CVE-2025-20370

4.9 MEDIUM

📋 TL;DR

This vulnerability allows authenticated Splunk users with the 'change_authentication' capability to send multiple LDAP bind requests to a specific internal endpoint, causing high CPU usage that can lead to denial of service (DoS). Affected systems include Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below specific patch levels.

💻 Affected Systems

Products:
  • Splunk Enterprise
  • Splunk Cloud Platform
Versions:
  • Splunk Enterprise: below 10.0.1, 9.4.4, 9.3.6, 9.2.8
  • Splunk Cloud Platform: below 9.3.2411.108, 9.3.2408.118, 9.2.2406.123
Operating Systems: All supported platforms
Default Config Vulnerable: ✅ No
Notes: Only affects systems where LDAP authentication is configured and users have the 'change_authentication' capability.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete denial of service requiring a restart of the Splunk instance, disrupting monitoring, logging, and security operations.

🟠 Likely Case: Performance degradation and intermittent service disruption affecting Splunk functionality.

🟢 If Mitigated: Minimal impact if proper access controls and monitoring are in place to detect abnormal LDAP activity.

🌐 Internet-Facing: MEDIUM - Requires authenticated user with specific privilege, but internet-facing instances could be targeted by compromised accounts.
🏢 Internal Only: MEDIUM - Internal users with the required capability could intentionally or accidentally trigger the DoS condition.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires authenticated user with specific privilege and knowledge of the internal endpoint.

Exploitation requires the 'change_authentication' capability, which is typically assigned to administrative roles.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Splunk Enterprise: 10.0.1, 9.4.4, 9.3.6, 9.2.8; Splunk Cloud Platform: 9.3.2411.108, 9.3.2408.118, 9.2.2406.123

Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2025-1005

Restart Required: Yes

Instructions:

1. Back up your Splunk configuration.
2. Download the appropriate patch from Splunk's website.
3. Stop Splunk services.
4. Apply the patch following Splunk's upgrade documentation.
5. Restart Splunk services.
6. Verify that the version is updated.

🔧 Temporary Workarounds

Restrict 'change_authentication' capability (applies to: all)

Remove the 'change_authentication' capability from non-essential user roles to limit potential attackers.

Monitor LDAP authentication requests (applies to: all)

Implement monitoring for abnormal LDAP bind request patterns to detect potential exploitation attempts.

🧯 If You Can't Patch

  • Review and restrict user roles with 'change_authentication' capability to only essential administrators.
  • Implement rate limiting or monitoring for LDAP authentication endpoints to detect and block abuse.

🔍 How to Verify

Check if Vulnerable:

Check the Splunk version via the web interface or CLI and compare it against the affected versions. Verify whether any users hold the 'change_authentication' capability.

Check Version:

On Splunk server: $SPLUNK_HOME/bin/splunk version

Verify Fix Applied:

Confirm Splunk version is at or above patched versions. Test that users with 'change_authentication' capability cannot trigger excessive LDAP requests.

📡 Detection & Monitoring

Log Indicators:

  • High frequency of LDAP bind requests from single users
  • Unusual CPU spikes on Splunk servers
  • Authentication endpoint access logs showing repetitive patterns

Network Indicators:

  • Increased traffic to Splunk LDAP authentication endpoints
  • Abnormal request patterns to internal Splunk APIs

SIEM Query:

index=_internal source=*splunkd* (LDAP OR authentication) | stats count by user, source | where count > threshold
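The "high frequency of LDAP bind requests from single users" indicator above needs a concrete rate check to be actionable. The following is an added example, not code from the advisory or from Splunk: it counts LDAP bind events per user inside a sliding time window and flags users who reach a threshold. The log format, the sample lines, the threshold and the window are all constructed for this example; splunkd's real log fields differ, so adapt the regular expression to what your deployment actually records.

```python
"""Flag users generating bursts of LDAP bind attempts.

Added example, not from the advisory or from Splunk. The line format below
is constructed for this example and is not splunkd's real format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines: timestamp, component, user and action.
SAMPLE_LOG = """\
2025-10-01T10:00:00 LDAP user=alice action=bind
2025-10-01T10:00:01 LDAP user=alice action=bind
2025-10-01T10:00:02 LDAP user=bob action=bind
2025-10-01T10:00:03 LDAP user=alice action=bind
2025-10-01T10:00:04 LDAP user=alice action=bind
2025-10-01T10:00:05 LDAP user=alice action=bind
2025-10-01T10:05:00 LDAP user=alice action=bind
2025-10-01T10:05:01 LDAP user=bob action=bind
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+LDAP\s+user=(?P<user>\S+)\s+action=bind$")


def parse_bind_events(log_text: str) -> list[tuple[datetime, str]]:
    """Return (timestamp, user) for each LDAP bind line, sorted by time.

    Lines that do not match the constructed format are ignored.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group("ts")), m.group("user")))
    return sorted(events)


def find_bind_bursts(events, threshold: int, window_seconds: int) -> dict[str, int]:
    """Return {user: peak_count} for users whose bind count within any sliding
    window of window_seconds reaches the threshold.

    A per-user deque keeps only timestamps still inside the window, so the
    scan is linear in the number of events.
    """
    recent: dict[str, deque] = defaultdict(deque)
    peaks: dict[str, int] = {}
    for ts, user in events:
        q = recent[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peaks[user] = max(peaks.get(user, 0), len(q))
    return peaks


if __name__ == "__main__":
    events = parse_bind_events(SAMPLE_LOG)
    # Threshold and window are illustrative; tune them to your baseline.
    for user, peak in find_bind_bursts(events, threshold=5, window_seconds=10).items():
        print(f"ALERT user={user} peak_binds_in_window={peak}")
```

With the constructed sample, only `alice` trips the 5-in-10-seconds rule; `bob` never does. The same per-user sliding-window logic can be expressed as a scheduled search in the SIEM itself, which is what the `where count > threshold` placeholder in the query above stands for once a baseline threshold has been chosen.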
