Improper Access Control in System Source Types Configuration in Splunk Enterprise
Advisory ID: SVD-2025-0707
CVE ID: CVE-2025-20324
Published: 2025-07-07
Last Update: 2025-07-07
CVSSv3.1 Score: 5.4, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CWE: CWE-284
Bug ID: VULN-25715
Description
In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.7, and 9.1.10 and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, a low-privileged user that does not hold the “admin” or “power” Splunk roles could create or overwrite system source type configurations by sending a specially-crafted payload to the /servicesNS/nobody/search/admin/sourcetypes/ REST endpoint on the Splunk management port.
Solution
Upgrade Splunk Enterprise to versions 9.4.2, 9.3.5, 9.2.7, 9.1.10, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
| Product | Base Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 9.4 | REST API | 9.4.0 to 9.4.1 | 9.4.2 |
| Splunk Enterprise | 9.3 | REST API | 9.3.0 to 9.3.4 | 9.3.5 |
| Splunk Enterprise | 9.2 | REST API | 9.2.0 to 9.2.6 | 9.2.7 |
| Splunk Enterprise | 9.1 | REST API | 9.1.0 to 9.1.9 | 9.1.10 |
| Splunk Enterprise Cloud | 9.3.2411 | REST API | Below 9.3.2411.104 | 9.3.2411.104 |
| Splunk Enterprise Cloud | 9.3.2408 | REST API | Below 9.3.2408.113 | 9.3.2408.113 |
| Splunk Enterprise Cloud | 9.2.2406 | REST API | Below 9.2.2406.119 | 9.2.2406.119 |
Mitigations and Workarounds
None
Detections
None
Severity
Splunk rates this vulnerability a 5.4, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N.