Improper Access Control in System Source Types Configuration in Splunk Enterprise

Advisory ID: SVD-2025-0707

CVE ID: CVE-2025-20324

Published: 2025-07-07

Last Update: 2025-07-07

CVSSv3.1 Score: 5.4, Medium

CWE: CWE-284

Bug ID: VULN-25715

Description

In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.7, and 9.1.10 and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, a low-privileged user that does not hold the “admin” or “power” Splunk roles could create or overwrite system source type configurations by sending a specially-crafted payload to the /servicesNS/nobody/search/admin/sourcetypes/ REST endpoint on the Splunk management port.
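As an added example (not part of Splunk's advisory and not Splunk code), the following Python script reviews access-log lines for successful POST requests to the endpoint named above from accounts that hold neither the "admin" nor the "power" role. The log layout, the user-to-role map, and the sample lines are assumptions constructed for illustration.

```python
import re

# REST endpoint named in the advisory (trailing slash stripped for comparison).
ENDPOINT = "/servicesNS/nobody/search/admin/sourcetypes"
# Roles the advisory names; writes from other accounts are worth reviewing.
PRIVILEGED_ROLES = {"admin", "power"}
# Assumed access-log layout: client - user [timestamp] "METHOD URI PROTO" status
LINE_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def find_suspect_writes(lines, user_roles):
    """Return successful POSTs to the sourcetypes endpoint made by users
    that hold neither the admin nor the power role."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        # Splunk's REST API uses POST to create and to update objects.
        if not m or m["method"] != "POST":
            continue
        path = m["uri"].split("?", 1)[0].rstrip("/")
        if path != ENDPOINT and not path.startswith(ENDPOINT + "/"):
            continue
        if not m["status"].startswith("2"):
            continue  # rejected requests did not change configuration
        roles = user_roles.get(m["user"], set())  # unknown user: unprivileged
        if roles & PRIVILEGED_ROLES:
            continue
        hits.append({k: m[k] for k in ("ts", "client", "user", "uri", "status")})
    return hits

# Constructed sample data (not taken from a real system).
SAMPLE_ROLES = {"alice": {"admin"}, "bob": {"user"}, "carol": {"power", "user"}}
SAMPLE_LOG = [
    '192.0.2.5 - bob [07/Jul/2025:10:15:02.123 +0000] "POST /servicesNS/nobody/search/admin/sourcetypes/ HTTP/1.1" 201 512',
    '192.0.2.9 - alice [07/Jul/2025:10:16:40.004 +0000] "POST /servicesNS/nobody/search/admin/sourcetypes/example_st HTTP/1.1" 200 498',
    '192.0.2.5 - bob [07/Jul/2025:10:17:11.870 +0000] "GET /servicesNS/nobody/search/admin/sourcetypes/ HTTP/1.1" 200 9012',
    '192.0.2.5 - bob [07/Jul/2025:10:18:03.310 +0000] "POST /servicesNS/nobody/search/admin/sourcetypes/example_st HTTP/1.1" 403 120',
    '192.0.2.7 - carol [07/Jul/2025:10:19:55.002 +0000] "POST /servicesNS/nobody/search/admin/sourcetypes/ HTTP/1.1" 200 505',
    '192.0.2.8 - dave [07/Jul/2025:10:21:30.441 +0000] "POST /servicesNS/nobody/search/admin/sourcetypes/example_st?output_mode=json HTTP/1.1" 200 507',
]

if __name__ == "__main__":
    for hit in find_suspect_writes(SAMPLE_LOG, SAMPLE_ROLES):
        print(hit)
```

On a patched instance the same review should return nothing for low-privileged accounts, so any hit after upgrading warrants a look at that account's role assignments.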

Solution

Upgrade Splunk Enterprise to versions 9.4.2, 9.3.5, 9.2.7, 9.1.10, or higher.

Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Product Status

| Product | Base Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 9.4 | REST API | 9.4.0 to 9.4.1 | 9.4.2 |
| Splunk Enterprise | 9.3 | REST API | 9.3.0 to 9.3.4 | 9.3.5 |
| Splunk Enterprise | 9.2 | REST API | 9.2.0 to 9.2.6 | 9.2.7 |
| Splunk Enterprise | 9.1 | REST API | 9.1.0 to 9.1.9 | 9.1.10 |
| Splunk Enterprise Cloud | 9.3.2411 | REST API | Below 9.3.2411.104 | 9.3.2411.104 |
| Splunk Enterprise Cloud | 9.3.2408 | REST API | Below 9.3.2408.113 | 9.3.2408.113 |
| Splunk Enterprise Cloud | 9.2.2406 | REST API | Below 9.2.2406.119 | 9.2.2406.119 |

Mitigations and Workarounds

None

Detections

None

Severity

Splunk rates this vulnerability a 5.4, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N.