Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2025-20298
CVE-2025-20298:
Splunk Forwarder vulnerability analysis and mitigation
Overview
A high-severity vulnerability (CVE-2025-20298) was discovered in Splunk Universal Forwarder for Windows, affecting versions below 9.4.2, 9.3.4, 9.2.6, and 9.1.9. The vulnerability, disclosed on June 2, 2025, involves incorrect permissions assignment in the Universal Forwarder Installation directory (by default, C:\Program Files\SplunkUniversalForwarder). This security flaw is classified under CWE-732: Incorrect Permission Assignment for Critical Resource and has received a CVSSv3.1 score of 8.0 (High) (Splunk Advisory, NVD).
Technical details
The vulnerability stems from improper permission assignments during installation or upgrade processes. When installing or upgrading the Universal Forwarder, the system sets overly permissive permissions on the installation directory, allowing users outside the Administrators group to access and potentially modify all directory contents. The issue is tracked with CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H, indicating high potential impact on confidentiality, integrity, and availability (GBHackers, Splunk Advisory).
Impact
The vulnerability allows non-administrator users on the affected machine to access, modify, or replace files within the Universal Forwarder directory. This access could lead to unauthorized modification of executable files or configurations, potential replacement of service binaries resulting in arbitrary code execution with elevated privileges, and exposure or tampering of sensitive log data (GBHackers).
Mitigation and workarounds
Splunk recommends upgrading Universal Forwarder for Windows to versions 9.4.2, 9.3.4, 9.2.6, 9.1.9, or higher. For organizations unable to upgrade immediately, a mitigation is available by running the command 'icacls.exe "" /remove:g BU /C' as a Windows system administrator. This command removes group permissions for BUILTIN\Users (BU), restricting access to authorized administrators only. This mitigation should be applied after new installations, upgrades, or reinstallations of affected versions (Splunk Advisory, GBHackers).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management