CVE-2025-20230
📋 TL;DR
This CVE allows low-privileged Splunk users without admin or power roles to edit and delete other users' data in App Key Value Store (KVStore) collections created by the Splunk Secure Gateway app. The vulnerability affects Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and Splunk Secure Gateway app versions below 3.8.38 and 3.7.23 on Splunk Cloud Platform.
💻 Affected Systems
- Splunk Enterprise
- Splunk Secure Gateway app
📦 What is this software?
Splunk by Splunk
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users could delete or modify critical KVStore data used by the Splunk Secure Gateway app, potentially disrupting gateway functionality and causing data integrity issues.
Likely Case
Low-privileged users could tamper with KVStore collections they shouldn't have access to, leading to data manipulation or deletion within the affected collections.
If Mitigated
With proper access controls and role-based permissions, only authorized users can access KVStore collections, preventing unauthorized modifications.
🎯 Exploit Status
Exploitation requires authenticated access with any non-admin, non-power user role. The vulnerability is in access control logic, not a complex technical flaw.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Splunk Enterprise: 9.4.1, 9.3.3, 9.2.5, 9.1.8; Splunk Secure Gateway app: 3.8.38, 3.7.23
Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2025-0307
Restart Required: Yes
Instructions:
1. Upgrade Splunk Enterprise to a patched version.
2. Upgrade the Splunk Secure Gateway app to a patched version.
3. Restart Splunk services.
🔧 Temporary Workarounds
Restrict user access
Temporarily restrict low-privileged user access to Splunk Secure Gateway app functionality
🧯 If You Can't Patch
- Review and audit user roles to ensure only necessary users have access to Splunk Secure Gateway app
- Implement additional monitoring on KVStore collection access and modifications
🔍 How to Verify
Check if Vulnerable:
Compare the installed Splunk Enterprise version and Splunk Secure Gateway app version against the affected-versions list above
Check Version:
splunk version
Verify Fix Applied:
Confirm that the Splunk Enterprise and Splunk Secure Gateway app versions match or exceed the patched versions
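As an added example (not from the advisory or from Splunk), the following Python check parses the output of `splunk version` and the app's version string and compares both against the fixed versions listed above, using numeric rather than string comparison so that 9.4.10 is correctly treated as newer than 9.4.1. The sample version strings are constructed; treating release lines older than the oldest fixed line (9.1 and 3.7) as vulnerable is an assumption, since the advisory lists no fix for them.

```python
import re
from typing import Dict, Tuple

Version = Tuple[int, ...]
Line = Tuple[int, int]

# Fixed versions from the advisory, keyed by release line (major, minor).
SPLUNK_ENTERPRISE_FIXED: Dict[Line, Version] = {
    (9, 4): (9, 4, 1), (9, 3): (9, 3, 3), (9, 2): (9, 2, 5), (9, 1): (9, 1, 8),
}
SECURE_GATEWAY_FIXED: Dict[Line, Version] = {
    (3, 8): (3, 8, 38), (3, 7): (3, 7, 23),
}


def parse_version(text: str) -> Version:
    """Extract the first dotted numeric version from free text, e.g. the
    constructed `splunk version` output 'Splunk 9.3.2 (build abcdef)'."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def status(version: Version, fixed: Dict[Line, Version]) -> str:
    """Return 'fixed', 'vulnerable' or 'unlisted' for a version.

    Tuples compare element-wise, so (9, 4, 10) >= (9, 4, 1) is True.
    Lines older than the oldest fixed line are assumed vulnerable
    (the advisory publishes no fix for them); newer lines not in the
    table are reported as 'unlisted' rather than guessed at."""
    line: Line = (version[0], version[1] if len(version) > 1 else 0)
    if line in fixed:
        return "fixed" if version >= fixed[line] else "vulnerable"
    if line < min(fixed):
        return "vulnerable"  # assumption: unsupported older line, no fix
    return "unlisted"


def check_host(enterprise_output: str, gateway_version: str) -> Dict[str, str]:
    """Assess both components from their raw version strings."""
    return {
        "splunk_enterprise": status(parse_version(enterprise_output), SPLUNK_ENTERPRISE_FIXED),
        "secure_gateway": status(parse_version(gateway_version), SECURE_GATEWAY_FIXED),
    }


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real host.
    print(check_host("Splunk 9.3.2 (build 0123456789ab)", "3.7.22"))
```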
📡 Detection & Monitoring
Log Indicators:
- Unauthorized KVStore collection modifications by non-admin users
- Access denied errors in Splunk audit logs
SIEM Query:
index=_audit action=kvstore user!=admin user!=power