Sensitive Information Disclosure in “_internal” index through Splunk Add-On for Palo Alto Networks
Advisory ID: SVD-2025-1105
CVE ID: CVE-2025-20373
Published: 2025-11-26
Last Update: 2025-11-26
CVSSv3.1 Score: 2.7, Low
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-532
Bug ID: VULN-43964
Description
In Splunk Add-on for Palo Alto Networks versions below 2.0.2, the add-on exposes client secrets in plain text in the “_internal” index during the addition of new “Data Security Accounts”.
Exploiting the vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See Define roles on the Splunk platform with capabilities in the Splunk documentation for more information.
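One way to carry out the role review described above, as an added example that is not part of the advisory or of Splunk's own tooling: the script reads authorize.conf-style text, follows importRoles inheritance, and lists non-admin roles whose srchIndexesAllowed reaches "_internal". The sample configuration and role names are constructed, and treating only "admin" as administrator-level is an assumption you should adjust.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample authorize.conf content (not from a real deployment).
SAMPLE_AUTHORIZE_CONF = """
[role_admin]
srchIndexesAllowed = *;_*

[role_user]
srchIndexesAllowed = main

[role_power]
importRoles = user
srchIndexesAllowed = *

[role_soc_analyst]
importRoles = power
srchIndexesAllowed = pan_logs;_internal

[role_soc_lead]
importRoles = soc_analyst
"""

def _split(value):
    # authorize.conf lists are semicolon-delimited
    return [item.strip() for item in value.split(";") if item.strip()]

def roles_with_internal_access(conf_text, index="_internal", admin_roles=("admin",)):
    """Return sorted non-admin roles that can search `index`, directly or via importRoles."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep setting names case-sensitive
    parser.read_string(conf_text)
    roles = {s[len("role_"):]: parser[s] for s in parser.sections() if s.startswith("role_")}

    def allowed(role, seen=()):
        # Collect index patterns from the role and every role it imports (cycle-safe).
        if role not in roles or role in seen:
            return set()
        patterns = set(_split(roles[role].get("srchIndexesAllowed", "")))
        for parent in _split(roles[role].get("importRoles", "")):
            patterns |= allowed(parent, seen + (role,))
        return patterns

    def matches(pattern):
        # A bare '*' covers only non-internal indexes; internal ones need a leading '_'.
        return pattern.startswith("_") == index.startswith("_") and fnmatchcase(index, pattern)

    return sorted(r for r in roles if r not in admin_roles and any(matches(p) for p in allowed(r)))
```

Feed it the merged configuration (for example the output of `splunk btool authorize list`) rather than a single app's file, since role settings are layered across apps.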
Solution
Upgrade Splunk Add-On for Palo Alto Networks to version 2.0.2, 3.0.0, or higher and determine if any credentials are exposed in plain text:
1. In Search and Reporting, search for index="_internal" sourcetype="splunk_ta_paloalto_networks*"
2. Immediately generate a new client_id and client_secret as needed, and revoke any that have been exposed as a result of this vulnerability.
Product Status
| Product | Base Version | Affected Version | Fix Version |
|---|---|---|---|
| Splunk Add-on for Palo Alto Networks | 2.0 | Below 2.0.2 | 2.0.2 |
Mitigations and Workarounds
None
Detections
None
Severity
Splunk rates this vulnerability a 2.7, Low, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N.
If you do not use Splunk Add-On for Palo Alto Networks, then there should be no impact and the severity would be Informational.
Acknowledgments
Vignesh Subramanian, Splunk