you are not able to upgrade to a Splunk Universal Forwarder for Windows fixed version
2. If you are using a non-English language version of Windows

From the command prompt or a PowerShell window, run the following command as a Windows system administrator after installing or upgrading the Splunk Universal Forwarder for Windows:

icacls.exe "<path\to\installation\directory>" /remove:g *BU /C

Note: The available Splunk Universal Forwarder for Windows fixed versions apply to installed English-language versions of Windows only. Changing the language of an already installed non-English Windows system is not sufficient, you must run the specified command to fix this issue on non-English Windows systems.

Detections

None

Severity

Splunk rates this vulnerability a 8.0, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H.

Changelog

• 2025-07-11: Updated ‘Solution’ and ‘Mitigations and Workarounds’ with Windows language-specific guidance.