Platform: splunk
Component: splunk-enterprise
Fixed in: 10.0.1, 9.4.6, 9.3.8, 9.2.10 (Splunk Enterprise); 10.1.2507.4, 10.0.2503.6, 9.3.2411.116 (Splunk Cloud Platform)
CVE-2025-20388 describes a Server-Side Request Forgery (SSRF) vulnerability affecting Splunk Enterprise and Cloud Platform. An attacker with a role containing the change_authentication high privilege capability can leverage this flaw to enumerate internal IP addresses and network ports when adding new search peers. This vulnerability impacts versions of Splunk Enterprise ≤10.1.2507.4 and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.7, and 9.3.2411.116. A fix is available in version 10.1.2507.4.
This SSRF vulnerability allows a malicious actor with elevated privileges within a Splunk environment to perform internal network reconnaissance. Specifically, an attacker possessing the change_authentication role can add new search peers and, during this process, trigger requests to internal IP addresses and ports. This enables them to map the internal network topology, identify running services, and potentially discover sensitive information residing on internal systems. The blast radius is limited to the internal network accessible from the Splunk search head, but successful exploitation could lead to further compromise if internal systems are vulnerable. While direct data exfiltration isn't possible through this SSRF, it provides a crucial foothold for lateral movement and reconnaissance.
CVE-2025-20388 is not currently listed on the CISA KEV catalog. The EPSS score is likely low due to the requirement for elevated privileges (change_authentication). No public proof-of-concept exploits are currently known. The vulnerability was publicly disclosed on December 3, 2025, coinciding with the CVE publication.
Organizations utilizing Splunk Enterprise or Cloud Platform with distributed search architectures are at risk. Specifically, environments where users have been granted the change_authentication role without proper justification or oversight are particularly vulnerable. Shared hosting environments or those with legacy configurations where role assignments are not regularly reviewed should prioritize remediation.
• linux / server:
journalctl -u splunkd | grep -i "search peer" && journalctl -u splunkd | grep -i "internal ip"
• generic web:
curl -I <splunk_search_head_url>/services/server/peer_status | grep -i "internal ip"
Disclosure
Exploit status
EPSS: 0.04% (13th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-20388 is to upgrade Splunk Enterprise or Cloud Platform to a version containing the fix. Upgrade to version 10.1.2507.4 for Splunk Enterprise or the corresponding fixed versions for Cloud Platform (10.1.2507.4, 10.0.2503.7, and 9.3.2411.116). If immediate upgrade is not feasible, restrict the change_authentication capability to only trusted users and carefully review any new search peer configurations. Consider implementing network segmentation to limit the potential impact of internal network scanning. After upgrade, confirm the fix by attempting to add a new search peer and verifying that internal IP/port enumeration is prevented.
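The interim mitigation above depends on knowing which roles actually grant change_authentication, including roles that inherit it from an imported role. The following added example (not code from the advisory or from Splunk) parses the JSON returned by Splunk's `/services/authorization/roles?output_mode=json` endpoint and lists every role that holds the capability directly or through an import; the response embedded below is a constructed sample, and its field layout (`entry[].name`, `content.capabilities`, `content.imported_roles`) is assumed to match the documented output.

```python
import json

CAPABILITY = "change_authentication"

# Constructed sample shaped like /services/authorization/roles
# (output_mode=json): entry[].name with content.capabilities and
# content.imported_roles. Not captured from a real deployment.
SAMPLE_RESPONSE = json.dumps({"entry": [
    {"name": "admin", "content": {"imported_roles": [],
     "capabilities": ["change_authentication", "admin_all_objects"]}},
    {"name": "power", "content": {"imported_roles": ["user"],
     "capabilities": ["schedule_search"]}},
    {"name": "user", "content": {"imported_roles": [],
     "capabilities": ["search"]}},
    {"name": "peer_ops", "content": {"imported_roles": ["admin"],
     "capabilities": ["edit_dist_peer"]}},
]})

def effective_capabilities(roles, name, seen=None):
    """Capabilities of `name`, including those inherited from imported
    roles. `seen` stops the recursion if the imports form a cycle."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:
        return set()
    seen.add(name)
    caps = set(roles[name].get("capabilities", []))
    for parent in roles[name].get("imported_roles", []):
        caps |= effective_capabilities(roles, parent, seen)
    return caps

def roles_with_capability(raw, capability=CAPABILITY):
    """Parse the REST JSON and return sorted (role, how) pairs, where
    how is 'direct' or 'via <imported role>' for inherited grants."""
    roles = {e["name"]: e.get("content", {}) for e in json.loads(raw)["entry"]}
    findings = []
    for name, content in roles.items():
        if capability in content.get("capabilities", []):
            findings.append((name, "direct"))
            continue
        for parent in content.get("imported_roles", []):
            if capability in effective_capabilities(roles, parent):
                findings.append((name, "via " + parent))
                break
    return sorted(findings)

if __name__ == "__main__":
    for role, how in roles_with_capability(SAMPLE_RESPONSE):
        print(f"{role}: grants {CAPABILITY} ({how})")
```

Feed it the live response of the roles endpoint and review each listed role against the users mapped to it; roles that inherit the capability through an import are the ones most often missed in a manual review.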
Update Splunk Enterprise to version 10.0.1, 9.4.6, 9.3.8, or 9.2.10 or higher. For Splunk Cloud Platform, update to version 10.1.2507.4, 10.0.2503.7, or 9.3.2411.116 or higher. This will mitigate the blind SSRF vulnerability.
CVE-2025-20388 is a Server-Side Request Forgery vulnerability in Splunk Enterprise allowing attackers with change_authentication to enumerate internal IPs/ports. It has a LOW severity rating.
You are affected if you are running Splunk Enterprise versions ≤10.1.2507.4 or Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.7, and 9.3.2411.116, and have users with the change_authentication role.
Upgrade Splunk Enterprise to version 10.1.2507.4 or the corresponding fixed versions for Cloud Platform. Restrict the change_authentication role to trusted users as an interim measure.
There are currently no reports of active exploitation of CVE-2025-20388, but the vulnerability is publicly known.
Refer to the official Splunk security advisory for CVE-2025-20388 on the Splunk website (link to be added when available).