CVE-2025-20324 in Splunk

Summary

by MITRE • 07/07/2025

In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.7, and 9.1.10 and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, a low-privileged user that does not hold the "admin" or "power" Splunk roles could create or overwrite [system source type](https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.2/configure-source-types/create-source-types) configurations by sending a specially-crafted payload to the `/servicesNS/nobody/search/admin/sourcetypes/` REST endpoint on the Splunk management port.


Analysis

by VulDB Data Team • 07/21/2025

This vulnerability affects Splunk Enterprise and Splunk Cloud Platform installations in which unauthorized users can manipulate system configuration through a specific REST API endpoint. The flaw allows low-privileged users to bypass normal access controls and modify system source type configurations that should require administrative privileges. It affects versions prior to the patched releases listed above, leaving a persistent security risk across multiple Splunk product lines. Exploitation occurs through a crafted payload sent to the `/servicesNS/nobody/search/admin/sourcetypes/` endpoint, which is part of Splunk's management interface and should enforce strict access controls based on user roles and permissions.

The vulnerability stems from inadequate input validation and access control enforcement within Splunk's REST API framework. When a user sends a crafted request to the endpoint, the system fails to verify whether the requesting user holds sufficient privileges to create or overwrite system-level source type configurations. This is a classic privilege escalation: a user with minimal permissions gains elevated system access by manipulating the application's configuration interface, because the authorization check that should stop non-administrative users from modifying core system components does not take effect. Under CWE classification this corresponds to CWE-284: Improper Access Control, which covers insufficient access control mechanisms that let unauthorized users reach protected resources or perform privileged operations.

The operational impact extends beyond simple privilege escalation, because the flaw lets an attacker change how Splunk processes and categorizes data inputs. By creating or overwriting system source types, an attacker could alter how different data sources are interpreted, leading to data corruption, information disclosure, or system instability. Source type configuration shapes the entire data ingestion pipeline, so a modified configuration could hide malicious activity by changing how data appears in Splunk searches, or disrupt normal operations by introducing malformed configurations. The vulnerability also creates opportunities for lateral movement within the Splunk environment, as attackers could use the modified configurations to establish persistence or redirect data flows to malicious endpoints. From an ATT&CK framework perspective, this vulnerability maps to T1078: Valid Accounts and T1566: Phishing, as it allows for privilege escalation and can be used to establish more persistent access to the system.

Organizations affected by this vulnerability should immediately apply the recommended upgrades to Splunk Enterprise 9.4.2 or later and Splunk Cloud Platform 9.3.2411.104 or later. In addition, network segmentation should restrict access to Splunk management ports and endpoints, in particular the REST API endpoint named above. Organizations should also monitor for unusual activity around the `/servicesNS/nobody/search/admin/sourcetypes/` endpoint, since unauthorized access attempts would likely produce anomalous API usage patterns. Regular security audits should verify that only authorized administrative users can reach system configuration endpoints and that role-based access controls are enforced. The vulnerability underlines the importance of keeping security patches current and of defense-in-depth strategies that combine network access controls, monitoring, and regular security assessments to prevent exploitation of similar access control weaknesses.

Responsible

Cisco

Reservation

10/10/2024

Disclosure

07/07/2025

Moderation

accepted

CPE

ready

EPSS

0.00221

KEV

no

Activities

very low
