Platform: splunk
Component: splunk-enterprise
Fixed in: 10.0.1, 9.4.4, 9.3.6, 9.2.8 (Splunk Enterprise); 9.3.2411.109, 9.3.2408.119, 9.2.2406.122 (Splunk Cloud Platform)
CVE-2025-20371 describes a server-side request forgery (SSRF) vulnerability affecting Splunk Enterprise and Splunk Cloud Platform. This vulnerability allows an unauthenticated attacker to potentially trigger REST API calls on behalf of a high-privileged, authenticated user, leading to unauthorized access and potential data exfiltration. Affected versions include Splunk Enterprise versions prior to 10.0.1, 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions prior to 9.3.2411.109, 9.3.2408.119, and 9.2.2406.122. A fix is available in Splunk Enterprise 10.0.1.
The SSRF vulnerability in Splunk Enterprise allows an attacker to craft malicious requests that are processed by the Splunk server. Because the attacker can control the destination of these requests, they can potentially access internal resources that are not directly exposed to the internet. The ability to execute REST API calls on behalf of a high-privileged user significantly amplifies the impact. An attacker could leverage this to modify configurations, access sensitive data, or even escalate privileges within the Splunk environment. This could lead to data breaches, system compromise, and disruption of Splunk services. The potential for lateral movement within the network is also a concern, as the attacker could use the SSRF vulnerability to probe and access other internal systems.
CVE-2025-20371 was publicly disclosed on October 1, 2025. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the SSRF nature of the vulnerability makes it likely that exploits will emerge. The CVSS score of 7.5 (HIGH) indicates a significant risk, and organizations should prioritize remediation.
Organizations heavily reliant on Splunk Enterprise for security monitoring and data analytics are particularly at risk. Environments with complex internal network topologies and a high degree of inter-system communication are also more vulnerable, as the SSRF vulnerability could be used to map and exploit internal resources. Shared hosting environments where multiple tenants share the same Splunk instance are also at increased risk.
• linux / server: Monitor Splunk logs for unusual outbound HTTP requests, particularly those targeting internal services. Use journalctl -u splunkd to filter for relevant log entries.
  journalctl -u splunkd | grep -i 'request: .*://' | grep -v 'localhost'
• generic web: Use curl to test for SSRF by attempting to access internal resources through the Splunk API.
  curl -v 'http://<splunk_server>/services/server/rest/system/info' -H 'Host: <internal_server>'
• splunk: Examine Splunk's internal audit logs for suspicious API calls originating from unexpected sources.
disclosure
Exploit status
EPSS: 0.08% (23rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-20371 is to upgrade to a patched version of Splunk Enterprise or Splunk Cloud Platform. Specifically, upgrade to Splunk Enterprise 10.0.1 or later, 9.4.4 or later, 9.3.6 or later, or 9.2.8 or later, or to Splunk Cloud Platform 9.3.2411.109 or later, 9.3.2408.119 or later, or 9.2.2406.122 or later. If an immediate upgrade is not possible, consider temporary workarounds such as restricting outbound network access from the Splunk server, or placing a Web Application Firewall (WAF) or proxy in front of it to block suspicious requests. Review and tighten Splunk's internal access controls to limit the privileges of high-privileged users. After upgrading, verify the fix by attempting to trigger an SSRF request and confirming that it is blocked.
Update Splunk Enterprise to version 10.0.1, 9.4.4, 9.3.6, 9.2.8 or later. For Splunk Cloud Platform, update to version 9.3.2411.109, 9.3.2408.119, 9.2.2406.122 or later. This fixes the SSRF vulnerability that allows unauthenticated attackers to make REST API calls on behalf of high-privileged users.
CVE-2025-20371 is a server-side request forgery vulnerability in Splunk Enterprise versions below 10.0.1, allowing unauthenticated attackers to potentially trigger REST API calls on behalf of high-privileged users.
You are affected if you are running Splunk Enterprise versions prior to 10.0.1, 9.4.4, 9.3.6, 9.2.8, or Splunk Cloud Platform versions prior to 9.3.2411.109, 9.3.2408.119, and 9.2.2406.122.
Upgrade to Splunk Enterprise 10.0.1 or later, 9.4.4 or later, 9.3.6 or later, 9.2.8 or later, or Splunk Cloud Platform 9.3.2411.109 or later, 9.3.2408.119 or later, and 9.2.2406.122 or later.
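Because each fixed release closes only its own maintenance branch (9.2.7 is affected even though 9.4.4 is the latest listed 9.x fix), a plain "greater than" comparison gets this wrong. The branch-aware check below is an added example written for this page, not Splunk's own tooling; the fixed versions come from the advisory text, the host inventory is constructed, and branches the advisory does not list are reported as "not-listed" rather than guessed.

```python
import re
from typing import Dict, Tuple

# Fixed releases exactly as listed in the advisory for CVE-2025-20371.
# Each entry closes only its own maintenance branch, so the check below
# compares a version only against the fix for the same branch.
FIXED_ENTERPRISE = ("10.0.1", "9.4.4", "9.3.6", "9.2.8")
FIXED_CLOUD = ("9.3.2411.109", "9.3.2408.119", "9.2.2406.122")

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Extract the first dotted version in a string: 'Splunk 9.4.3 (build ...)' -> (9, 4, 3)."""
    m = re.search(r"(\d+(?:\.\d+){1,3})", text)
    if not m:
        raise ValueError(f"no dotted version found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def status(installed: str, product: str) -> str:
    """Return 'vulnerable', 'fixed' or 'not-listed' for one installed version.

    product is 'enterprise' or 'cloud'. The branch is every component except
    the last (9.4 for Enterprise 9.4.4, 9.3.2411 for Cloud 9.3.2411.109);
    only a version of the same length and branch is compared.
    """
    if product == "enterprise":
        fixed_list = FIXED_ENTERPRISE
    elif product == "cloud":
        fixed_list = FIXED_CLOUD
    else:
        raise ValueError(f"unknown product {product!r}")
    v = parse_version(installed)
    for fixed in map(parse_version, fixed_list):
        if len(v) == len(fixed) and v[:-1] == fixed[:-1]:
            return "fixed" if v[-1] >= fixed[-1] else "vulnerable"
    return "not-listed"  # branch not named in the advisory; verify manually


def triage(inventory: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """Map host name -> status for a {host: (product, version_string)} inventory."""
    return {host: status(ver, product) for host, (product, ver) in inventory.items()}


# Constructed sample inventory (hypothetical hosts and a fake build id), in the
# shape an administrator might collect from `splunk version` on each node.
SAMPLE_INVENTORY = {
    "sh-01": ("enterprise", "Splunk 9.4.3 (build 0000000000)"),
    "idx-01": ("enterprise", "9.4.4"),
    "idx-02": ("enterprise", "9.1.5"),
    "cloud-stack": ("cloud", "9.3.2411.108"),
}

if __name__ == "__main__":
    for host, result in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {result}")
```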
While no active exploitation has been confirmed, the SSRF nature of the vulnerability suggests it is likely to be targeted, and organizations should prioritize remediation.
Refer to the official Splunk security advisory for CVE-2025-20371 on the Splunk website (link to be added when available).