Platform: splunk
Component: splunk-enterprise
Fixed in: 10.0.1, 9.4.4, 9.3.6, 9.2.8 (Splunk Enterprise); 9.3.2411.109, 9.3.2408.119, 9.2.2406.122 (Splunk Cloud Platform)
CVE-2025-20371 describes a server-side request forgery (SSRF) vulnerability affecting Splunk Enterprise and Splunk Cloud Platform. This vulnerability allows an unauthenticated attacker to potentially trigger REST API calls on behalf of a high-privileged, authenticated user, leading to unauthorized access and potential data exfiltration. Affected versions include Splunk Enterprise versions prior to 10.0.1, 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions prior to 9.3.2411.109, 9.3.2408.119, and 9.2.2406.122. A fix is available in Splunk Enterprise 10.0.1.
The SSRF vulnerability in Splunk Enterprise allows an attacker to craft malicious requests that are processed by the Splunk server. Because the attacker can control the destination of these requests, they can potentially access internal resources that are not directly exposed to the internet. The ability to execute REST API calls on behalf of a high-privileged user significantly amplifies the impact. An attacker could leverage this to modify configurations, access sensitive data, or even escalate privileges within the Splunk environment. This could lead to data breaches, system compromise, and disruption of Splunk services. The potential for lateral movement within the network is also a concern, as the attacker could use the SSRF vulnerability to probe and access other internal systems.
CVE-2025-20371 was publicly disclosed on October 1, 2025. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the SSRF nature of the vulnerability makes it likely that exploits will emerge. The CVSS score of 7.5 (HIGH) indicates a significant risk, and organizations should prioritize remediation.
Exploit Status
EPSS: 0.08% (23rd percentile)
The primary mitigation for CVE-2025-20371 is to upgrade to a patched version of Splunk Enterprise or Splunk Cloud Platform. Specifically, upgrade to Splunk Enterprise 10.0.1 or later, 9.4.4 or later, 9.3.6 or later, or 9.2.8 or later, or to Splunk Cloud Platform 9.3.2411.109 or later, 9.3.2408.119 or later, or 9.2.2406.122 or later. If an immediate upgrade is not possible, consider temporary workarounds such as restricting outbound network access from the Splunk server and placing a Web Application Firewall (WAF) or proxy in front of it to block suspicious requests. Review and tighten Splunk's internal access controls to limit the privileges of high-privileged users. After upgrading, verify the fix by attempting to trigger an SSRF request and confirming that it is blocked.
Update Splunk Enterprise to version 10.0.1, 9.4.4, 9.3.6, 9.2.8 or later. For Splunk Cloud Platform, update to version 9.3.2411.109, 9.3.2408.119, 9.2.2406.122 or later. This corrects the SSRF vulnerability that allows unauthenticated attackers to make REST API calls on behalf of high-privileged users.
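To turn the version lists above into a repeatable check, here is an added example (not from the advisory or from Splunk) that maps an installed version onto the matching release line and compares it with the fixed release for that line. It assumes the output of `splunk version` (or a bare version string) as input, and treats four-component versions as Splunk Cloud Platform builds unless told otherwise.

```python
import re

# Fixed releases named in the advisory for CVE-2025-20371, one per release line.
FIXED = {
    "enterprise": ["10.0.1", "9.4.4", "9.3.6", "9.2.8"],
    "cloud": ["9.3.2411.109", "9.3.2408.119", "9.2.2406.122"],
}


def parse_version(text):
    """Extract the first dotted version from text such as 'Splunk 9.3.5 (build abc)'."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def status(version_text, product=None):
    """Return 'affected', 'fixed' or 'unknown' for a Splunk version string.

    product defaults to 'cloud' for four-component versions and 'enterprise'
    otherwise (assumption: Cloud builds on this advisory carry a fourth component).
    """
    v = parse_version(version_text)
    if product is None:
        product = "cloud" if len(v) == 4 else "enterprise"
    fixed = [parse_version(f) for f in FIXED[product]]
    # A release line is every component but the last (9.3.x, 9.3.2411.x, ...).
    for f in fixed:
        if len(f) == len(v) and f[:-1] == v[:-1]:
            return "affected" if v < f else "fixed"
    # Release line not listed. Anything older than the lowest fixed release
    # (e.g. 9.1.x) is read as "prior to" it and flagged; the rest is left open.
    if v < min(fixed):
        return "affected"
    return "unknown"


def report(version_texts):
    """Map each input string to its status, for a fleet inventory."""
    return {t: status(t) for t in version_texts}


if __name__ == "__main__":
    # Constructed sample inputs in the shape `splunk version` prints.
    samples = ["Splunk 9.3.5 (build 1234)", "Splunk 10.0.1 (build 5678)",
               "9.2.2406.121", "9.1.2", "9.5.0"]
    for text, result in report(samples).items():
        print(f"{text} -> {result}")
```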
CVE-2025-20371 is a server-side request forgery vulnerability in Splunk Enterprise versions below 10.0.1, allowing unauthenticated attackers to potentially trigger REST API calls on behalf of high-privileged users.
You are affected if you are running Splunk Enterprise versions prior to 10.0.1, 9.4.4, 9.3.6, or 9.2.8, or Splunk Cloud Platform versions prior to 9.3.2411.109, 9.3.2408.119, or 9.2.2406.122.
Upgrade to Splunk Enterprise 10.0.1 or later, 9.4.4 or later, 9.3.6 or later, or 9.2.8 or later, or to Splunk Cloud Platform 9.3.2411.109 or later, 9.3.2408.119 or later, or 9.2.2406.122 or later.
While no active exploitation has been confirmed, the SSRF nature of the vulnerability suggests it is likely to be targeted, and organizations should prioritize remediation.
Refer to the official Splunk security advisory for CVE-2025-20371 on the Splunk website (link to be added when available).