CVE-2024-36985

8.8 HIGH

📋 TL;DR

This vulnerability allows low-privileged Splunk users without admin or power roles to execute arbitrary code through external lookups referencing the splunk_archiver application. It affects Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10. Attackers could gain full control of affected systems.

💻 Affected Systems

Products:
  • Splunk Enterprise
Versions: below 9.2.2, 9.1.5, and 9.0.10 (on the 9.2, 9.1, and 9.0 branches respectively)
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires low-privileged user account; splunk_archiver application must be present.

📦 What is this software?

Splunk Enterprise is a platform for collecting, indexing, and searching machine data such as logs, metrics, and events. Lookups enrich search results from a table or, in the case of external lookups, from a script that Splunk executes at search time; the splunk_archiver application is one of the applications bundled with Splunk Enterprise.
⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise, with the attacker gaining root/admin privileges, exfiltrating data, moving laterally, and installing a persistent backdoor.

🟠 Likely Case: Unauthorized code execution leading to data theft, privilege escalation, and potential ransomware deployment.

🟢 If Mitigated: Limited impact with proper access controls, but still a significant risk because the flaw yields remote code execution.

🌐 Internet-Facing: HIGH if Splunk web interface is exposed to internet, as authenticated low-privilege users can exploit.
🏢 Internal Only: HIGH as internal attackers or compromised accounts can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated low-privilege user; external lookup functionality is the attack vector.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.2.2, 9.1.5, or 9.0.10

Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2024-0705

Restart Required: Yes

Instructions:

1. Back up Splunk configuration and data.
2. Download the appropriate patched version from Splunk downloads.
3. Stop Splunk services.
4. Install the update following Splunk upgrade documentation.
5. Restart Splunk services.
6. Verify version and functionality.

🔧 Temporary Workarounds

Restrict external lookups (applies to: all)

Disable or restrict external lookup functionality for non-admin users:
  • Edit transforms.conf to remove or secure external lookup configurations
  • Review and restrict lookup permissions in authorize.conf

Remove splunk_archiver application (applies to: all)

Remove the vulnerable application if it is not required:

$SPLUNK_HOME/bin/splunk remove app splunk_archiver
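The first workaround above asks you to find and restrict external lookups, but gives no way to enumerate them. The script below is an added example, not Splunk's code: it walks every transforms.conf under $SPLUNK_HOME (system, app, and per-user directories, the last because a low-privilege user can ship private configuration there), prints each stanza that defines external_cmd (the transforms.conf key that makes a lookup execute a script), and tags those whose command mentions splunk_archiver. The demo_audit function builds a constructed Splunk-like directory with two sample transforms.conf files so the audit can be exercised without a Splunk install; the stanza names and commands in it are made up.

```shell
#!/bin/sh
# Added example (not Splunk's code): list external lookups in every
# transforms.conf under a Splunk home. Output is tab-separated:
#   tag  file  stanza  external_cmd value
# tag is ARCHIVER when the command references splunk_archiver, else EXTERNAL.

audit_transforms_file() {
  # $1 = path to one transforms.conf
  awk -v file="$1" '
    /^[ \t]*\[/ {                       # stanza header: [name]
      s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s); stanza = s; next
    }
    /^[ \t]*external_cmd[ \t]*=/ {      # external lookup definition
      cmd = $0; sub(/^[^=]*=[ \t]*/, "", cmd)
      tag = (index(cmd, "splunk_archiver") > 0) ? "ARCHIVER" : "EXTERNAL"
      printf "%s\t%s\t%s\t%s\n", tag, file, stanza, cmd
    }' "$1"
}

audit_splunk_home() {
  # $1 = SPLUNK_HOME. etc/users/<user>/<app>/local holds per-user config,
  # which is why it is searched alongside etc/system and etc/apps.
  find "$1/etc/system" "$1/etc/apps" "$1/etc/users" -name transforms.conf 2>/dev/null |
  while read -r f; do audit_transforms_file "$f"; done
}

# Self-test on a constructed directory layout (not a real Splunk config).
demo_audit() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/etc/users/lowpriv/search/local" "$tmp/etc/apps/search/default"
  cat > "$tmp/etc/users/lowpriv/search/local/transforms.conf" <<'EOF'
[geo_lookup]
filename = geo.csv

[archiver_hook]
external_cmd = splunk_archiver_status.py host
fields_list = host,status
EOF
  cat > "$tmp/etc/apps/search/default/transforms.conf" <<'EOF'
[dns_lookup]
external_cmd = external_lookup.py clienthost clientip
fields_list = clienthost,clientip
EOF
  audit_splunk_home "$tmp" | sort
  rm -rf "$tmp"
}

# Run against a real install when one is present; otherwise run the demo.
if [ -d "${SPLUNK_HOME:-/opt/splunk}/etc" ]; then
  audit_splunk_home "${SPLUNK_HOME:-/opt/splunk}"
else
  demo_audit
fi
```

Anything tagged ARCHIVER, and any EXTERNAL entry that lives under etc/users, is what to review against the access restrictions in authorize.conf before deciding whether the workaround is actually in place.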

🧯 If You Can't Patch

  • Implement strict access controls and limit low-privilege user accounts
  • Monitor for suspicious external lookup activity and implement network segmentation

🔍 How to Verify

Check if Vulnerable:

Check the Splunk version and compare it with the affected ranges: 9.2.x < 9.2.2, 9.1.x < 9.1.5, 9.0.x < 9.0.10

Check Version:

$SPLUNK_HOME/bin/splunk version

Verify Fix Applied:

Verify the Splunk version is at or above the fix for its branch: 9.2.2 or higher on 9.2.x, 9.1.5 or higher on 9.1.x, 9.0.10 or higher on 9.0.x
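Comparing version strings by eye is error-prone (9.0.9 sorts after 9.0.10 as text). The function below is an added example, not Splunk's code: it takes the output line of `$SPLUNK_HOME/bin/splunk version` (which looks like "Splunk 9.1.3 (build ...)"), picks the X.Y.Z token, and classifies it against the three fixed versions using numeric comparison on the correct branch. Branches the advisory does not list (9.3 and later) are reported as NOT_LISTED rather than guessed at; anything that is not a 9.x version is UNKNOWN. The sample version strings are constructed.

```shell
#!/bin/sh
# Added example (not Splunk's code): classify a "splunk version" output
# line against the CVE-2024-36985 fixed versions 9.2.2 / 9.1.5 / 9.0.10.
# Prints VULNERABLE, FIXED, NOT_LISTED or UNKNOWN.

cve_2024_36985_status() {
  line=$1
  ver=""
  # take the first whitespace-separated token shaped like X.Y.Z
  for w in $line; do
    case $w in
      [0-9]*.[0-9]*.[0-9]*) ver=$w; break ;;
    esac
  done
  [ -n "$ver" ] || { echo UNKNOWN; return 0; }

  # split on dots; a fourth component (X.Y.Z.W) is ignored
  oldifs=$IFS; IFS=.; set -- $ver; IFS=$oldifs
  major=$1; minor=$2; patch=$3

  [ "$major" -eq 9 ] 2>/dev/null || { echo UNKNOWN; return 0; }
  case $minor in
    0) fixed=10 ;;   # 9.0.x fixed in 9.0.10
    1) fixed=5 ;;    # 9.1.x fixed in 9.1.5
    2) fixed=2 ;;    # 9.2.x fixed in 9.2.2
    *) echo NOT_LISTED; return 0 ;;
  esac
  # numeric compare: 9.0.9 must count as below 9.0.10
  if [ "$patch" -ge "$fixed" ] 2>/dev/null; then echo FIXED; else echo VULNERABLE; fi
}

# Stand-alone use on a Splunk host; skipped when no binary is present.
splunk_bin="${SPLUNK_HOME:-/opt/splunk}/bin/splunk"
if [ -x "$splunk_bin" ]; then
  cve_2024_36985_status "$("$splunk_bin" version)"
fi
```

Run it on each search head and indexer; a NOT_LISTED result means the host is on a branch outside the advisory's version list and should be checked against the vendor advisory directly.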

📡 Detection & Monitoring

Log Indicators:

  • Unusual external lookup activity
  • splunk_archiver application access by non-admin users
  • Unexpected process execution from Splunk context

Network Indicators:

  • Outbound connections from Splunk servers to unexpected destinations
  • Unusual data exfiltration patterns

SIEM Query:

index=_internal source=*splunkd.log* ("external_lookup" OR "splunk_archiver") | stats count by user, source
