
Splunk Releases Patches for Several High-Severity Vulnerabilities

Splunk has released a series of security updates to address multiple vulnerabilities across its products, including two high-severity flaws affecting Splunk Enterprise and the Splunk Secure Gateway App. These vulnerabilities, if exploited, could allow attackers to execute arbitrary code or access sensitive information. Organizations using Splunk should take immediate action to apply the necessary patches.


Details of the High-Severity Vulnerabilities

Remote Code Execution Vulnerability (CVE-2025-20229)

One of the most critical flaws addressed in this update is CVE-2025-20229, a remote code execution (RCE) vulnerability that could be exploited by low-privileged users. The flaw allows attackers to upload malicious files to the $SPLUNK_HOME/var/run/splunk/apptemp directory, potentially leading to unauthorized execution of code. This vulnerability has been assigned a CVSS score of 8.0, highlighting the urgency for patching.

To mitigate this issue, Splunk has released updates for the following versions:

  • Splunk Enterprise: 9.4.0, 9.3.3, 9.2.5, and 9.1.8
  • Splunk Cloud Platform: 9.3.2408.104, 9.2.2406.108, 9.2.2403.114, and 9.1.2312.208

Information Disclosure Vulnerability

Another significant flaw affects both Splunk Enterprise and the Splunk Secure Gateway App. This vulnerability exposes user session and authorization tokens in clear text within the splunk_secure_gateway.log file when calling the /services/ssg/secrets REST endpoint. Attackers could exploit this by tricking victims into making requests within their browser, potentially leading to unauthorized access to sensitive data.

Splunk has issued patches for this vulnerability in:

  • Splunk Enterprise: 9.4.1, 9.3.3, 9.2.5, and 9.1.8
  • Splunk Secure Gateway: 3.8.38 and 3.7.23

For organizations that do not use Splunk Secure Gateway, Splunk recommends disabling or removing the app as a precautionary measure.


Additional Vulnerabilities Addressed

Beyond the high-severity issues, Splunk has also patched several medium- and low-severity vulnerabilities affecting various products, including:

  • Maintenance mode modifications and safeguard bypass issues in Splunk Enterprise
  • Information disclosure risks and user data manipulation vulnerabilities
  • Third-party package vulnerabilities in Splunk Enterprise, Splunk App for Data Science, DB Connect, and the Splunk Add-on for Microsoft Cloud Services

What SOC Teams Need to Know

Security Operations Center (SOC) teams should act swiftly to patch all affected Splunk deployments to mitigate potential exploitation risks. Key recommendations include:

  • Apply all relevant security patches immediately. Delaying updates increases the risk of exploitation.
  • Monitor access logs for unusual activity related to file uploads or API calls to /services/ssg/secrets.
  • Review privilege settings to limit access to sensitive files and directories.
  • Disable the Splunk Secure Gateway App if it is not required to minimize attack surface.
  • Stay informed about emerging threats, as attackers may attempt to exploit unpatched systems.
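A defender-side check for the two monitoring points above, added here as an example (not Splunk's or Netizen's own code): it scans constructed splunkd access log lines for requests to /services/ssg/secrets and flags splunk_secure_gateway.log lines that appear to carry a clear-text session or authorization token. The log layouts and the token pattern are assumptions to be adapted to your own deployment.

```python
"""Audit helpers for the Splunk issues described above (added example).
Log formats below are constructed approximations of splunkd_access.log and
splunk_secure_gateway.log; field layout and token shape are assumptions."""
import re
from collections import Counter

# Splunk's REST access log is Apache-style: client, user, timestamp, request line.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SECRETS_ENDPOINT = "/services/ssg/secrets"

# Assumed shapes of a leaked session/authorization token in the gateway log.
TOKEN_RE = re.compile(
    r'(?:Authorization:\s*Splunk\s+\S+'
    r'|"?(?:session_key|token)"?\s*[:=]\s*"?[A-Za-z0-9_\-\.^]{16,})',
    re.IGNORECASE,
)

def secrets_endpoint_hits(access_lines):
    """Return (hits, per_user): each hit is (user, ip, status) for the endpoint."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m and m.group("path").split("?")[0] == SECRETS_ENDPOINT:
            hits.append((m.group("user"), m.group("ip"), m.group("status")))
    return hits, Counter(user for user, _, _ in hits)

def cleartext_token_lines(gateway_lines):
    """Return gateway log lines that look like they contain a clear-text token."""
    return [line for line in gateway_lines if TOKEN_RE.search(line)]

# Constructed sample input (not real log data).
ACCESS_LOG = [
    '10.0.0.5 - admin [20/Mar/2025:10:15:32.123 +0000] "GET /services/ssg/secrets HTTP/1.1" 200 512 - - - 3ms',
    '10.0.0.9 - analyst [20/Mar/2025:10:16:01.004 +0000] "GET /services/ssg/secrets?output_mode=json HTTP/1.1" 200 512 - - - 2ms',
    '10.0.0.9 - analyst [20/Mar/2025:10:16:05.770 +0000] "GET /services/search/jobs HTTP/1.1" 200 81 - - - 5ms',
    '10.0.0.9 - analyst [20/Mar/2025:10:17:44.101 +0000] "GET /services/ssg/secrets HTTP/1.1" 200 512 - - - 2ms',
]
GATEWAY_LOG = [
    '2025-03-20 10:16:01,010 INFO secrets - session_key=abcdefghijklmnopqrstuvwxyz0123 user=analyst',
    '2025-03-20 10:16:01,020 INFO registration - device registered for user=analyst',
]

if __name__ == "__main__":
    hits, per_user = secrets_endpoint_hits(ACCESS_LOG)
    print(f"{len(hits)} requests to {SECRETS_ENDPOINT}; by user: {dict(per_user)}")
    for line in cleartext_token_lines(GATEWAY_LOG):
        print("possible clear-text token:", line)
```

A burst of hits from one user, or any token match in the gateway log on a pre-patch instance, is a signal to rotate that user's session and apply the update.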

Conclusion

While Splunk has not reported any active exploitation of these vulnerabilities, organizations should not delay in applying these critical patches. Security teams must remain vigilant and proactive in monitoring for potential threats. Keeping software up to date remains one of the most effective defenses against cyberattacks.

For a full list of security updates and technical details, refer to Splunk’s official advisory.


How Can Netizen Help?

Netizen ensures that security gets built in, not bolted on, providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Questions or concerns? Feel free to reach out to us any time –

https://www.netizen.net/contact


Copyright © Netizen Corporation. All Rights Reserved.