CVE-2025-20324: 
Splunk Enterprise vulnerability analysis and mitigation

CVE-2025-20324 is a vulnerability discovered in Splunk Enterprise and Splunk Cloud Platform, disclosed on July 7, 2025. The vulnerability affects Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.7, and 9.1.10 and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119. This security issue allows low-privileged users without admin or power roles to manipulate system source type configurations (Splunk Advisory).

The vulnerability stems from improper access control (CWE-284) in the REST API component. Specifically, it allows unauthorized access to the /servicesNS/nobody/search/admin/sourcetypes/ REST endpoint on the Splunk management port. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, indicating network accessibility, low attack complexity, and low privileges required (NVD).

The exploitation of this vulnerability allows attackers to create or overwrite system source type configurations, potentially affecting the data processing and analysis capabilities of the Splunk platform. This could lead to unauthorized modifications of how data is interpreted and processed within the system (Splunk Advisory).

The primary mitigation is to upgrade Splunk Enterprise to versions 9.4.2, 9.3.5, 9.2.7, 9.1.10, or higher. For Splunk Cloud Platform, Splunk is actively monitoring and patching affected instances. No alternative workarounds are available for this vulnerability (Splunk Advisory).