Platform: splunk
Component: sa-ldapsearch
Fixed in: 3.1.1
CVE-2025-0367 describes a Denial of Service (DoS) vulnerability discovered in the Splunk Supporting Add-on for Active Directory (SA-ldapsearch). This vulnerability stems from a flawed regular expression pattern that can be exploited to trigger a Regular Expression Denial of Service (ReDoS) attack. The vulnerability impacts versions 3.1.0 and earlier of the add-on, and a fix is available in version 3.1.1.
An attacker exploiting CVE-2025-0367 can induce a ReDoS attack by crafting malicious LDAP queries. This attack can exhaust system resources, leading to a denial of service, effectively preventing the Splunk add-on from properly monitoring Active Directory. The impact extends beyond simple service disruption; prolonged DoS conditions can hinder security incident detection and response, potentially masking other malicious activity. Successful exploitation could also impact the stability of the Splunk platform itself, depending on the add-on's integration and resource usage.
CVE-2025-0367 was publicly disclosed on 2025-01-30. There is no indication of active exploitation campaigns targeting this vulnerability at this time. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are not widely available, but the ReDoS nature of the vulnerability makes it potentially attractive to attackers with regular expression expertise.
Exploit Status
EPSS: 0.19% (41st percentile)
The primary mitigation for CVE-2025-0367 is to upgrade the Splunk Supporting Add-on for Active Directory to version 3.1.1 or later, which contains the fix for the vulnerable regular expression. If immediate upgrading is not feasible, consider implementing input validation on LDAP queries to filter out potentially malicious patterns. While not a complete solution, this can reduce the attack surface. Monitor system resource usage (CPU, memory) for unusual spikes, which could indicate a ReDoS attack in progress. After upgrading, confirm functionality by verifying that Active Directory monitoring is operating as expected and that LDAP queries are processed without excessive latency.
Update the Splunk Supporting Add-on for Active Directory to version 3.1.1 or higher. This version corrects the ReDoS vulnerability in the regular expression. You can download the latest version from the Splunk website or through the Splunk administration interface.
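To find hosts that still need the upgrade described above, the installed add-on version can be read from its `app.conf` and compared with 3.1.1. The following is an added example, not code from Splunk or from this advisory; it assumes the add-on lives at `$SPLUNK_HOME/etc/apps/SA-ldapsearch/default/app.conf` with the version in the `[launcher]` or `[id]` stanza, and the sample file contents are constructed.

```python
import re
import sys

FIXED = (3, 1, 1)  # first fixed release, per this advisory

# Constructed sample of an app.conf from an affected install (not a real file).
SAMPLE_VULNERABLE = """
[install]
is_configured = 0

[launcher]
author = Splunk
version = 3.1.0
"""

def parse_version(text):
    """Turn '3.1.0' into (3, 1, 0); a suffix such as '-beta' is ignored."""
    nums = re.findall(r"\d+", text.split("-")[0])
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(n) for n in nums[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def installed_version(app_conf_text):
    """Return the version string from [launcher], falling back to [id]."""
    stanza, found = None, {}
    for raw in app_conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
        elif "=" in line and stanza in ("launcher", "id"):
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "version":
                found.setdefault(stanza, value)
    return found.get("launcher") or found.get("id")

def is_affected(app_conf_text):
    """True if the version is below 3.1.1, None if no version was found."""
    version = installed_version(app_conf_text)
    if version is None:
        return None
    return parse_version(version) < FIXED

if __name__ == "__main__":
    # Pass the path to app.conf, or run without arguments to use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VULNERABLE
    print(installed_version(text), "affected:", is_affected(text))
```

A result of `None` means the file carried no version, so that host needs a manual check.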
CVE-2025-0367 is a medium-severity Denial of Service vulnerability in Splunk Supporting Add-on for Active Directory versions 3.1.0 and earlier, caused by a vulnerable regular expression pattern.
If you are using Splunk Supporting Add-on for Active Directory version 3.1.0 or earlier, you are potentially affected by this vulnerability.
Upgrade to version 3.1.1 or later of the Splunk Supporting Add-on for Active Directory to resolve the vulnerability. Consider input validation as a temporary workaround.
There is currently no evidence of active exploitation campaigns targeting CVE-2025-0367, but the ReDoS nature makes it potentially attractive to attackers.
Refer to the official Splunk security advisory for detailed information and updates regarding CVE-2025-0367: [https://splunk.com/security/advisories](https://splunk.com/security/advisories)