Cyber Resilience

CVE-2025-20229

High

Published: 26 March 2025

Modified: 21 July 2025
KEV: not listed
Patch: available (fixed versions listed in the vendor advisory)
CVSS v3.1 score: 8.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS score: 0.1125 (93.7th percentile)
Risk priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-20229 is a high-severity Improper Access Control (CWE-284) vulnerability in Splunk Enterprise and Splunk Cloud Platform. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 6.3% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-20229 is an improper access control vulnerability, tracked as CWE-284, that affects Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8 as well as Splunk Cloud Platform versions below 9.3.2408.104, 9.2.2406.108, 9.2.2403.114, and 9.1.2312.208. The flaw stems from missing authorization checks on file uploads to the $SPLUNK_HOME/var/run/splunk/apptemp directory, enabling remote code execution with a CVSS 3.1 score of 8.0.

A low-privileged Splunk user lacking the admin or power roles can exploit the issue over the network by uploading a malicious file that results in arbitrary code execution, granting the attacker high impact on confidentiality, integrity, and availability without requiring user interaction beyond the initial upload.

The official Splunk advisory SVD-2025-0301 recommends upgrading affected Enterprise and Cloud Platform instances to the fixed versions listed in the bulletin to remediate the missing authorization checks. The associated EPSS score has remained essentially flat near 0.11 with no material rise after disclosure.

Vulnerability details

In Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8, and Splunk Cloud Platform versions below 9.3.2408.104, 9.2.2406.108, 9.2.2403.114, and 9.1.2312.208, a low-privileged user that does not hold the "admin" or "power" Splunk roles could perform a Remote Code Execution (RCE) through a file upload to the "$SPLUNK_HOME/var/run/splunk/apptemp" directory due to missing authorization checks.

CWE(s)

CWE-284 Improper Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

This is an RCE vulnerability in a public-facing Splunk application caused by missing authorization checks. Because it lets low-privileged users upload malicious files that lead to arbitrary code execution, it maps directly to T1190 (Exploit Public-Facing Application) for the network-reachable entry point and to T1068 (Exploitation for Privilege Escalation) for the jump from a low-privileged role to code execution on the host.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-20204 (same product: Splunk)
CVE-2026-20163 (same product: Splunk)
CVE-2026-20239 (same product: Splunk)
CVE-2025-20231 (same product: Splunk)
CVE-2025-29315 (shared CWE-284)
CVE-2025-55261 (shared CWE-284)
CVE-2026-21636 (shared CWE-284)
CVE-2025-57130 (shared CWE-284)
CVE-2024-53348 (shared CWE-284)
CVE-2026-24300 (shared CWE-284)

Affected Assets

Splunk Enterprise (vendor: splunk, product: splunk): 9.4.0; 9.1.0 to 9.1.8; 9.2.0 to 9.2.5; 9.3.0 to 9.3.3
Splunk Cloud Platform (vendor: splunk, product: splunk cloud platform): 9.1.2312 to 9.1.2312.208; 9.2.2403 to 9.2.2403.114; 9.2.2406.100 to 9.2.2406.108

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Enforces approved authorizations for access to system resources like the apptemp directory, directly addressing the missing authorization checks that allowed low-privileged users to upload malicious files.

AC-24 Access Control Decisions (prevent): Requires the system to explicitly authorize or deny access to specific resources such as $SPLUNK_HOME/var/run/splunk/apptemp, preventing unauthorized file uploads by low-privileged users.

AC-6 Least Privilege (prevent): Implements least privilege to ensure low-privileged users lack write access to sensitive directories like apptemp, mitigating exploitation even if authorization checks are incomplete.