Sensitive Information Disclosure in the SHCConfig logging channel in Clustered Deployments in Splunk Enterprise
Advisory ID: SVD-2025-0709
CVE ID: CVE-2025-20325
Published: 2025-07-07
Last Update: 2025-07-07
CVSSv3.1 Score: 3.1, Low
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-200
Bug ID: VULN-27686
Description
In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.103, 9.3.2408.113, and 9.2.2406.119, the software potentially exposes the search head cluster splunk.secret key. This exposure could happen if you have a Search Head cluster and you configure the Splunk Enterprise SHCConfig log channel at the DEBUG logging level in the clustered deployment.
The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles.
See Define roles on the Splunk platform with capabilities, Deploy a search head cluster, Deploy secure passwords across multiple servers and Set a security key for the search head cluster for more information.
Solution
There are multiple solutions depending on how you have configured the Splunk Enterprise instance SHCConfig log channel.
First, determine whether or not you have a Search Head cluster.
If you have a Search Head cluster, determine whether or not the SHCConfig log channel is at the DEBUG logging level. You must log into the Splunk Enterprise instance as an admin user or equivalent to perform these actions. To determine the log channel logging mode on the instance:
1. In a web browser, visit the Server Logging Settings page in Splunk Web at /en-US/manager/system/server/logger.
2. Review the Logging Level column on the page that loads. If the SHCConfig row in this column shows DEBUG as the logging level, then the Splunk Enterprise SHCConfig log channel is in debug mode. Otherwise, it is not in debug mode.
See Enable debug logging for more information.
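A file-based version of the check above, as an added example that is not part of the Splunk advisory. It assumes the level is persisted as a `category.SHCConfig=<LEVEL>` line in log.cfg or log-local.cfg (a level set only at runtime will not appear there); the function names and sample file contents are constructed for illustration.

```python
import re

# Fix version per release line, from the Product Status table (Splunk Enterprise rows).
FIXED = {(9, 4): (9, 4, 3), (9, 3): (9, 3, 5), (9, 2): (9, 2, 7), (9, 1): (9, 1, 10)}

# Assumption: channel levels are stored as "category.<channel>=<LEVEL>" lines.
# Anchoring at line start skips commented-out entries such as "# category...".
CATEGORY = re.compile(r"^[ \t]*category\.SHCConfig[ \t]*=[ \t]*(\w+)", re.MULTILINE)

def is_affected_version(version):
    """True if a Splunk Enterprise version is in an affected range of the table.
    Release lines that the table does not list return False (not assessed)."""
    parts = tuple(int(p) for p in version.split("."))
    fixed = FIXED.get(parts[:2])
    return fixed is not None and parts < fixed

def shcconfig_level(*cfg_texts):
    """Effective SHCConfig level, or None if no file sets it.
    Pass log.cfg first and log-local.cfg last: later texts override earlier ones."""
    level = None
    for text in cfg_texts:
        for match in CATEGORY.finditer(text):
            level = match.group(1).upper()
    return level

def key_exposure_possible(version, in_shc, *cfg_texts):
    """All three conditions from the advisory: search head cluster member,
    affected version, and SHCConfig logging at DEBUG."""
    return (in_shc and is_affected_version(version)
            and shcconfig_level(*cfg_texts) == "DEBUG")

# Constructed sample file contents (not taken from a real deployment).
LOG_CFG = "[splunkd]\nrootCategory=WARN,A1\ncategory.SHCConfig=INFO\n"
LOG_LOCAL_CFG = "[splunkd]\n# category.SHCConfig=WARN\ncategory.SHCConfig=DEBUG\n"

if __name__ == "__main__":
    for version in ("9.3.4", "9.3.5"):
        flagged = key_exposure_possible(version, True, LOG_CFG, LOG_LOCAL_CFG)
        print(version, "SHCConfig =", shcconfig_level(LOG_CFG, LOG_LOCAL_CFG),
              "-> upgrade and update splunk.secret" if flagged else "-> no action flagged")
```
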
If the previous steps determine that debug logging is active for the SHCConfig log channel, then remedy the problem by performing the following tasks:
1. Upgrade Splunk Enterprise to version 9.4.3, 9.3.5, 9.2.7, or 9.1.10, or higher.
2. Update the splunk.secret key file. See Update the splunk.secret key file on instances to use the new cipher for more information.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
Product | Base Version | Affected Version | Fix Version |
---|---|---|---|
Splunk Enterprise | 9.4 | 9.4.0 to 9.4.2 | 9.4.3 |
Splunk Enterprise | 9.3 | 9.3.0 to 9.3.4 | 9.3.5 |
Splunk Enterprise | 9.2 | 9.2.0 to 9.2.6 | 9.2.7 |
Splunk Enterprise | 9.1 | 9.1.0 to 9.1.9 | 9.1.10 |
Splunk Cloud Platform | 9.3.2411 | Below 9.3.2411.103 | 9.3.2411.103 |
Splunk Cloud Platform | 9.3.2408 | Below 9.3.2408.113 | 9.3.2408.113 |
Splunk Cloud Platform | 9.2.2406 | Below 9.2.2406.119 | 9.2.2406.119 |
Mitigations and Workarounds
If it isn’t currently possible to upgrade to a fixed version of Splunk Enterprise, you can remedy the vulnerability by doing the following:
1. Configure the SHCConfig log channel to a logging level that is less verbose than DEBUG.
2. Update the splunk.secret key file. See Update the splunk.secret key file on instances to use the new cipher for more information.
Detections
None
Severity
Splunk rates this vulnerability a 3.1, Low, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N.
If you have a Search Head cluster and/or debug logging enabled for the SHCConfig log channel, then there should be no impact and the severity would be Informational.