CVE-2025-20228: 
Splunk Enterprise vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Splunk Enterprise and Splunk Cloud Platform, identified as CVE-2025-20228. The vulnerability was disclosed on March 26, 2025, affecting Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8, and Splunk Cloud Platform versions below 9.2.2403.108 and 9.1.2312.204. This security flaw allows low-privileged users without admin or power roles to manipulate the maintenance mode state of the App Key Value Store (KVStore) (Splunk Advisory).

The vulnerability has been assigned a CVSSv3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. It is categorized under CWE-352 (Cross-Site Request Forgery). The vulnerability specifically targets the maintenance mode state change functionality of the App Key Value Store (KVStore) through a CSRF attack vector (Splunk Advisory).

The vulnerability allows unauthorized manipulation of the KVStore maintenance mode state, which could potentially disrupt system operations and affect service availability. The CVSS scoring indicates that while there is no direct impact on confidentiality or integrity, there is a high impact on availability of the system (Splunk Advisory).

The primary mitigation is to upgrade Splunk Enterprise to versions 9.4.0, 9.3.3, 9.2.5, 9.1.8, or higher. For Splunk Cloud Platform, Splunk is actively monitoring and patching affected instances. As a workaround, organizations can disable Splunk Web, though this may impact functionality. This can be done through the web.conf configuration specification file (Splunk Advisory).