CVE-2025-20298
📋 TL;DR
A new installation of, or an upgrade to, an affected version of Splunk Universal Forwarder for Windows assigns incorrect permissions to the installation directory (by default C:\Program Files\SplunkUniversalForwarder), letting non-administrator users on the host access the directory and all of its contents. Affected: Universal Forwarder for Windows versions below 9.4.2, 9.3.4, 9.2.6 and 9.1.9. Because the faulty ACL is written by the installer, a host is affected from the moment it is installed or upgraded to one of these versions, not only while the forwarder is running.
💻 Affected Systems
- Splunk Universal Forwarder for Windows
📦 What is this software?
Splunk Universal Forwarder is the lightweight agent Splunk deploys on servers and workstations to collect log, metric and file data and forward it to Splunk indexers. On Windows it runs as the SplunkForwarder service, by default under the Local System account, and installs by default to C:\Program Files\SplunkUniversalForwarder, the directory this advisory concerns.
⚠️ Risk & Real-World Impact
Worst Case
If the misassigned permissions include write access, a local non-administrator can modify or replace binaries, scripted inputs or configuration under the install tree, which the SplunkForwarder service then executes or loads as SYSTEM: a direct path to local privilege escalation and to silently tampering with what the host reports (disabling inputs, redirecting output to an attacker-controlled receiver, or exfiltrating collected data).
Likely Case
Read access alone lets any local user harvest the configuration under etc\: indexer and deployment-server addresses, input definitions that reveal which log sources are monitored, and stored secrets. Splunk encrypts stored passwords with the host's etc\auth\splunk.secret, so a reader who can open both the encrypted value and splunk.secret can recover the plaintext and reuse it elsewhere in the Splunk estate.
If Mitigated
Impact is limited where interactive logon to forwarder hosts is restricted to administrators and access to the install tree is monitored, but the over-permissive ACL is still an unnecessary local attack surface until it is corrected.
🎯 Exploit Status
Exploitation requires a local session (interactive or remote desktop) as a non-administrator on the Windows host. No tooling beyond Explorer or cmd is needed once that session exists, because the weakness is an ordinary filesystem ACL; the page lists no public exploit code, and none is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.4.2, 9.3.4, 9.2.6, or 9.1.9 (depending on your version track)
Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2025-0602
Restart Required: Yes
Instructions:
1. Download the patched release for your version track (9.4.2, 9.3.4, 9.2.6 or 9.1.9) from Splunk's website.
2. Run the installer to upgrade the Universal Forwarder.
3. Restart the SplunkForwarder service (the installer normally does this).
4. Verify the permissions on the installation directory after the upgrade. The ACL is persisted state on disk, so do not assume the version bump alone corrected it: confirm that only Administrators and SYSTEM (plus any dedicated service account) hold access.
🔧 Temporary Workarounds
Manual Directory Permission Fix
Manually set permissions on the Universal Forwarder installation directory so that only Administrators and SYSTEM hold access. The command below removes the inherited ACEs from the directory and grants both principals Full Control with the object-inherit and container-inherit flags, so files and subfolders that inherit from it pick up the restriction:
icacls "C:\Program Files\SplunkUniversalForwarder" /inheritance:r /grant:r "Administrators:(OI)(CI)F" /grant:r "SYSTEM:(OI)(CI)F"
Two caveats. If the SplunkForwarder service runs as a dedicated account rather than Local System, grant that account as well, or the service will fail to start. And because the command is not recursive (no /T), any explicit ACEs the installer wrote directly on subfolders or files are left untouched and must be inspected separately; a recursive listing (icacls "C:\Program Files\SplunkUniversalForwarder" /T) shows them.
🧯 If You Can't Patch
- Apply the manual icacls permission fix above and re-check it after every forwarder upgrade, since an affected installer can reintroduce the problem
- Restrict which non-administrator accounts can log on to forwarder hosts at all (interactive and Remote Desktop logon rights), and alert on access to the install tree by anyone other than SYSTEM and administrators
🔍 How to Verify
Check if Vulnerable:
From a non-administrator session, try to list C:\Program Files\SplunkUniversalForwarder and open a file under etc\; success means the ACL is wrong. From an elevated session, list the ACL (icacls "C:\Program Files\SplunkUniversalForwarder" /T) and look for Allow entries for Users, Everyone or Authenticated Users. Separately confirm whether the installed version is below the fixed release for its track.
Check Version:
"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" version
Verify Fix Applied:
Only Administrators and SYSTEM (and a dedicated service account, if one is configured) should hold Allow entries on the installation directory and everything beneath it, with no entries for Users, Everyone or Authenticated Users. Confirm the Universal Forwarder version is 9.4.2, 9.3.4, 9.2.6 or 9.1.9, or later on the same track.
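The following PowerShell script is an added example for this page (it is not from the Splunk advisory or the Splunk product) that carries out the version check and the recursive ACL audit described above, and with -Remediate applies the same Administrators/SYSTEM-only ACL as the icacls workaround, but recursively and while preserving a dedicated service account. It assumes the default install path, Splunk's default Windows service name SplunkForwarder, that `splunk.exe version` prints a line containing the dotted version, and that the fixed-version list on this page is authoritative for the 9.1 to 9.4 tracks.

```powershell
# Added example, not from the Splunk advisory or the Splunk product: audit a Windows
# Universal Forwarder for CVE-2025-20298 and, with -Remediate, re-apply a strict ACL.
# Assumptions: the default install path, Splunk's default service name "SplunkForwarder",
# and that `splunk.exe version` prints "Splunk Universal Forwarder 9.x.y (build ...)".
[CmdletBinding()]
param(
    [string]$InstallDir = 'C:\Program Files\SplunkUniversalForwarder',
    [switch]$Remediate
)

# Minimum fixed release per track, taken from the advisory text on this page.
$FixedByTrack = @{
    '9.4' = [version]'9.4.2'; '9.3' = [version]'9.3.4'
    '9.2' = [version]'9.2.6'; '9.1' = [version]'9.1.9'
}

# Principals that should hold no Allow ACE anywhere under the forwarder tree.
$BroadPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users',
                     'NT AUTHORITY\INTERACTIVE', 'BUILTIN\Guests')

function Get-UfVersion {
    $line = & "$InstallDir\bin\splunk.exe" version 2>$null | Select-Object -First 1
    if ($line -match '(\d+\.\d+\.\d+)') { return [version]$Matches[1] }
    throw "Could not parse a version from: $line"
}

function Test-VersionVulnerable([version]$v) {
    $track = "$($v.Major).$($v.Minor)"
    if ($FixedByTrack.ContainsKey($track)) { return $v -lt $FixedByTrack[$track] }
    return $null   # track not named on this page (e.g. 9.0 or older): review manually
}

function Get-BroadAces([string]$Path) {
    # Walk the whole tree: the one-line icacls fix above is not recursive, so explicit
    # ACEs written directly on files or subfolders survive it and must be found separately.
    $children = Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($item in @($Path) + @($children | Select-Object -ExpandProperty FullName)) {
        $acl = Get-Acl -LiteralPath $item -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $BroadPrincipals -contains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Path = $item; Identity = $ace.IdentityReference.Value
                    Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Set-StrictAcl([string]$Path) {
    # Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18) by SID, so this is locale-
    # independent. A dedicated service account, if one is configured instead of Local
    # System, keeps Full Control too; otherwise the forwarder cannot start afterwards.
    $grants = @('*S-1-5-32-544:(OI)(CI)F', '*S-1-5-18:(OI)(CI)F')
    $svc = Get-CimInstance Win32_Service -Filter "Name='SplunkForwarder'"
    if ($svc -and $svc.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\SYSTEM)$') {
        $acct = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
        $grants += "${acct}:(OI)(CI)F"
    }
    # 1) Reset every object in the tree to inherit-only, discarding stray explicit ACEs.
    & icacls.exe $Path /reset /T /C | Out-Null
    # 2) Cut inheritance at the root and grant only the principals above; the children,
    #    now inherit-only, end up with exactly these ACEs.
    $icaclsArgs = @($Path, '/inheritance:r')
    foreach ($g in $grants) { $icaclsArgs += @('/grant:r', $g) }
    & icacls.exe @icaclsArgs | Out-Null
}

$ver   = Get-UfVersion
$state = Test-VersionVulnerable $ver
if ($null -eq $state) { Write-Host "$ver is on a track this page does not list: review manually." }
elseif ($state)       { Write-Host "$ver is below the fixed release for its track: upgrade." }
else                  { Write-Host "$ver is at or above the fixed release for its track." }

# Check the on-disk ACL regardless of version: permissions are persisted state and the
# page does not say whether a later upgrade corrects ones set by an affected installer.
$broad = @(Get-BroadAces $InstallDir)
if ($broad.Count -eq 0) { Write-Host 'No Allow ACEs for broad principals under the install tree.' }
else {
    $broad | Format-Table -AutoSize
    if ($Remediate) {
        Set-StrictAcl $InstallDir
        Write-Host "Broad ACEs remaining after remediation: $(@(Get-BroadAces $InstallDir).Count)"
    }
}
```

Save it as a .ps1 and run it from an elevated PowerShell; without -Remediate it only reports. The remediation deliberately resets the children before touching the root, so that an explicit Users ACE on, say, etc\system\local\inputs.conf is cleared rather than left behind by a root-only fix, and it reads the service's logon account from the Service Control Manager rather than assuming Local System.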
📡 Detection & Monitoring
Log Indicators:
- Windows Security events for the SplunkUniversalForwarder tree: 4663 (an attempt was made to access an object) for successful reads or writes by non-administrator accounts, and 4656 with the Audit Failure keyword for handle requests denied once the ACL is corrected. Neither is written unless the File System object-access audit subcategory is enabled and the directory carries a SACL covering the principals of interest; both are off by default.
- Forwarder logs (splunkd.log under var\log\splunk in the install directory) showing configuration reloads or input changes that no administrator made, or connections to an unexpected receiver
Network Indicators:
- Unusual outbound connections from forwarder systems that may indicate data exfiltration
SIEM Query:
index=windows EventCode=4663 ObjectName="*SplunkUniversalForwarder*" | stats count by AccountName, ObjectName
Field names depend on how the Windows add-on renders the event: classic WinEventLog rendering typically yields Object_Name and Account_Name, XML rendering yields ObjectName and SubjectUserName, so adjust the query to your sourcetype. Exclude the SYSTEM account (the forwarder's own activity) and remember that 4663 records only successful access; add EventCode=4656 with the Audit Failure keyword to see denied attempts.
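The script below is an added example for this page, not Splunk's tooling or part of the query above. It does the two things the SIEM query silently depends on, enabling the File System audit subcategory and placing a SACL on the install tree, and then runs the same "who touched what" aggregation against the local Security log, including the 4656 failures that a 4663-only search misses. It assumes the default install path and an elevated session (writing a SACL requires it); the audited principal, rights and lookback window are choices made for the example.

```powershell
# Added example, not from the page's query or from Splunk: make Security event 4663
# actually exist for the SIEM query above, then run the same aggregation locally.
# 4663 is written only when the "File System" audit subcategory is enabled AND the
# directory carries a SACL naming the principals to audit; neither is on by default.
# Assumes the default install path and an elevated session (Set-Acl on a SACL needs it).
using namespace System.Security.AccessControl
param(
    [string]$InstallDir = 'C:\Program Files\SplunkUniversalForwarder',
    [int]$LookbackHours = 24
)

function Enable-UfAccessAuditing {
    # (a) Object-access auditing for the file system, success and failure.
    & auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

    # (b) SACL entry auditing Users-group access to the whole tree. SYSTEM, the usual
    # service account, is not a member of Users, so the forwarder's own constant file
    # activity stays out of the log; human admin accounts usually are members, so their
    # legitimate reads will appear and need to be filtered in the SIEM.
    $rights = [FileSystemRights]'ReadData, WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    $rule = [FileSystemAuditRule]::new('BUILTIN\Users', $rights,
                [InheritanceFlags]'ContainerInherit, ObjectInherit',
                [PropagationFlags]::None,
                [AuditFlags]'Success, Failure')
    $acl = Get-Acl -LiteralPath $InstallDir -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $InstallDir -AclObject $acl
}

function Get-UfAccessEvents {
    # 4663 = object accessed (Success). 4656 with the Audit Failure keyword = handle
    # request denied, which is what a non-admin probing the tree produces once the ACL
    # is fixed; a 4663-only query never sees those attempts.
    $filter = @{ LogName = 'Security'; Id = 4656, 4663; StartTime = (Get-Date).AddHours(-$LookbackHours) }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['ObjectName'] -notlike "$InstallDir*") { continue }
        $outcome = if ($e.KeywordsDisplayNames -contains 'Audit Failure') { 'Denied' } else { 'Allowed' }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            EventId    = $e.Id
            Outcome    = $outcome
            Account    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object     = $d['ObjectName']
            AccessMask = $d['AccessMask']
            Process    = $d['ProcessName']
        }
    }
}

Enable-UfAccessAuditing

# Local counterpart of the page's "stats count by AccountName, ObjectName".
Get-UfAccessEvents |
    Group-Object Account, Outcome, Object |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Auditing BUILTIN\Users rather than Everyone keeps the forwarder's own SYSTEM activity out of the audit trail without any post-filtering; the trade-off is that accounts outside Users (other service accounts, for instance) are not audited, so widen the principal if your host has such accounts and you need to see them. The fields the script extracts (SubjectUserName, ObjectName, AccessMask, ProcessName) are the same ones the Windows add-on forwards to Splunk, so a row in this local output should reconcile directly with a row from the SIEM query.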