Platform
splunk
Component
sa-ldapsearch
Fixed in
3.1.1
CVE-2025-0367 describes a Denial of Service (DoS) vulnerability discovered in the Splunk Supporting Add-on for Active Directory (SA-ldapsearch). This vulnerability stems from a flawed regular expression pattern that can be exploited to trigger a Regular Expression Denial of Service (ReDoS) attack. The vulnerability impacts versions 3.1.0 and earlier of the add-on, and a fix is available in version 3.1.1.
An attacker exploiting CVE-2025-0367 can induce a ReDoS attack by crafting malicious LDAP queries. This attack can exhaust system resources, leading to a denial of service, effectively preventing the Splunk add-on from properly monitoring Active Directory. The impact extends beyond simple service disruption; prolonged DoS conditions can hinder security incident detection and response, potentially masking other malicious activity. Successful exploitation could also impact the stability of the Splunk platform itself, depending on the add-on's integration and resource usage.
CVE-2025-0367 was publicly disclosed on 2025-01-30. There is no indication of active exploitation campaigns targeting this vulnerability at this time, and it is not currently listed on CISA KEV. Public proof-of-concept exploits are not widely available, but little expertise is needed to weaponize a ReDoS: once the vulnerable pattern is known, the payload is typically a short string of repeated characters followed by one character that forces the match to fail, which is trivial to reproduce.
Organizations heavily reliant on Splunk for Active Directory monitoring are particularly at risk. Exposure scales with who can submit LDAP queries through the add-on: environments in which many Splunk users or scheduled searches can invoke its commands give an attacker more opportunities to feed it a crafted query. Security teams using the Splunk Supporting Add-on for Active Directory to automate security tasks or incident response are also at heightened risk, as a DoS condition could disrupt these critical functions.
• linux / server: Monitor system resource usage (CPU, memory) for unusual spikes, especially during LDAP query processing. Use top, htop, or similar tools to identify the splunkd or Python search-command processes consuming excessive CPU:
top -c
• linux / server: Examine Splunk logs for errors related to LDAP queries or regular expression processing. Look for patterns indicative of excessive backtracking or resource exhaustion, such as searches that time out or search commands killed for exceeding their runtime. Splunk writes its own logs under $SPLUNK_HOME/var/log/splunk/ rather than to the systemd journal, so search those files directly (the original command's grep -i "regex" -i "ldap" would have treated "ldap" as a filename):
grep -iE "ldap|regex" "$SPLUNK_HOME/var/log/splunk/splunkd.log"
• generic web: If the add-on exposes any web interfaces, monitor for unusual request patterns or error rates that might correlate with LDAP query processing.
EPSS
0.19% (41st percentile)
The primary mitigation for CVE-2025-0367 is to upgrade the Splunk Supporting Add-on for Active Directory to version 3.1.1 or later, which contains the fix for the vulnerable regular expression. If immediate upgrading is not feasible, reduce the attack surface with input validation in front of the add-on: cap the length of query strings that reach it and reject inputs made up of long runs of repeated characters, the shape a ReDoS payload takes. This is not a complete solution, because a pattern with catastrophic backtracking can still be driven to high CPU by inputs that pass such checks. Monitor system resource usage (CPU, memory) for unusual spikes, which could indicate a ReDoS attack in progress. After upgrading, confirm the installed version (for example in the add-on's app.conf under $SPLUNK_HOME/etc/apps/) and verify that Active Directory monitoring is operating as expected and that LDAP queries are processed without excessive latency.
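The following Python is an added example, not code from the SA-ldapsearch add-on (the add-on's actual expression is not reproduced on this page). It shows the mechanics behind the attack description and the mitigation advice above: a constructed validator with a nested quantifier exhibits catastrophic backtracking on a short near-miss input, a rewritten pattern accepting the same format does not, and a length guard keeps the vulnerable pattern from ever seeing a long payload. The two patterns, the MAX_INPUT_LEN value and the function names are assumptions chosen for illustration.

```python
"""Added example: catastrophic backtracking (ReDoS) and two mitigations.
Not the add-on's code; the patterns below are constructed for illustration."""
import re
import time

# Hypothetical hostname/attribute validator with a NESTED quantifier.
# "(X+)+" gives the engine exponentially many ways to split a run of
# characters, all of which it tries before giving up on a near-miss.
VULNERABLE = re.compile(r"^([A-Za-z0-9]+\.?)+$")

# Same accepted language, written so there is only one way to split the
# input: labels separated by single dots, optional trailing dot.
HARDENED = re.compile(r"^[A-Za-z0-9]+(?:\.[A-Za-z0-9]+)*\.?$")

# Input guard: assumed limit, chosen so the regex only sees bounded input.
MAX_INPUT_LEN = 64


def validate(pattern, value):
    """True if the whole value matches. Safe on unbounded input only with HARDENED."""
    return pattern.fullmatch(value) is not None


def guarded_validate(pattern, value, max_len=MAX_INPUT_LEN):
    """Reject oversized input BEFORE the regex runs. Returns (accepted, reason)."""
    if len(value) > max_len:
        return False, "rejected: %d characters exceeds limit of %d" % (len(value), max_len)
    ok = validate(pattern, value)
    return ok, "matched" if ok else "no match"


def time_match(pattern, value):
    """Seconds spent deciding whether value matches pattern."""
    t0 = time.perf_counter()
    validate(pattern, value)
    return time.perf_counter() - t0


def backtracking_growth(pattern, lengths=(10, 12, 14, 16)):
    """Time the pattern against 'aaa...a!' (a near-miss: all valid characters,
    then one that can never match) and return [(n, seconds), ...].
    Roughly doubling per extra character means the pattern is ReDoS-prone."""
    return [(n, time_match(pattern, "a" * n + "!")) for n in lengths]


if __name__ == "__main__":
    for name, pat in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, ["%d:%.5fs" % (n, s) for n, s in backtracking_growth(pat)])
    # The guard stops a long payload from reaching the vulnerable pattern at all.
    print(guarded_validate(VULNERABLE, "a" * 200 + "!"))
```

Running the script shows the vulnerable pattern's time roughly doubling for every extra character while the hardened pattern stays flat; the guard is the stop-gap for the unpatched case, the rewritten pattern is what the upgrade provides. Do not run the vulnerable pattern unguarded against the 200-character payload: that is the denial of service.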
Upgrade the Splunk Supporting Add-on for Active Directory to version 3.1.1 or later. This version fixes the ReDoS vulnerability in the regular expression. You can download the latest version from the Splunk website (Splunkbase) or install it through the Splunk administration interface.
CVE-2025-0367 is a medium-severity Denial of Service vulnerability in Splunk Supporting Add-on for Active Directory versions 3.1.0 and earlier, caused by a vulnerable regular expression pattern; it is fixed in version 3.1.1.
If you are using Splunk Supporting Add-on for Active Directory version 3.1.0 or earlier, you are potentially affected by this vulnerability.
Upgrade to version 3.1.1 or later of the Splunk Supporting Add-on for Active Directory to resolve the vulnerability. Consider input validation as a temporary workaround.
There is currently no evidence of active exploitation campaigns targeting CVE-2025-0367, but the ReDoS nature makes it potentially attractive to attackers.
Refer to the official Splunk security advisory for detailed information and updates regarding CVE-2025-0367: [https://splunk.com/security/advisories](https://splunk.com/security/advisories)