CVE-2025-20369: 
Splunk Enterprise vulnerability analysis and mitigation

A vulnerability identified as CVE-2025-20369 affects Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123. The vulnerability allows low-privileged users without 'admin' or 'power' roles to perform XML External Entity (XXE) injection through the dashboard tab label field (Splunk Advisory, NVD).

The vulnerability is classified with a CVSS v3.1 base score of 4.6 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L. The flaw is categorized under CWE-776 (Improper Restriction of Recursive Entity References in DTDs) and CWE-611 (Improper Restriction of XML External Entity Reference). The vulnerability specifically targets the Splunk Web component and requires user interaction for successful exploitation (NVD, Splunk Advisory).

The primary impact of this vulnerability is its potential to cause denial-of-service (DoS) attacks through XXE injection. The vulnerability affects the core functionality of the Splunk Web interface and could impact system availability (GBHackers, Splunk Advisory).

Splunk has released patches to address this vulnerability. Users are advised to upgrade Splunk Enterprise to versions 9.4.4, 9.3.6, 9.2.8 or higher. For Splunk Cloud Platform, Splunk is actively monitoring and patching instances. As a workaround, administrators can disable Splunk Web if it's not required for operations (Splunk Advisory, Security Online).