CVE-2025-20383

4.3 MEDIUM

📋 TL;DR

This vulnerability allows low-privileged Splunk users who subscribe to mobile push notifications to receive notification titles and descriptions for reports or alerts they don't have permission to view. It affects Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Secure Gateway app versions below 3.9.10, 3.8.58, and 3.7.28 in Splunk Cloud Platform.

💻 Affected Systems

Products:
  • Splunk Enterprise
  • Splunk Secure Gateway app
Versions: Splunk Enterprise: below 10.0.2, 9.4.6, 9.3.8, 9.2.10; Splunk Secure Gateway: below 3.9.10, 3.8.58, 3.7.28
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires mobile push notification subscription feature to be enabled and used.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Sensitive information from restricted reports/alerts is disclosed to unauthorized users, potentially revealing confidential business intelligence, security findings, or operational data.

🟠

Likely Case

Low-privileged users inadvertently gain visibility into report/alert metadata they shouldn't see, creating information leakage but not full report access.

🟢

If Mitigated

Information disclosure limited to notification metadata only, with no access to actual report content or alert details.

🌐 Internet-Facing: LOW - This requires authenticated user access and mobile notification subscription.
🏢 Internal Only: MEDIUM - Internal users with low privileges could access sensitive report metadata they shouldn't see.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a legitimate low-privileged user account and mobile notification subscription.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Splunk Enterprise: 10.0.2, 9.4.6, 9.3.8, 9.2.10; Splunk Secure Gateway: 3.9.10, 3.8.58, 3.7.28

Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2025-1202

Restart Required: Yes

Instructions:

1. Download the appropriate patched version from the Splunk downloads page.
2. Back up the current installation.
3. Install the update following the Splunk upgrade documentation.
4. Restart Splunk services.

🔧 Temporary Workarounds

Disable mobile push notifications (applies to: all)

Temporarily disable the mobile push notification feature to prevent information disclosure.

Navigate to Settings > Server settings > Mobile push notifications > Disable

Restrict notification subscriptions (applies to: all)

Limit which users can subscribe to mobile notifications through role-based access controls.

Edit role permissions to remove the 'subscribe_to_notifications' capability

🧯 If You Can't Patch

  • Review and audit all user roles to ensure proper separation of duties
  • Monitor notification logs for unusual access patterns to restricted reports

🔍 How to Verify

Check if Vulnerable:

Check the Splunk version via the web interface (Settings > Server Info) or the command line, and compare it against the affected versions.

Check Version:

On Splunk server: $SPLUNK_HOME/bin/splunk version

Verify Fix Applied:

After patching, verify that the version is at or above the patched versions, and test notification permissions with a low-privileged user.
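
As an added, offline-runnable check that is not part of the advisory: this Python script parses a `splunk version` string and compares it, per release branch, against the fixed Splunk Enterprise and Secure Gateway versions listed above. The output shape 'Splunk 9.4.5 (build ...)', the default SPLUNK_HOME of /opt/splunk and the function names are assumptions.

```python
import os
import re
import subprocess

# Fixed versions from the advisory, keyed by release branch (major.minor).
FIXED_ENTERPRISE = {"10.0": (10, 0, 2), "9.4": (9, 4, 6), "9.3": (9, 3, 8), "9.2": (9, 2, 10)}
FIXED_SECURE_GATEWAY = {"3.9": (3, 9, 10), "3.8": (3, 8, 58), "3.7": (3, 7, 28)}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first x.y.z version in `text` as an int tuple.
    Assumes `splunk version` prints something like 'Splunk 9.4.5 (build ...)'."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(version, fixed_by_branch):
    """Classify `version` against the advisory's per-branch fixed versions.

    'fixed'      - at or above the fixed release of its branch
    'vulnerable' - below the fixed release of its branch
    'unlisted'   - branch not named in the advisory (e.g. 9.1.x or 9.5.x);
                   do not assume it is safe, check the vendor advisory
    """
    branch = f"{version[0]}.{version[1]}"
    fixed = fixed_by_branch.get(branch)
    if fixed is None:
        return "unlisted"
    return "fixed" if version >= fixed else "vulnerable"


def assess_local_enterprise(splunk_home=None):
    """Run `$SPLUNK_HOME/bin/splunk version` on this host and assess the result."""
    # Falling back to /opt/splunk is an assumption; set SPLUNK_HOME to override.
    home = splunk_home or os.environ.get("SPLUNK_HOME", "/opt/splunk")
    result = subprocess.run([f"{home}/bin/splunk", "version"],
                            capture_output=True, text=True, check=True)
    return assess(parse_version(result.stdout), FIXED_ENTERPRISE)


if __name__ == "__main__":
    # Constructed sample outputs; the build string is a placeholder, not a real build.
    for sample in ("Splunk 9.4.5 (build PLACEHOLDER)", "Splunk 10.0.2 (build PLACEHOLDER)"):
        print(sample, "->", assess(parse_version(sample), FIXED_ENTERPRISE))
```

For the Secure Gateway app, pass the app version from the Splunk app listing to `assess` with `FIXED_SECURE_GATEWAY`.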

📡 Detection & Monitoring

Log Indicators:

  • Audit logs showing notification access to reports by unauthorized users
  • Mobile notification delivery logs with sensitive metadata

Network Indicators:

  • Increased mobile notification traffic to low-privileged users

SIEM Query:

index=_audit action=notification user=* NOT (role=admin OR role=power) | search report_title=*

🔗 References
