CVE-2025-20325: 
Splunk Enterprise vulnerability analysis and mitigation

In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.103, 9.3.2408.113, and 9.2.2406.119, a vulnerability was discovered that potentially exposes the search head cluster splunk.secret key. The vulnerability was disclosed on July 7, 2025, and was assigned CVE-2025-20325 (NVD, Splunk Advisory).

The vulnerability occurs when a Search Head cluster is configured with the Splunk Enterprise SHCConfig log channel set to DEBUG logging level in clustered deployments. The issue is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The vulnerability has been assigned a CVSS v3.1 base score of 3.1 (Low) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N (Splunk Advisory).

The vulnerability could lead to the exposure of the search head cluster splunk.secret key. However, exploitation would require either local access to the log files or administrative access to internal indexes, which by default is restricted to users with the admin role (NVD).

Several mitigation options are available: 1) Upgrade to Splunk Enterprise versions 9.4.3, 9.3.5, 9.2.7, and 9.1.10 or higher, 2) Configure the SHCConfig log channel to a logging level less verbose than DEBUG, 3) Update the splunk.secret key file, and 4) Review roles and capabilities on the instance and restrict internal index access to administrator-level roles (Splunk Advisory).