Platform
splunk
Component
splunk-enterprise
Fixed in
9.3.1
9.2.3
9.1.6
CVE-2024-45731 is an arbitrary file write vulnerability in Splunk Enterprise for Windows. A low-privileged Splunk user, one that does not hold the admin or power roles, can write a file to the Windows system root directory (by default the System32 folder) when Splunk Enterprise for Windows is installed on a separate disk from the system root. The flaw affects 9.1.x before 9.1.6, 9.2.x before 9.2.3, and 9.3.0; it is fixed in 9.3.1, 9.2.3, and 9.1.6.
The impact is significant because the write is performed by the splunkd service rather than by the requesting user's own Windows account, so it lands with the privileges of the Splunk service account (Local System by default) and bypasses the NTFS permissions that would normally stop a low-privileged user from touching System32. Depending on the filename and content chosen, an attacker could execute code on the host, overwrite or corrupt system files, or disrupt Splunk Enterprise itself; Splunk classifies the worst case as remote code execution. The risk is heightened where Splunk indexes sensitive data, since the host is then a stepping stone to further access.
CVE-2024-45731 was publicly disclosed on 2024-10-14. There is no indication of exploitation in the wild, it is not listed in the CISA KEV catalog, and no public proof-of-concept exploit is available. The low barrier to exploitation (any low-privileged Splunk account on an affected install) still makes it a likely target for opportunistic attackers once details circulate.
Exploit Status
EPSS
0.78% (74th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-45731 is to upgrade Splunk Enterprise for Windows to 9.3.1, 9.2.3, or 9.1.6 (or later in the same branch). If an immediate upgrade is not feasible, reduce the blast radius by running the splunkd service under a dedicated, low-privileged Windows service account instead of Local System, so that any file write it performs is constrained by the NTFS permissions on System32; this limits the damage but does not remove the flaw. Also review Splunk's role and capability configuration so that only users who need them hold sensitive capabilities, and watch System32 for unexpected new files created by the Splunk service account. Note that checking whether the low-privileged user's own Windows account can create a file in System32 does not test this fix, because the vulnerable write is made by splunkd, not by that user's account; after upgrading, verify the installed version instead (for example from the VERSION= line in $SPLUNK_HOME\etc\splunk.version or the output of splunk version).
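The version and install-location checks described above, written as an added triage script (this is not Splunk's code). It reads the VERSION= line from $SPLUNK_HOME\etc\splunk.version (the sample file contents below are constructed), compares the version against the three fixed releases, and checks whether SPLUNK_HOME sits on a different drive letter than the Windows system root, which is the precondition for this bug. Treating "different drive letter" as "separate disk" is an assumption of this example; mount points and junctions can make one physical disk appear under several letters, so confirm against the actual volume layout before closing a finding.

```python
"""Triage helper for CVE-2024-45731 (Splunk Enterprise for Windows).

Added example, not Splunk's own code. A host is in scope when BOTH hold:
  1. the installed version is in an affected branch (9.1.x < 9.1.6,
     9.2.x < 9.2.3, 9.3.0), and
  2. Splunk is installed on a different disk than the Windows system root.
"""
import re
from typing import Optional, Tuple

# Fixed releases from the advisory: (major, minor) -> first fixed patch level.
FIXED_IN = {
    (9, 1): 6,
    (9, 2): 3,
    (9, 3): 1,
}

# Constructed sample of $SPLUNK_HOME\etc\splunk.version. Only the VERSION=
# line matters here; the BUILD value is a placeholder, not a real build.
SAMPLE_SPLUNK_VERSION = """VERSION=9.2.1
BUILD=deadbeef0000
PRODUCT=splunk
PLATFORM=Windows-x86_64
"""


def parse_splunk_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from splunk.version file contents."""
    m = re.search(r"^VERSION=(\d+)\.(\d+)\.(\d+)", text, re.MULTILINE)
    if not m:
        raise ValueError("no VERSION= line found in splunk.version")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def fixed_version_for(version: Tuple[int, int, int]) -> Optional[str]:
    """Return the release to upgrade to if `version` is affected.

    Returns None when the version is already at or past the fix, or when
    it is outside the 9.1-9.3 branches the advisory covers (those need a
    separate check; this function does not claim they are safe).
    """
    major, minor, patch = version
    first_fixed = FIXED_IN.get((major, minor))
    if first_fixed is None or patch >= first_fixed:
        return None
    return f"{major}.{minor}.{first_fixed}"


def installed_on_separate_disk(splunk_home: str, system_root: str) -> bool:
    """True when SPLUNK_HOME and the system root use different drive letters.

    Assumption of this example: drive letter is used as a proxy for disk.
    """
    def drive(path: str) -> str:
        m = re.match(r"^([A-Za-z]):[\\/]", path)
        if not m:
            raise ValueError(f"not a drive-letter path: {path!r}")
        return m.group(1).upper()
    return drive(splunk_home) != drive(system_root)


def triage(version_text: str, splunk_home: str, system_root: str) -> dict:
    """Combine both checks into a single in-scope decision."""
    version = parse_splunk_version(version_text)
    fix = fixed_version_for(version)
    separate = installed_on_separate_disk(splunk_home, system_root)
    return {
        "version": ".".join(str(n) for n in version),
        "vulnerable_version": fix is not None,
        "separate_disk": separate,
        "in_scope": fix is not None and separate,
        "upgrade_to": fix,
    }


if __name__ == "__main__":
    # Hypothetical layout: Splunk on D:, Windows on C:.
    print(triage(SAMPLE_SPLUNK_VERSION, r"D:\Splunk", r"C:\Windows"))
```

On a real host, feed the script the contents of $SPLUNK_HOME\etc\splunk.version and the values of SPLUNK_HOME and %SystemRoot%; a result with `vulnerable_version` true but `separate_disk` false is still a version you should upgrade, it just does not meet this advisory's precondition.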
Upgrade Splunk Enterprise to version 9.3.1, 9.2.3, or 9.1.6 or later. This fixes the vulnerability that allows arbitrary file writes to the Windows system root directory and removes the resulting risk of remote code execution.
CVE-2024-45731 is a HIGH severity vulnerability that lets a low-privileged Splunk user write files to the Windows system root directory (System32 by default) in Splunk Enterprise for Windows 9.1.x before 9.1.6, 9.2.x before 9.2.3, and 9.3.0, potentially leading to code execution or disruption of the host.
You are affected if you run Splunk Enterprise for Windows 9.1.x before 9.1.6, 9.2.x before 9.2.3, or 9.3.0, and Splunk is installed on a separate disk from the Windows system root. Upgrade to 9.3.1, 9.2.3, or 9.1.6 to remove the risk.
Upgrade Splunk Enterprise for Windows to 9.3.1, 9.2.3, or 9.1.6. As a temporary workaround, run the splunkd service under a dedicated low-privileged Windows service account rather than Local System, and tighten Splunk role assignments.
There is currently no evidence of active exploitation in the wild and no public proof of concept, but the low barrier to exploitation means it could become a target.
Refer to the official Splunk Security Advisory: [https://capital.splunk.com/#!/advisory/SPL-24-033](https://capital.splunk.com/#!/advisory/SPL-24-033)