CVE-2025-20324

Published: Jul 7, 2025Modified: Jul 21, 2025

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.5

Source: psirt@cisco.com (Secondary)

Description

In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.7, and 9.1.10 and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, a low-privileged user that does not hold the "admin" or "power" Splunk roles could create or overwrite [system source type](https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.2/configure-source-types/create-source-types) configurations by sending a specially-crafted payload to the `/servicesNS/nobody/search/admin/sourcetypes/` REST endpoint on the Splunk management port.

Affected (7)

Products: Splunk: Splunk, Splunk Cloud Platform

Splunk

2 products

Splunk

Splunk Cloud Platform

Configuration A

7 vulnerable

Vulnerable Software	Affected Versions
Splunk Splunk	From 9.1.0 to 9.1.10
Splunk Splunk	From 9.2.0 to 9.2.7
Splunk Splunk	From 9.3.0 to 9.3.5
Splunk Splunk	From 9.4.0 to 9.4.2
Splunk Splunk Cloud Platform	From 9.2.2406 to 9.2.2406.119
Splunk Splunk Cloud Platform	From 9.3.2408 to 9.3.2408.113
Splunk Splunk Cloud Platform	From 9.3.2411 to 9.3.2411.104

Related CWEs

CWE-284

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (1)

https://advisory.splunk.com/advisories/SVD-2025-0707

Source: psirt@cisco.com

Vendor Advisory

Timeline

No history available yet.