Platform
splunk
Component
sa-ldapsearch
Fixed in
3.1.1
CVE-2025-0367 describes a Denial of Service (DoS) vulnerability discovered in the Splunk Supporting Add-on for Active Directory (SA-ldapsearch). This vulnerability stems from a flawed regular expression pattern that can be exploited to trigger a Regular Expression Denial of Service (ReDoS) attack. The vulnerability impacts versions 3.1.0 and earlier of the add-on, and a fix is available in version 3.1.1.
An attacker could exploit this vulnerability to cause a denial of service within the Splunk environment, specifically impacting the Active Directory monitoring functionality provided by the add-on. A ReDoS attack works by crafting input that forces the regular expression engine into catastrophic backtracking: the engine tries an exponentially growing number of ways to match the input before giving up, pinning a CPU core for seconds to hours and stalling the search or process that ran the pattern. This could disrupt critical security monitoring and alerting, potentially masking other malicious activity. The blast radius is limited to the Splunk instance and its ability to process Active Directory data, but the impact on security visibility can be significant.
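The mechanism described above, as an added illustration that is not code from the page or from the add-on: the pattern used here is the textbook nested-quantifier example, not the regular expression in SA-ldapsearch (which this page does not reproduce), and the inputs, the length limit and the function names are constructed for the demo. The vulnerable pattern and a hardened equivalent accept the same strings, but a trailing character that cannot match makes the vulnerable one try every way of splitting the run of "a" characters, so rejection time doubles with each extra character; the length cap shows the mitigation that works regardless of the pattern.

```python
"""ReDoS demo: catastrophic backtracking in a nested-quantifier pattern,
a hardened equivalent, and an input-length guard.

The pattern is a generic textbook example, NOT the pattern used by
SA-ldapsearch. All inputs are constructed for this demonstration.
"""
import re
import time

# Vulnerable (illustrative): the outer and inner quantifiers overlap, so a run
# of n "a" characters can be split into 2^(n-1) groups; a trailing character
# that cannot match forces the engine to try every split before failing.
VULNERABLE = re.compile(r"^(a+)+$")

# Hardened: matches exactly the same strings with a single quantifier, so
# there is only one way to consume the run and rejection is linear.
HARDENED = re.compile(r"^a+$")

# Pattern-independent mitigation: bound input length before the engine runs.
MAX_INPUT_LEN = 32  # assumed limit chosen for the demo


def evil_input(n):
    """n repetitions of 'a' followed by a character that cannot match."""
    return "a" * n + "!"


def timed_match(pattern, text):
    """Return (matched, seconds) for pattern.match(text)."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def backtracking_growth(pattern, lengths=(8, 10, 12, 14, 16, 18)):
    """Seconds spent rejecting evil_input(n) for each n.

    For VULNERABLE each step of +2 roughly quadruples the time; for
    HARDENED the figures stay in the microsecond range.
    """
    return [timed_match(pattern, evil_input(n))[1] for n in lengths]


def guarded_match(pattern, text, max_len=MAX_INPUT_LEN):
    """Refuse oversized input before it reaches the regex engine."""
    if len(text) > max_len:
        raise ValueError(f"input length {len(text)} exceeds limit {max_len}")
    return pattern.match(text) is not None


if __name__ == "__main__":
    for name, pat in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, ["%.4f" % t for t in backtracking_growth(pat)])
```

Run it and compare the two rows: the vulnerable row climbs with every length while the hardened row does not move. Removing the ambiguity from the pattern is the real fix, which is what the 3.1.1 release does for the add-on; the length guard is the kind of input validation a team can apply at the boundary while an upgrade is pending, because it does not depend on knowing which pattern is affected.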
CVE-2025-0367 was publicly disclosed on January 30, 2025. There is no indication of active exploitation or KEV listing at the time of writing. Public proof-of-concept code is not currently available, but ReDoS conditions are simple to reproduce once the affected pattern is known, so such code may emerge. Note that the CVSS score of 6.5 (MEDIUM) rates severity, not likelihood: the EPSS figure listed on this page (0.19%) puts the estimated probability of exploitation in the low range.
Organizations heavily reliant on Splunk for Active Directory monitoring are particularly at risk. Environments where the data processed by the add-on's LDAP lookups can be influenced by untrusted users or external sources are more exposed, since a ReDoS is triggered by the content of the input rather than by query volume. Security teams using the Splunk Supporting Add-on for Active Directory to automate security tasks or incident response are also at heightened risk, as a DoS condition could disrupt these critical functions.
• linux / server: Monitor system resource usage (CPU, memory) for unusual spikes, especially during LDAP query processing. Use top, htop, or similar tools to identify processes consuming excessive resources; a ReDoS typically shows as a single splunkd search process pinned at 100% of one core.
top
• linux / server: Examine Splunk logs for errors related to LDAP queries or regular expression processing. Look for patterns indicative of excessive backtracking or resource exhaustion. Splunk writes its own logs to $SPLUNK_HOME/var/log/splunk/ (splunkd.log, and search.log inside each search job's dispatch directory); journalctl only sees them if Splunk was installed as a systemd service, and the unit name depends on that installation (Splunk's own boot-start setup creates Splunkd.service), so adjust the unit name below accordingly.
grep -iE "regex|ldap" $SPLUNK_HOME/var/log/splunk/splunkd.log
journalctl -u Splunkd | grep -iE "regex|ldap"
• generic web: If the add-on exposes any web interfaces, monitor for unusual request patterns or error rates that might correlate with LDAP query processing.
Disclosure
Exploit status
EPSS
0.19% (41st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-0367 is to upgrade the Splunk Supporting Add-on for Active Directory to version 3.1.1 or later. If an immediate upgrade is not feasible due to compatibility concerns or testing requirements, consider isolating the affected add-on instance and restricting which users and data sources can reach its search commands to limit potential impact. A WAF rule is unlikely to help, because the vulnerable pattern is evaluated inside Splunk rather than on an HTTP request path, but monitoring Splunk logs and search job runtimes for excessive regex processing can provide an early warning. After upgrading, confirm the fix by verifying that the installed add-on version is 3.1.1 or later, that Active Directory monitoring functions normally, and that no unusual resource consumption is observed during LDAP queries.
Upgrade the Splunk Supporting Add-on for Active Directory to version 3.1.1 or later. This version fixes the ReDoS vulnerability in the regular expression. You can download the latest version from the Splunk website (Splunkbase) or through the Splunk management interface.
CVE-2025-0367 is a medium-severity Denial of Service vulnerability in Splunk Supporting Add-on for Active Directory versions 3.1.0 and earlier, caused by a vulnerable regular expression pattern; it is fixed in version 3.1.1.
If you are using Splunk Supporting Add-on for Active Directory version 3.1.0 or earlier, you are potentially affected by this vulnerability.
Upgrade to version 3.1.1 or later of the Splunk Supporting Add-on for Active Directory to resolve the vulnerability. As a temporary workaround, validate and bound the length of data that reaches the add-on's LDAP lookups; this reduces exposure but does not remove the vulnerable pattern.
There is currently no evidence of active exploitation campaigns targeting CVE-2025-0367, but the ReDoS nature makes it potentially attractive to attackers.
Refer to the official Splunk security advisory for detailed information and updates regarding CVE-2025-0367: [https://splunk.com/security/advisories](https://splunk.com/security/advisories)