CVE-2025-20231
Published: 26 March 2025
Summary
CVE-2025-20231 is a high-severity Insertion of Sensitive Information into Log File (CWE-532) vulnerability in Splunk Enterprise and the Splunk Secure Gateway app. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 33.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the CVE by requiring timely identification, reporting, and correction of the specific flaw in Splunk Enterprise and the Secure Gateway app that enables privilege escalation.
- AC-3 (Access Enforcement): enforces approved authorizations for search operations, preventing low-privileged users from leveraging phished requests to execute under higher privileges.
- Least privilege: limits privileges to only necessary functions, reducing the scope of sensitive information disclosable via escalated search permissions.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE is explicitly described as a privilege escalation vulnerability allowing a low-privileged user to execute searches with higher-privileged permissions, directly mapping to T1068.
NVD Description
In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and versions below 3.8.38 and 3.7.23 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the "admin" or "power" Splunk roles could run a search using the permissions of a higher-privileged user that could lead to disclosure of sensitive information.
The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated low-privileged user should not be able to exploit the vulnerability at will.
Deeper analysis
CVE-2025-20231 is a privilege escalation vulnerability affecting Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, as well as versions below 3.8.38 and 3.7.23 of the Splunk Secure Gateway app on Splunk Cloud Platform. It enables a low-privileged user without "admin" or "power" Splunk roles to execute a search using the permissions of a higher-privileged user, potentially resulting in the disclosure of sensitive information. The issue is classified under CWE-532 with a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts but requiring high attack complexity and user interaction.
Exploitation requires an authenticated low-privileged attacker to phish a higher-privileged victim, tricking them into initiating a specific request within their browser. This social engineering step is necessary, as the low-privileged user cannot trigger the vulnerability independently or at will. Successful exploitation allows the attacker to leverage the victim's elevated permissions to run unauthorized searches and access sensitive data.
The Splunk advisory at https://advisory.splunk.com/advisories/SVD-2025-0302 details mitigation, recommending upgrades to Splunk Enterprise versions 9.4.1, 9.3.3, 9.2.5, 9.1.8 or higher, and Splunk Secure Gateway app versions 3.8.38 or 3.7.23 or higher on Splunk Cloud Platform.
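To turn the fixed-version list above into an inventory check, here is an added Python example (not Splunk's own tooling or part of the advisory). It assumes "versions below X" means older builds on the same major.minor branch as each listed fix, and it flags branches the advisory text does not list for manual review instead of guessing.

```python
# Added example: branch-aware version check against the fixed versions named
# in the CVE-2025-20231 advisory text. Not Splunk's own tooling.
from typing import Dict, List, Optional, Tuple

# Fixed versions exactly as listed in the NVD description on this page.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "splunk_enterprise": ["9.4.1", "9.3.3", "9.2.5", "9.1.8"],
    "secure_gateway": ["3.8.38", "3.7.23"],
}

def parse_version(text: str) -> Tuple[int, ...]:
    """'9.3.2' -> (9, 3, 2). A trailing build tag such as '-abc' is dropped."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))

def is_affected(product: str, installed: str) -> Optional[bool]:
    """True: older than the fix on its own major.minor branch (affected).
    False: at or past the fix on that branch.
    None: branch not listed in the advisory text; flag for manual review
    rather than assuming such builds are safe (assumption of this example)."""
    ver = parse_version(installed)
    for fixed in FIXED_VERSIONS[product]:
        fv = parse_version(fixed)
        if ver[:2] == fv[:2]:  # same maintenance branch, e.g. 9.3.x
            return ver < fv
    return None

def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Sort (host, product, version) tuples into affected / fixed / unknown."""
    result: Dict[str, List[str]] = {"affected": [], "fixed": [], "unknown": []}
    for host, product, version in inventory:
        verdict = is_affected(product, version)
        key = "unknown" if verdict is None else ("affected" if verdict else "fixed")
        result[key].append(f"{host} ({product} {version})")
    return result

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("sh-01", "splunk_enterprise", "9.3.2"),
        ("sh-02", "splunk_enterprise", "9.4.1"),
        ("idx-01", "splunk_enterprise", "9.0.5"),
        ("gw-01", "secure_gateway", "3.8.37"),
    ]
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```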
Details
- CWE(s)