CVE-2025-20320: 
Splunk Enterprise vulnerability analysis and mitigation

A path traversal vulnerability (CVE-2025-20320) was discovered in Splunk Enterprise and Splunk Cloud Platform, affecting multiple versions of the software. The vulnerability was disclosed on July 7, 2025, impacting Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, as well as Splunk Cloud Platform versions below 9.3.2411.107, 9.3.2408.117, and 9.2.2406.121. The vulnerability allows low-privileged users without admin or power roles to potentially cause a denial of service through the User Interface - Views configuration page (Splunk Advisory).

The vulnerability is classified as a path traversal vulnerability (CWE-35) that enables the deletion of arbitrary files within a Splunk directory. It has been assigned a CVSSv3.1 base score of 6.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:H. This indicates that the vulnerability requires network access, low attack complexity, low privileges, and user interaction for exploitation. The impact primarily affects availability (High) with some impact on integrity (Low) but no impact on confidentiality (NVD).

The successful exploitation of this vulnerability can lead to a denial of service (DoS) condition through the deletion of arbitrary files within the Splunk directory. The attack requires user interaction and can only be executed when a low-privileged attacker successfully tricks an administrator-level user into initiating a specific request (Splunk Advisory).

Splunk has released patches to address this vulnerability. Users are advised to upgrade Splunk Enterprise to versions 9.4.3, 9.3.5, 9.2.7, 9.1.10, or higher. For Splunk Cloud Platform, Splunk is actively monitoring and patching affected instances. As a workaround, organizations can disable Splunk Web, though this may impact functionality. This can be configured through the web.conf configuration specification file (Splunk Advisory).