CVE-2025-20231
Splunk Enterprise vulnerability analysis and mitigation

Overview

A sensitive information disclosure vulnerability (CVE-2025-20231) was discovered in Splunk Enterprise and the Splunk Secure Gateway app. The vulnerability affects Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and versions below 3.8.38 and 3.7.23 of the Splunk Secure Gateway app on Splunk Cloud Platform. It was disclosed on March 26, 2025, and allows low-privileged users without admin or power roles to potentially access sensitive information through elevated search permissions (Splunk Advisory).

Technical details

The vulnerability stems from the Splunk Secure Gateway exposing user session and authorization tokens in clear text within the splunksecuregateway.log file when calling the /services/ssg/secrets REST endpoint. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H. It is categorized under CWE-532 (Insertion of Sensitive Information into Log File) (Splunk Advisory).
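
As an added example (not code from Splunk or from this report), the following Python sketch audits a copy of splunksecuregateway.log for token-like values and reports them redacted, with a short SHA-256 fingerprint for correlation. The log line layout and the token patterns are assumptions, and the sample lines are constructed.

```python
import hashlib
import re
import sys

ENDPOINT = "/services/ssg/secrets"  # REST endpoint named in the text above

# Assumed token shapes (not from the advisory): a JWT-style value, or the
# value of an "Authorization: Splunk <key>" / "Bearer <key>" header.
TOKEN_PATTERNS = [
    re.compile(r"\b(eyJ[\w-]{8,}\.[\w-]{8,}\.[\w-]{8,})"),
    re.compile(r"\b(?:Splunk|Bearer)\s+([\w^.-]{16,})"),
]

# Constructed sample lines; the real log layout may differ.
SAMPLE_LOG = [
    '2025-03-26 10:00:01,120 INFO [secrets] GET /services/ssg/secrets '
    'headers={"Authorization": "Splunk 9f3cK2mQ7xLw0aBdE5tYhU8pRsVn"}',
    '2025-03-26 10:00:02,431 INFO [subscription] heartbeat ok',
    '2025-03-26 10:00:03,007 DEBUG [secrets] /services/ssg/secrets '
    'token=eyJhbGciOiJIUzI1.eyJzdWIiOiJhZG1pbiJ9.c2lnbmF0dXJlMTIz',
]

def fingerprint(secret):
    """SHA-256 prefix so a token can be correlated without reprinting it."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]

def scan_lines(lines):
    """Return one finding per distinct token-like value on each line."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        secrets = []
        for pattern in TOKEN_PATTERNS:
            for value in pattern.findall(line):
                if value not in secrets:
                    secrets.append(value)
        redacted = line.rstrip()
        for value in secrets:
            redacted = redacted.replace(value, "[REDACTED]")
        for value in secrets:
            findings.append({"line": line_no, "endpoint": ENDPOINT in line,
                             "sha256_12": fingerprint(value), "text": redacted})
    return findings

if __name__ == "__main__":
    # Pass the path to splunksecuregateway.log; with no argument the sample runs.
    source = SAMPLE_LOG
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as handle:
            source = handle.readlines()
    for f in scan_lines(source):
        print(f"line {f['line']} endpoint={f['endpoint']} token#{f['sha256_12']}: {f['text']}")
```

Any session or token that produces a finding should be treated as exposed and invalidated; the fingerprint lets responders track it without copying the value into tickets.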

Impact

When successfully exploited, the vulnerability allows a low-privileged user to run searches using the permissions of a higher-privileged user, potentially leading to unauthorized access to sensitive information. The exposure of session and authorization tokens in clear text could enable attackers to impersonate users and retrieve sensitive information through elevated search permissions (Security Online).

Mitigation and workarounds

Splunk has released patches to address this vulnerability. Organizations should upgrade Splunk Enterprise to version 9.4.1, 9.3.3, 9.2.5, 9.1.8, or higher. For Splunk Cloud Platform, Splunk is actively monitoring and patching affected instances. As a temporary workaround, organizations can disable the Splunk Secure Gateway app if they don't use Splunk Mobile, Spacebridge, or Mission Control features (Splunk Advisory).

This report was generated using AI
