Remote Command Execution through Scripted Input Files in Splunk Enterprise
Advisory ID: SVD-2025-0702
CVE ID: CVE-2025-20319
Published: 2025-07-07
Last Update: 2025-07-07
CVSSv3.1 Score: 6.8, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-78
Bug ID: VULN-25818
Description
In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a user who holds a role that contains the high-privilege capability edit_scripted and list_inputs capability , could perform a remote command execution due to improper user input sanitization on the scripted input files.
See Define roles on the Splunk platform with capabilities and Setting up a scripted input for more information.
Solution
Upgrade Splunk Enterprise to versions 9.4.3, 9.3.5, 9.2.7, 9.1.10, or higher.
Product Status
| Product | Base Version | Affected Version | Fix Version |
|---|---|---|---|
| Splunk Enterprise | 9.4 | 9.4.0 to 9.4.2 | 9.4.3 |
| Splunk Enterprise | 9.3 | 9.3.0 to 9.3.4 | 9.3.5 |
| Splunk Enterprise | 9.2 | 9.2.0 to 9.2.6 | 9.2.7 |
| Splunk Enterprise | 9.1 | 9.1.0 to 9.1.9 | 9.1.10 |
Mitigations and Workarounds
If upgrading to a fixed version is not possible, remove the high-privilege capability edit_scripted from the user role.
See Define roles on the Splunk platform with capabilities.
Detections
None
Severity
Splunk rates this vulnerability a 6.8, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.