CVE-2025-20231

Severity: High
Published: 26 March 2025
Modified: 21 July 2025
KEV added: not listed
Patch: available (see the Splunk advisory below)
CVSS v3.1 score: 7.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS score: 0.0014 (33.4th percentile)
Risk priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-20231 is a high-severity vulnerability in Splunk Enterprise and the Splunk Secure Gateway app, classified as Insertion of Sensitive Information into Log File (CWE-532). Its CVSS v3.1 base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 33.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations identified in this analysis are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-20231 is a privilege escalation vulnerability affecting Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, as well as versions below 3.8.38 and 3.7.23 of the Splunk Secure Gateway app on Splunk Cloud Platform. It enables a low-privileged user without "admin" or "power" Splunk roles to execute a search using the permissions of a higher-privileged user, potentially resulting in the disclosure of sensitive information. The issue is classified under CWE-532 with a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts but requiring high attack complexity and user interaction.

Exploitation requires an authenticated low-privileged attacker to phish a higher-privileged victim, tricking them into initiating a specific request within their browser. This social engineering step is necessary, as the low-privileged user cannot trigger the vulnerability independently or at will. Successful exploitation allows the attacker to leverage the victim's elevated permissions to run unauthorized searches and access sensitive data.

The Splunk advisory at https://advisory.splunk.com/advisories/SVD-2025-0302 details mitigation, recommending upgrades to Splunk Enterprise versions 9.4.1, 9.3.3, 9.2.5, 9.1.8 or higher, and Splunk Secure Gateway app versions 3.8.38 or 3.7.23 or higher on Splunk Cloud Platform.

Vulnerability details

In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and versions below 3.8.38 and 3.7.23 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the "admin" or "power" Splunk roles could run a search using the permissions of a higher-privileged user that could lead to disclosure of sensitive information.

The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated low-privileged user should not be able to exploit the vulnerability at will.

CWE(s)

CWE-532 Insertion of Sensitive Information into Log File

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE is explicitly described as a privilege escalation vulnerability allowing a low-privileged user to execute searches with higher-privileged permissions, directly mapping to T1068.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-20239 (same product: Splunk)
CVE-2025-20229 (same product: Splunk)
CVE-2026-20204 (same product: Splunk)
CVE-2026-20163 (same product: Splunk)
CVE-2025-11547 (shared CWE-532)
CVE-2026-28923 (shared CWE-532)
CVE-2025-48635 (shared CWE-532)
CVE-2026-32982 (shared CWE-532)
CVE-2026-44052 (shared CWE-532)
CVE-2026-28987 (shared CWE-532)

Affected Assets

Vendor: splunk, product: splunk (Splunk Enterprise): 9.4.0; 9.1.0 to 9.1.8; 9.2.0 to 9.2.5; 9.3.0 to 9.3.3
Vendor: splunk, product: splunk secure gateway: 3.7.0 to 3.7.23; 3.8.0 to 3.8.38

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly mitigates the CVE by requiring timely identification, reporting, and correction of the specific flaw in Splunk Enterprise and the Secure Gateway app that enables privilege escalation.

AC-3 Access Enforcement (prevent)

Enforces approved authorizations for search operations, preventing low-privileged users from leveraging phished requests to execute under higher privileges.

AC-6 Least Privilege (prevent)

Limits privileges to only necessary functions, reducing the scope of sensitive information disclosable via escalated search permissions.
