CVE-2025-20229
Published: 26 March 2025
Summary
CVE-2025-20229 is a high-severity Improper Access Control (CWE-284) vulnerability in Splunk Enterprise and Splunk Cloud Platform. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 6.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for access to system resources such as the apptemp directory, directly addressing the missing authorization checks that allowed low-privileged users to upload malicious files.
- AC-24 (Access Control Decisions): Requires the system to explicitly authorize or deny access to specific resources such as $SPLUNK_HOME/var/run/splunk/apptemp, preventing unauthorized file uploads by low-privileged users.
- AC-6 (Least Privilege): Ensures low-privileged users lack write access to sensitive directories such as apptemp, mitigating exploitation even if authorization checks are incomplete.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The flaw is an RCE in a public-facing Splunk application caused by missing authorization checks: low-privileged users can upload malicious files and obtain arbitrary code execution, which maps directly to T1190 (Exploit Public-Facing Application) and T1068 (Exploitation for Privilege Escalation).
NVD Description
In Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8, and Splunk Cloud Platform versions below 9.3.2408.104, 9.2.2406.108, 9.2.2403.114, and 9.1.2312.208, a low-privileged user that does not hold the "admin" or "power" Splunk roles could perform a Remote Code Execution (RCE) through a file upload to the "$SPLUNK_HOME/var/run/splunk/apptemp" directory due to missing authorization checks.
Deeper analysis
CVE-2025-20229 is a remote code execution (RCE) vulnerability affecting Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8, as well as Splunk Cloud Platform versions below 9.3.2408.104, 9.2.2406.108, 9.2.2403.114, and 9.1.2312.208. The flaw arises from missing authorization checks, enabling a low-privileged user lacking "admin" or "power" Splunk roles to upload malicious files to the $SPLUNK_HOME/var/run/splunk/apptemp directory.
A low-privileged user with network access can exploit this vulnerability remotely by uploading a crafted file to that directory, although the CVSS vector records that user interaction is required (UI:R). Successful exploitation allows arbitrary code execution on the Splunk server, resulting in high impacts to confidentiality, integrity, and availability, as reflected in its CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). The issue is classified as CWE-284 (Improper Access Control).
Splunk's advisory SVD-2025-0301 details the vulnerability and recommends mitigation by upgrading to the patched versions: Splunk Enterprise 9.3.3, 9.2.5, 9.1.8 or later, and the corresponding Splunk Cloud Platform releases.
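The fixed versions above span three Enterprise release lines and four Cloud Platform release lines, so a simple "version < X" comparison is not enough when triaging an inventory. The following is an added example (not from Splunk or the advisory) that encodes those thresholds and reports each host as affected, fixed, or on a release line the advisory does not name. It assumes Enterprise lines are keyed by the first two version components and Cloud lines by the first three, inferred from the version strings in the NVD text, and the inventory is a constructed sample.

```python
# Added triage helper for CVE-2025-20229; thresholds copied from the NVD description.
# Assumption: Enterprise release lines are keyed "major.minor", Cloud lines "major.minor.build".

FIXED_ENTERPRISE = {"9.3": (9, 3, 3), "9.2": (9, 2, 5), "9.1": (9, 1, 8)}
FIXED_CLOUD = {
    "9.3.2408": (9, 3, 2408, 104),
    "9.2.2406": (9, 2, 2406, 108),
    "9.2.2403": (9, 2, 2403, 114),
    "9.1.2312": (9, 1, 2312, 208),
}
STATUS = {True: "AFFECTED", False: "fixed", None: "unknown-line"}


def parse_version(text):
    """Turn '9.2.2406.107' into (9, 2, 2406, 107); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable Splunk version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product, version):
    """True if below the fixed build for its line, False if at/above it,
    None if the release line is not named in the advisory (check with the vendor)."""
    v = parse_version(version)
    if product == "enterprise":
        table, key_len = FIXED_ENTERPRISE, 2
    elif product == "cloud":
        table, key_len = FIXED_CLOUD, 3
    else:
        raise ValueError(f"unknown product: {product!r}")
    fixed = table.get(".".join(str(x) for x in v[:key_len]))
    if fixed is None:
        return None
    # Tuple comparison: a truncated version such as "9.3" sorts below "9.3.3",
    # so incomplete data is conservatively reported as affected.
    return v < fixed


def triage(inventory):
    """inventory: iterable of (host, product, version) -> list of (host, status)."""
    return [(host, STATUS[is_affected(product, ver)]) for host, product, ver in inventory]


INVENTORY = [  # constructed sample data, not real hosts
    ("sh-01", "enterprise", "9.2.4"),
    ("sh-02", "enterprise", "9.3.3"),
    ("idx-01", "enterprise", "9.4.0"),
    ("cloud-a", "cloud", "9.2.2406.107"),
    ("cloud-b", "cloud", "9.1.2312.208"),
]

if __name__ == "__main__":
    for host, status in triage(INVENTORY):
        print(f"{host:10} {status}")
```

Hosts reported as "unknown-line" are not cleared by this check; confirm their status against the vendor advisory rather than assuming they are safe.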
Details
- CWE(s): CWE-284 (Improper Access Control)