CVE-2025-20373
📋 TL;DR
The Splunk Add-on for Palo Alto Networks versions below 2.0.2 exposes client secrets in plain text in the _internal index when adding new Data Security Accounts. This vulnerability requires either local access to log files or administrative access to internal indexes, affecting Splunk instances with the vulnerable add-on installed.
💻 Affected Systems
- Splunk Add-on for Palo Alto Networks
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with access to internal logs could extract client secrets, potentially compromising authentication to Palo Alto Networks services and enabling unauthorized access to security data.
Likely Case
Authorized administrators with internal index access could inadvertently view sensitive credentials, leading to potential credential exposure within the organization.
If Mitigated
With proper role-based access controls restricting internal index access to only necessary administrators, the exposure risk is minimal.
🎯 Exploit Status
Exploitation requires existing access to Splunk system files or administrative privileges within Splunk.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.2
Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2025-1105
Restart Required: No
Instructions:
1. Navigate to the Splunk Web interface.
2. Go to Apps > Manage Apps.
3. Find 'Splunk Add-on for Palo Alto Networks'.
4. Click 'Upgrade' and select version 2.0.2 or higher.
5. Follow the upgrade prompts.
🔧 Temporary Workarounds
Restrict Internal Index Access
Limit access to the _internal index to administrator-level roles only, as recommended in the advisory.
🧯 If You Can't Patch
- Review and restrict role-based access to _internal index to only essential administrator accounts
- Implement strict access controls on Splunk server file systems to prevent unauthorized local access
🔍 How to Verify
Check if Vulnerable:
Check the add-on version in Splunk Web: Apps > Manage Apps > Splunk Add-on for Palo Alto Networks > Version
Check Version:
| rest /services/apps/local | search label="Splunk Add-on for Palo Alto Networks" | table label version
Verify Fix Applied:
Verify the add-on version is 2.0.2 or higher in the Apps management interface
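As an added example (not code from the advisory or the vendor), the following Python script parses the JSON that Splunk's /services/apps/local endpoint returns and flags any installed add-on version below 2.0.2. The sample response, the management URL and the auth token are constructed assumptions.

```python
import json
import re
import urllib.request
from typing import Optional

ADDON_LABEL = "Splunk Add-on for Palo Alto Networks"   # label shown in Apps > Manage Apps
FIXED_VERSION = "2.0.2"                                 # first fixed release per SVD-2025-1105

def parse_version(version: str) -> tuple:
    """Map '2.0.1' or '2.0.2-rc1' to a comparable (major, minor, patch) tuple."""
    parts = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def installed_version(apps_json: dict) -> Optional[str]:
    """Pull the add-on version from a /services/apps/local?output_mode=json body (None if absent)."""
    for entry in apps_json.get("entry", []):
        content = entry.get("content", {})
        if content.get("label") == ADDON_LABEL:
            return content.get("version")
    return None

def is_vulnerable(version: Optional[str]) -> Optional[bool]:
    """True if below the fixed version, False if fixed, None if the add-on is not installed."""
    if version is None:
        return None
    return parse_version(version) < parse_version(FIXED_VERSION)

def fetch_apps_local(base_url: str, token: str) -> dict:
    """Query the live management port (assumed https://host:8089) with a Splunk auth token."""
    req = urllib.request.Request(
        f"{base_url}/services/apps/local?output_mode=json&count=0",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

# Constructed sample response: the shape follows Splunk's JSON output, the values are made up.
SAMPLE_RESPONSE = {
    "entry": [
        {"name": "search", "content": {"label": "Search & Reporting", "version": "9.3.0"}},
        {"name": "example_paloalto_addon",
         "content": {"label": ADDON_LABEL, "version": "2.0.1"}},
    ]
}

if __name__ == "__main__":
    # Replace SAMPLE_RESPONSE with fetch_apps_local("https://host:8089", "<token>") for a live check.
    ver = installed_version(SAMPLE_RESPONSE)
    print(f"{ADDON_LABEL}: version={ver} vulnerable={is_vulnerable(ver)}")
```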
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to _internal index
- Suspicious queries targeting client secret fields in logs
SIEM Query:
index=_internal sourcetype="splunkd_access" (uri="*/services/data/inputs/*" OR uri="*/servicesNS/*") | search *secret* OR *password* OR *credential*