Multiple SAP Products Vulnerabilities
July 14, 2025
Severity
Medium
Analysis Summary
CVE-2025-20325 CVSS:3.1
In Splunk Enterprise and Splunk Cloud Platform, the software potentially exposes the search head cluster key. This exposure could happen if you have a Search Head cluster and you configure the Splunk Enterprise `SHCConfig` log channel at the DEBUG logging level in the clustered deployment. Exploiting the vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives.
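The precondition for CVE-2025-20325 can be checked on disk. The following is an added example, not code from Splunk or from this advisory: it reports whether `SHCConfig` is effectively at DEBUG, assuming the usual `$SPLUNK_HOME/etc/log.cfg` layout (`category.<name>=LEVEL[,appender]` under a `[splunkd]` stanza, overridden by `log-local.cfg`, with `rootCategory` as the fallback). Function names are hypothetical and the sample configurations are constructed.

```python
from pathlib import Path

# Constructed sample inputs, not taken from a real deployment.
SAMPLE_BASE = ("[splunkd]\nrootCategory=WARN,A1\ncategory.SHCConfig=INFO\n"
               "category.Metrics=INFO,metrics\n[python]\nsplunk = DEBUG\n")
SAMPLE_LOCAL_DEBUG = "[splunkd]\n# temporary troubleshooting\ncategory.SHCConfig=DEBUG\n"

def parse_splunkd(text):
    """Return {setting: LEVEL} for the [splunkd] stanza of log.cfg-style text."""
    settings, stanza = {}, "splunkd"  # assumption: lines before any header belong to splunkd
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
            continue
        if stanza != "splunkd" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # The value is "LEVEL" or "LEVEL,appender"; only the level matters here.
        settings[key.strip()] = value.split(",")[0].strip().upper()
    return settings

def effective_level(category, base_text, local_text=""):
    """Level for one category: log-local.cfg wins over log.cfg, then rootCategory."""
    merged = parse_splunkd(base_text)
    merged.update(parse_splunkd(local_text))
    return merged.get("category." + category, merged.get("rootCategory"))

def shcconfig_at_debug(base_text, local_text=""):
    """True when the SHCConfig channel would log at DEBUG."""
    return effective_level("SHCConfig", base_text, local_text) == "DEBUG"

def check_splunk_home(splunk_home):
    """Run the check against the files of one Splunk installation."""
    etc = Path(splunk_home) / "etc"
    def read(path):
        return path.read_text(errors="replace") if path.is_file() else ""
    return shcconfig_at_debug(read(etc / "log.cfg"), read(etc / "log-local.cfg"))

if __name__ == "__main__":
    print("log.cfg only:", shcconfig_at_debug(SAMPLE_BASE))
    print("with log-local.cfg override:", shcconfig_at_debug(SAMPLE_BASE, SAMPLE_LOCAL_DEBUG))
```

This covers the on-disk configuration of each search head cluster member only; a level changed at runtime is not reflected in these files.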
CVE-2025-20324 CVSS:5.4
In Splunk Enterprise and Splunk Cloud Platform, a low-privileged user that does not hold the "admin" or "power" Splunk roles could create or overwrite system source type configurations by sending a specially-crafted payload to the REST endpoint on the Splunk management port.
CVE-2025-20323 CVSS:4.3
In Splunk Enterprise, a low-privileged user that does not hold the "admin" or "power" Splunk roles could turn off the scheduled search `Bucket Copy Trigger` within the Splunk Archiver application. This is because of missing access controls in the saved searches for this app.
CVE-2025-20322 CVSS:4.3
In Splunk Enterprise and Splunk Cloud Platform, an unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service. The vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.
Impact
- Denial of Service
- Gain Access
- Privilege Escalation
Indicators of Compromise
CVE
CVE-2025-20325
CVE-2025-20324
CVE-2025-20323
CVE-2025-20322
Affected Vendors
- Cisco
Affected Products
- Cisco Splunk Enterprise version 9.4.2
- Cisco Splunk Enterprise version 9.4.3
- Cisco Splunk Enterprise version 9.3.5
- Cisco Splunk Enterprise version 9.2.7
- Cisco Splunk Enterprise version 9.1.10
- Cisco Cloud Platform version 9.3.2411.103
- Cisco Cloud Platform version 9.3.2411.104
- Cisco Cloud Platform version 9.3.2408.113
- Cisco Cloud Platform version 9.2.2406.119
Remediation
Refer to the Cisco Security Advisory for patch, upgrade, or suggested workaround information.