CVE-2025-0367
📋 TL;DR
A vulnerable regular expression pattern in Splunk's SA-ldapsearch add-on versions 3.1.0 and lower could allow attackers to cause denial of service through ReDoS attacks. This affects organizations using the vulnerable add-on for Active Directory integration with Splunk. The vulnerability allows attackers to degrade or disrupt Splunk functionality by sending specially crafted input.
💻 Affected Systems
- Splunk Supporting Add-on for Active Directory (SA-ldapsearch)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for Splunk's Active Directory integration functionality, potentially disrupting authentication, user management, and data collection from AD sources.
Likely Case
Degraded performance of the SA-ldapsearch add-on, causing timeouts or failures in Active Directory queries and synchronization tasks.
If Mitigated
Minimal impact with proper input validation and rate limiting in place, though the vulnerable code path remains exploitable.
🎯 Exploit Status
Exploitation requires the ability to send input that gets processed by the vulnerable regex pattern, which typically means having access to modify AD data or interface with the add-on.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.1.1 or higher
Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2025-0103
Restart Required: Yes
Instructions:
1. Download SA-ldapsearch version 3.1.1 or higher from Splunkbase.
2. In Splunk Web, navigate to Apps > Manage Apps.
3. Click 'Install app from file' and upload the new version.
4. Restart Splunk services to apply the update.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement additional input validation for any data that flows through the SA-ldapsearch add-on, bounding the length and character set of values before they reach the vulnerable regex, so that crafted input cannot trigger catastrophic backtracking.
Rate Limiting
Apply rate limiting to requests processed by the SA-ldapsearch add-on to mitigate DoS impact.
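The two workarounds above (bounding input and limiting how much work one request can consume) can be combined in a small guard. The example below is added here and is not code from Splunk or the SA-ldapsearch add-on; the actual vulnerable pattern is not published on this page, so the pattern `^(a+)+$` is a constructed stand-in that backtracks exponentially on inputs such as `aaaa.`, and `MAX_LEN`, the allowed character set and the one-second budget are assumed values to tune for your environment.

```python
import multiprocessing as mp
import re

# Assumed limits (not from the advisory): cap the size and character set of
# any value that will be handed to a regex on the SA-ldapsearch code path.
MAX_LEN = 512
ALLOWED = re.compile(r"[A-Za-z0-9 ._@=,()\-*]*")

# Constructed illustrative pattern, NOT the one in SA-ldapsearch: the nested
# quantifier makes a non-matching input like "aaaa." backtrack exponentially.
EVIL_PATTERN = r"^(a+)+$"


def validate_ad_input(value: str) -> bool:
    """Length and character-set gate applied before any regex work."""
    return len(value) <= MAX_LEN and ALLOWED.fullmatch(value) is not None


def _regex_worker(pattern_src: str, value: str, conn) -> None:
    """Runs in a child process so a runaway match can be killed."""
    conn.send(re.fullmatch(pattern_src, value) is not None)
    conn.close()


def safe_fullmatch(pattern_src: str, value: str, timeout: float = 1.0):
    """Return True/False for a match, or None if the input was rejected
    by validation or the match exceeded its time budget."""
    if not validate_ad_input(value):
        return None
    parent_conn, child_conn = mp.Pipe(duplex=False)
    proc = mp.Process(target=_regex_worker, args=(pattern_src, value, child_conn))
    proc.start()
    child_conn.close()
    proc.join(timeout)
    if proc.is_alive():
        # Budget exhausted: terminate the worker instead of letting it spin.
        proc.terminate()
        proc.join()
        return None
    return parent_conn.recv() if parent_conn.poll() else None


if __name__ == "__main__":
    print(safe_fullmatch(EVIL_PATTERN, "a" * 12))          # matches quickly
    print(safe_fullmatch(EVIL_PATTERN, "a" * 40 + "!"))    # rejected by charset
    print(safe_fullmatch(EVIL_PATTERN, "a" * 40 + ".", 0.5))  # times out
```

The worker-process budget is the part that actually stops a ReDoS from consuming the host; the length and character-set gate only reduces how often it is needed. Pass the pattern as a string rather than a compiled object so the worker is safe under any multiprocessing start method.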
🧯 If You Can't Patch
- Isolate the Splunk instance with the vulnerable add-on from untrusted networks and users.
- Monitor for unusual performance degradation or timeout patterns in SA-ldapsearch operations.
🔍 How to Verify
Check if Vulnerable:
Check the SA-ldapsearch add-on version in Splunk Web: Apps > Manage Apps, look for 'Splunk Supporting Add-on for Active Directory' and verify version is 3.1.0 or lower.
Check Version:
On Splunk server: grep -r 'version' /opt/splunk/etc/apps/SA-ldapsearch/default/app.conf | grep 'version ='
Verify Fix Applied:
After updating, verify the add-on shows version 3.1.1 or higher in Apps > Manage Apps, and test Active Directory queries function normally.
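The manual checks above can be turned into a repeatable test. The example below is added here and is not a Splunk-provided script; it reads the add-on's `app.conf` (the `[launcher]` and `[id]` stanzas both carry a `version` key in Splunk apps), compares it against the fixed version 3.1.1 from the advisory, and reports whether the installed copy is still in the vulnerable range. The embedded `app.conf` text is constructed sample input.

```python
import configparser

# From the advisory: 3.1.1 or higher is patched.
FIXED_VERSION = (3, 1, 1)

# Constructed sample app.conf, as it might look under
# /opt/splunk/etc/apps/SA-ldapsearch/default/app.conf (sample input only).
SAMPLE_APP_CONF = """
[install]
is_configured = 0

[launcher]
author = Splunk
description = Splunk Supporting Add-on for Active Directory
version = 3.1.0

[ui]
is_visible = 0
label = SA-ldapsearch
"""


def parse_version(text: str) -> tuple:
    """Turn '3.1.0' or '3.1.1-beta' into a comparable (major, minor, patch) tuple."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def installed_version(app_conf_text: str):
    """Return the version string from app.conf, or None if absent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(app_conf_text)
    for section in ("launcher", "id"):
        if cp.has_option(section, "version"):
            return cp.get(section, "version")
    return None


def is_vulnerable(app_conf_text: str):
    """True if the installed add-on is older than the fixed version,
    False if patched, None if no version could be read."""
    version = installed_version(app_conf_text)
    if version is None:
        return None
    return parse_version(version) < FIXED_VERSION


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_APP_CONF
    print("installed:", installed_version(text), "vulnerable:", is_vulnerable(text))
```

Run it with the real path as its argument on the Splunk server (for example the `default/app.conf` path shown in the grep above); if a `local/app.conf` exists it takes precedence in Splunk's configuration layering, so check that file too.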
📡 Detection & Monitoring
Log Indicators:
- Unusual regex processing times in splunkd.log
- SA-ldapsearch timeouts or failures
- High CPU usage by splunkd process during AD queries
Network Indicators:
- Repeated failed LDAP queries from Splunk server
- Unusual patterns in AD query traffic
SIEM Query:
index=_internal source=*splunkd.log "SA-ldapsearch" (timeout OR "took too long" OR "regex")