CVE-2025-20325
published 2025-07-07CVE-2025-20325: In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.103, 9.3.2408.113, and 9.2.2406.119, the…
PriorityP431medium5.3CVSS 3.1
AVNACHPRLUINSUCHINAN
EPSS
0.31%
22.7th percentile
In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.103, 9.3.2408.113, and 9.2.2406.119, the software potentially exposes the search head cluster [splunk.secret](https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.4/install-splunk-enterprise-securely/deploy-secure-passwords-across-multiple-servers) key. This exposure could happen if you have a Search Head cluster and you configure the Splunk Enterprise `SHCConfig` log channel at the DEBUG logging level in the clustered deployment. The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities), [Deploy a search head cluster](https://help.splunk.com/en/splunk-enterprise/administer/distributed-search/9.4/deploy-search-head-clustering/deploy-a-search-head-cluster), [Deploy secure passwords across multiple servers](https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.4/install-splunk-enterprise-securely/deploy-secure-passwords-across-multiple-servers) and [Set a security key for the search head cluster](https://help.splunk.com/splunk-enterprise/administer/distributed-search/9.4/configure-search-head-clustering/set-a-security-key-for-the-search-head-cluster#id_2c54937a_736c_47b5_9485_67e9e390acfa__Set_a_security_key_for_the_search_head_cluster) for more information.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| splunk | splunk | >= 9.1.0 < 9.1.10 | 9.1.10 |
| splunk | splunk | >= 9.2.0 < 9.2.7 | 9.2.7 |
| splunk | splunk | >= 9.3.0 < 9.3.5 | 9.3.5 |
| splunk | splunk | >= 9.4.0 < 9.4.3 | 9.4.3 |
| splunk | splunk_cloud_platform | >= 9.2.2406 < 9.2.2406.119 | 9.2.2406.119 |
| splunk | splunk_cloud_platform | >= 9.3.2408 < 9.3.2408.113 | 9.3.2408.113 |
| splunk | splunk_cloud_platform | >= 9.3.2411 < 9.3.2411.103 | 9.3.2411.103 |
| splunk | splunk_enterprise | >= 9.1 < 9.1.10 | 9.1.10 |
| splunk | splunk_enterprise | >= 9.2 < 9.2.7 | 9.2.7 |
| splunk | splunk_enterprise | >= 9.3 < 9.3.5 | 9.3.5 |
| splunk | splunk_enterprise | >= 9.4 < 9.4.3 | 9.4.3 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-07-07
Published