Incorrect permissions assignment on Splunk Universal Forwarder for Windows during new installation or upgrade
Advisory ID: SVD-2025-1206
CVE ID: CVE-2025-20387
Published: 2025-12-03
Last Update: 2025-12-03
CVSSv3.1 Score: 8.0, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-732
Bug ID: VULN-39497
Description
In Splunk Universal Forwarder for Windows versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Universal Forwarder for Windows installation directory (by default, C:\Program Files\SplunkUniversalForwarder). This lets non-administrator users on the machine access the directory and all its contents.
Solution
Upgrade Splunk Universal Forwarder to versions 10.0.2, 9.4.6, 9.3.8, 9.2.10, or higher.
Product Status
| Product | Base Version | Affected Version | Fix Version |
|---|---|---|---|
| Splunk Enterprise | 10.0 | Below 10.0.2 | 10.0.2 |
| Splunk Enterprise | 9.4 | 9.4.0 to 9.4.5 | 9.4.6 |
| Splunk Enterprise | 9.3 | 9.3.0 to 9.3.7 | 9.3.8 |
| Splunk Enterprise | 9.2 | 9.2.0 to 9.2.9 | 9.2.10 |
Mitigations and Workarounds
Perform the following mitigation if you are not able to upgrade to a fixed Splunk Universal Forwarder for Windows version.
After installing or upgrading Splunk Universal Forwarder for Windows, run the following commands in the order shown, as a Windows system administrator, from the command prompt or a PowerShell window:
1. icacls.exe "<path\to\installation\directory>" /inheritance:d
2. icacls.exe "<path\to\installation\directory>" /remove:g *BU /T /C
3. icacls.exe "<path\to\installation\directory>" /remove:g *S-1-5-11 /T /C
4. icacls.exe "<path\to\installation\directory>" /inheritance:e /T /C
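To review the result of these steps, the following PowerShell script (an added example, not part of Splunk's advisory) lists every Allow entry held by the two principals named in steps 2 and 3, Built-in Users (SDDL alias BU, S-1-5-32-545) and Authenticated Users (S-1-5-11), and shows whether each entry is explicit or inherited. The parameter name, function name and output layout are assumptions of this example; run it from an elevated PowerShell session.

```powershell
# Added example: report ACEs for Built-in Users and Authenticated Users
# under the Universal Forwarder installation directory.
param(
    # Default path as given in the advisory; override for custom installs.
    [string]$InstallDir = 'C:\Program Files\SplunkUniversalForwarder'
)

# Well-known SIDs matching the icacls arguments *BU and *S-1-5-11.
$targetSids = @{
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
}

function Get-BroadAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Request SIDs instead of names so the match is locale-independent.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and $targetSids.ContainsKey($sid)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $targetSids[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

if (-not (Test-Path -LiteralPath $InstallDir -PathType Container)) {
    throw "Installation directory not found: $InstallDir"
}

# Check the root, then every child object (the same scope as icacls /T).
$findings = @(Get-BroadAce -Path $InstallDir)
Get-ChildItem -LiteralPath $InstallDir -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += @(Get-BroadAce -Path $_.FullName) }

if ($findings.Count -eq 0) {
    Write-Output "No Allow ACEs for Users or Authenticated Users under $InstallDir"
} else {
    $findings | Sort-Object Path, Principal | Format-Table -AutoSize -Wrap
}
```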
Detections
None
Severity
Splunk rates this vulnerability an 8.0, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H.