CVE-2025-20321: 
Splunk Enterprise vulnerability analysis and mitigation

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.114, and 9.2.2406.119, a Cross-Site Request Forgery (CSRF) vulnerability was discovered. The vulnerability, identified as CVE-2025-20321, was disclosed on July 7, 2025, and affects the Splunk Web component of these systems (NVD, Splunk Advisory).

The vulnerability allows an unauthenticated attacker to send a specially-crafted SPL search that could change the membership state in a Splunk Search Head Cluster (SHC). The vulnerability has been assigned a CVSSv3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. It is classified as CWE-352 (Cross-Site Request Forgery) (Splunk Advisory).

A successful exploitation could lead to the removal of the captain or a member of the Splunk Search Head Cluster (SHC). This could potentially disrupt the cluster's operations and cause service availability issues. The severity is rated as Medium, but if Search Head Clustering is not enabled, the impact would be considered Informational (Splunk Advisory).

The primary mitigation is to upgrade Splunk Enterprise to versions 9.4.3, 9.3.5, 9.2.7, 9.1.10, or higher. For Splunk Cloud Platform, Splunk is actively monitoring and patching instances. As a workaround, organizations can turn off Splunk Web, though this may impact functionality. Detailed information about disabling Splunk Web can be found in the web.conf configuration specification file (Splunk Advisory).