CVE-2025-20366 in Splunk

Summary

by MITRE • 10/01/2025

In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.111, 9.3.2408.119, and 9.2.2406.122, a low-privileged user that does not hold the admin or power Splunk roles could access sensitive search results if Splunk Enterprise runs an administrative search job in the background. If the low privileged user guesses the search job’s unique Search ID (SID), the user could retrieve the results of that job, potentially exposing sensitive search results. For more information see https://help.splunk.com/en/splunk-enterprise/search/search-manual/10.0/manage-jobs/about-jobs-and-job-management and https://help.splunk.com/en/splunk-enterprise/search/search-manual/10.0/manage-jobs/manage-search-jobs.


Analysis

by VulDB Data Team • 10/04/2025

The vulnerability exists in Splunk Enterprise and Splunk Cloud Platform, where insufficient access control lets a low-privileged user retrieve the results of an administrative search by supplying a predictable job identifier. Search job identifiers are predictable enough that an unauthorized user can guess or enumerate valid Search IDs (SIDs). While an administrative search job runs in the background, its result set remains reachable, although it should be restricted to users holding the appropriate administrative roles. The result is a privilege escalation vector through information disclosure: because access control is not enforced on search job results, data flows from a high-privilege operation to a low-privileged user.

Technically, the weakness lies in how search job identifiers are generated: the identifiers that reference background search operations are neither sufficiently randomized nor otherwise protected. When Splunk Enterprise executes an administrative search, the job entry it creates retains access to the underlying sensitive data and results, and the system does not enforce access control when a user retrieves those results with a valid but guessable SID. The weakness is classified as CWE-284 Access Control Issues, an improper access control mechanism that allows unauthorized information disclosure. The underlying principle is that search job identifiers must not be predictable, since a guessable identifier becomes a vector for unauthorized data access.

The operational impact goes beyond simple information disclosure: administrative searches may expose operational data, security monitoring results, and confidential system information that administrators would normally reach only through proper administrative channels. An attacker could use the flaw to gain insight into system operations, security events, and other data that would otherwise remain protected within administrative search contexts. The risk is highest where Splunk is used for security monitoring, compliance reporting, or operational intelligence, because those use cases routinely involve data that must remain restricted to authorized personnel. Exploitation is possible through passive reconnaissance to identify valid SIDs, followed by retrieval of results that would normally require administrative privileges.

Organizations should upgrade to the patched versions of Splunk Enterprise and Splunk Cloud Platform named in the advisory, ensure that access controls are enforced on search job results, and monitor for suspicious search job access patterns. The vendor patches address both the predictable generation of search job identifiers and the enforcement of access control. Administrators should additionally review and tighten access controls around administrative search operations, log search job access attempts, and consider adding entropy to search job identifier generation to prevent predictable patterns. The vulnerability illustrates the importance of sound access control design in distributed monitoring systems and aligns with ATT&CK techniques T1078 Valid Accounts and T1566 Phishing, used to maintain persistent access to sensitive system information. Network segmentation and monitoring to detect unauthorized access attempts against administrative search results, together with audit logging of all search job operations, round out the mitigation.
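The monitoring recommended above, worked as an added example that is neither VulDB's nor Splunk's code: it flags the two patterns a defender cares about for this flaw, a non-admin/non-power user successfully reading results of a job they do not own, and a user accumulating failed lookups of unknown SIDs. The event records and their field layout are constructed for the example and are not Splunk's audit log format; cross_owner_reads and sid_probing are hypothetical helpers.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Roles the advisory names as the ones allowed to see administrative jobs.
PRIVILEGED_ROLES = {"admin", "power"}

# Constructed, simplified records of search-job result requests (assumed
# shape, not Splunk's own audit format): timestamp, requesting user, that
# user's roles, the SID requested, the job's owner (None if no such job),
# and the HTTP status returned.
SAMPLE_EVENTS = [
    ("2025-10-02T10:00:01", "alice", {"admin"}, "sid-0040", "alice", 200),
    ("2025-10-02T10:00:03", "bob",   {"user"},  "sid-0051", "bob",   200),
    ("2025-10-02T10:00:10", "bob",   {"user"},  "sid-0041", None,    404),
    ("2025-10-02T10:00:12", "bob",   {"user"},  "sid-0042", None,    404),
    ("2025-10-02T10:00:14", "bob",   {"user"},  "sid-0043", None,    404),
    ("2025-10-02T10:00:16", "bob",   {"user"},  "sid-0044", None,    404),
    ("2025-10-02T10:00:18", "bob",   {"user"},  "sid-0040", "alice", 200),
    ("2025-10-02T10:05:00", "carol", {"power"}, "sid-0040", "alice", 200),
]


def cross_owner_reads(events):
    """Successful result reads by a user who holds neither admin nor power
    and does not own the job: the exact condition the advisory describes."""
    hits = []
    for _, user, roles, sid, owner, status in events:
        if status == 200 and owner != user and not roles & PRIVILEGED_ROLES:
            hits.append((user, sid, owner))
    return hits


def sid_probing(events, window=timedelta(seconds=60), threshold=3):
    """Users whose requests for unknown SIDs (HTTP 404) reach `threshold`
    within any `window`; returns {user: max failures seen in one window}.
    A guessing pattern is worth an alert whether or not a guess succeeded."""
    failures = defaultdict(list)
    for ts, user, _, _, _, status in events:
        if status == 404:
            failures[user].append(datetime.fromisoformat(ts))
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over time
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = max(flagged.get(user, 0), end - start + 1)
    return flagged
```

Carol's read of alice's job is not flagged because the power role is permitted; bob's read is, and his four failed lookups inside one minute trip the probing threshold.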

Responsible

Cisco

Reservation

10/10/2024

Disclosure

10/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00400

KEV

no

Activities

very low
