{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2025-013.pdf"
    },
    "title": "Remote Code Execution Vulnerability in Splunk",
    "serial_number": "2025-013",
    "publish_date": "27-03-2025 19:20:37",
    "description": "On March 26, 2025, Splunk released a security advisory addressing a vulnerability in Splunk Enterprise and Splunk Cloud Platform that allows low-privileged, authenticated users to perform Remote Code Execution (RCE).<br>\nIt is recommended to update as soon as possible.<br>\n",
    "url_title": "2025-013",
    "content_markdown": "---\ntitle: 'Remote Code Execution Vulnerability in\u00a0Splunk'\nnumber: '2025-013'\nversion: '1.0'\noriginal_date: '2025-03-26'\ndate: '2025-03-27'\n---\n\n_History:_\n\n* _27/03/2025 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn March 26, 2025, Splunk released a security advisory addressing a vulnerability in Splunk Enterprise and Splunk Cloud Platform that allows low-privileged, authenticated users to perform Remote Code Execution (RCE) [1,2].\n\nIt is recommended to update as soon as possible.\n\n# Technical Details\n\nThe vulnerability `CVE-2025-20229`, with a CVSS score of 8.0, stems from missing authorisation checks in the file upload process to the `$SPLUNK_HOME/var/run/splunk/apptemp` directory. A low-privileged user, i.e. one who does not hold the `admin` or `power` Splunk roles, can upload a malicious file to this directory and thereby execute arbitrary code on the server [1]. Exploitation requires a valid account but no elevated role, so every user with access to an unpatched instance should be considered a potential attacker.\n\n# Products Affected\n\nThe following products and versions are affected:\n\n- Splunk Enterprise from 9.1.0 to 9.1.7, from 9.2.0 to 9.2.4, and from 9.3.0 to 9.3.2\n- Splunk Cloud Platform from 9.1.2312 to 9.1.2312.207, from 9.2.2403 to 9.2.2403.113, from 9.2.2406 to 9.2.2406.107, and from 9.3.2408 to 9.3.2408.103\n\n# Recommendations\n\nCERT-EU recommends upgrading affected servers to the latest version as soon as possible. The fixed versions are Splunk Enterprise 9.1.8, 9.2.5 and 9.3.3, and Splunk Cloud Platform 9.1.2312.208, 9.2.2403.114, 9.2.2406.108 and 9.3.2408.104 [1]. The running version of a Splunk Enterprise instance can be confirmed with `$SPLUNK_HOME/bin/splunk version` or via the `/services/server/info` REST endpoint.\n\n# References\n\n[1] <https://advisory.splunk.com/advisories/SVD-2025-0301>\n\n[2] <https://www.cve.org/CVERecord?id=CVE-2025-20229>",
    "content_html": "<p><em>History:</em></p><ul><li><em>27/03/2025 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On March 26, 2025, Splunk released a security advisory addressing a vulnerability in Splunk Enterprise and Splunk Cloud Platform that allows low-privileged, authenticated users to perform Remote Code Execution (RCE) [1,2].</p><p>It is recommended to update as soon as possible.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <code>CVE-2025-20229</code>, with a CVSS score of 8.0, stems from missing authorisation checks in the file upload process to the <code>$SPLUNK_HOME/var/run/splunk/apptemp</code> directory. A low-privileged user, i.e. one who does not hold the <code>admin</code> or <code>power</code> Splunk roles, can upload a malicious file to this directory and thereby execute arbitrary code on the server [1]. Exploitation requires a valid account but no elevated role, so every user with access to an unpatched instance should be considered a potential attacker.</p><h2 id=\"products-affected\">Products Affected</h2><p>The following products and versions are affected:</p><ul><li>Splunk Enterprise from 9.1.0 to 9.1.7, from 9.2.0 to 9.2.4, and from 9.3.0 to 9.3.2</li><li>Splunk Cloud Platform from 9.1.2312 to 9.1.2312.207, from 9.2.2403 to 9.2.2403.113, from 9.2.2406 to 9.2.2406.107, and from 9.3.2408 to 9.3.2408.103</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU recommends upgrading affected servers to the latest version as soon as possible. The fixed versions are Splunk Enterprise 9.1.8, 9.2.5 and 9.3.3, and Splunk Cloud Platform 9.1.2312.208, 9.2.2403.114, 9.2.2406.108 and 9.3.2408.104 [1]. The running version of a Splunk Enterprise instance can be confirmed with <code>$SPLUNK_HOME/bin/splunk version</code> or via the <code>/services/server/info</code> REST endpoint.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://advisory.splunk.com/advisories/SVD-2025-0301\">https://advisory.splunk.com/advisories/SVD-2025-0301</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.cve.org/CVERecord?id=CVE-2025-20229\">https://www.cve.org/CVERecord?id=CVE-2025-20229</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}