Denial of Service (DoS) through Multiple LDAP Bind Requests in Splunk Enterprise
Advisory ID: SVD-2025-1005
CVE ID: CVE-2025-20370
Published: 2025-10-01
Last Update: 2025-10-01
CVSSv3.1 Score: 4.9, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400
Bug ID: VULN-5472
Description
In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6, and 9.2.8, a user who holds a role that contains the high-privilege capability change_authentication, could send multiple LDAP bind requests to a specific internal endpoint, resulting in high server CPU usage, which could potentially lead to a denial of service (DoS) until the Splunk Enterprise instance is restarted.
See Define roles on the Splunk platform with capabilities and Configuring LDAP for more information.
Solution
Upgrade Splunk Enterprise to versions 10.0.1, 9.4.4, 9.3.6, 9.2.8, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
| Product | Base Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 10.0 | Splunk Web | 10.0.0 | 10.0.1 |
| Splunk Enterprise | 9.4 | Splunk Web | 9.4.0 to 9.4.3 | 9.4.4 |
| Splunk Enterprise | 9.3 | Splunk Web | 9.3.0 to 9.3.5 | 9.3.6 |
| Splunk Enterprise | 9.2 | Splunk Web | 9.2.0 to 9.2.7 | 9.2.8 |
| Splunk Enterprise Cloud | 9.3.2411 | Splunk Web | Below 9.3.2411.108 | 9.3.2411.108 |
| Splunk Enterprise Cloud | 9.3.2408 | Splunk Web | Below 9.3.2408.118 | 9.3.2408.118 |
| Splunk Enterprise Cloud | 9.2.2406 | Splunk Web | Below 9.2.2406.123 | 9.2.2406.123 |
Mitigations and Workarounds
If upgrading to a fixed version is not possible, remove the high-privilege capability, change_authentication, from the user’s role. See Define roles on the Splunk platform with capabilities.
Additionally, the vulnerability affects instances with Splunk Web turned on, turning Splunk Web off is a possible workaround. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on turning Splunk Web off.
Detections
None
Severity
Splunk rates this vulnerability a 4.9, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H.
Acknowledgments
STÖK / Fredrik Alexandersson