CVE-2025-20321

Published: Jul 7, 2025Modified: Jul 21, 2025

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.114, and 9.2.2406.119, an unauthenticated attacker can send a specially-crafted SPL search that could change the membership state in a Splunk Search Head Cluster (SHC) through a Cross-Site Request Forgery (CSRF), potentially leading to the removal of the captain or a member of the SHC.<br><br>The vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.

Affected (7)

Products: Splunk: Splunk, Splunk Cloud Platform

Splunk

2 products

Splunk

Splunk Cloud Platform

Configuration A

7 vulnerable

Vulnerable Software	Affected Versions
Splunk Splunk	From 9.1.0 to 9.1.10
Splunk Splunk	From 9.2.0 to 9.2.7
Splunk Splunk	From 9.3.0 to 9.3.5
Splunk Splunk	From 9.4.0 to 9.4.3
Splunk Splunk Cloud Platform	From 9.2.2406 to 9.2.2406.119
Splunk Splunk Cloud Platform	From 9.3.2408 to 9.3.2408.114
Splunk Splunk Cloud Platform	From 9.3.2411 to 9.3.2411.104

Related CWEs

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (1)

https://advisory.splunk.com/advisories/SVD-2025-0704

Source: psirt@cisco.com

Vendor Advisory

Timeline

No history available yet.