Remote Command Execution through Scripted Input Files in Splunk Enterprise

Advisory ID: SVD-2025-0702

CVE ID: CVE-2025-20319

Published: 2025-07-07

Last Update: 2025-07-07

CVSSv3.1 Score: 6.8, Medium

CWE: CWE-78

Bug ID: VULN-25818

Description

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a user who holds a role that contains the high-privilege capability edit_scripted and the list_inputs capability could perform remote command execution due to improper user input sanitization on the scripted input files.

See Define roles on the Splunk platform with capabilities and Setting up a scripted input for more information.

Solution

Upgrade Splunk Enterprise to versions 9.4.3, 9.3.5, 9.2.7, 9.1.10, or higher.

Product Status

Product            Base Version  Affected Version  Fix Version
Splunk Enterprise  9.4           9.4.0 to 9.4.2    9.4.3
Splunk Enterprise  9.3           9.3.0 to 9.3.4    9.3.5
Splunk Enterprise  9.2           9.2.0 to 9.2.6    9.2.7
Splunk Enterprise  9.1           9.1.0 to 9.1.9    9.1.10

Mitigations and Workarounds

If upgrading to a fixed version is not possible, remove the high-privilege capability edit_scripted from the user role.
See Define roles on the Splunk platform with capabilities.

Detections

None

Severity

Splunk rates this vulnerability a 6.8, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.