CVE-2025-20384
📋 TL;DR
An unauthenticated attacker can inject ANSI escape codes into Splunk log files via the /en-US/static/ endpoint, allowing them to manipulate or obfuscate log data. This affects Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.6, and 9.3.2411.117.125. The vulnerability impacts log integrity and detection capabilities.
💻 Affected Systems
- Splunk Enterprise
- Splunk Cloud Platform
📦 What is this software?
Splunk by Splunk
⚠️ Risk & Real-World Impact
Worst Case
Attackers forge or hide critical security events in logs, enabling undetected persistence and compromising forensic investigations.
Likely Case
Log data corruption or obfuscation that disrupts monitoring, alerting, and compliance reporting.
If Mitigated
Minimal impact if logs are validated externally or the endpoint is restricted, though log integrity remains at risk.
🎯 Exploit Status
Exploitation requires sending crafted HTTP requests to the vulnerable endpoint; no authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Splunk Enterprise: 10.0.1, 9.4.6, 9.3.8, 9.2.10; Splunk Cloud Platform: 10.1.2507.4, 10.0.2503.6, 9.3.2411.117.125
Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2025-1203
Restart Required: Yes
Instructions:
1. Download the patched version from Splunk's official site.
2. Back up your Splunk configuration and data.
3. Install the update following Splunk's upgrade documentation.
4. Restart Splunk services to apply the changes.
🔧 Temporary Workarounds
Restrict Access to /en-US/static/ Endpoint
Use web server or firewall rules to block unauthenticated access to the vulnerable endpoint. Note that /en-US/static/ is also the path from which Splunk Web serves its static assets (scripts, stylesheets), so denying it outright breaks the web UI for legitimate browser users; where possible, limit it to trusted source addresses or put it behind an authenticating reverse proxy rather than blocking it entirely.
# Example for Apache (needs an AuthType/AuthName/AuthUserFile or similar auth provider configured on the proxy):
<Location "/en-US/static/">
    Require valid-user
</Location>
# Example for Nginx (blocks every client, including legitimate UI users; replace "deny all" with allow rules for trusted networks if the UI must stay reachable):
location /en-US/static/ {
    deny all;
}
🧯 If You Can't Patch
- Implement network segmentation to limit access to Splunk instances from untrusted networks.
- Deploy a WAF or reverse proxy to filter malicious HTTP requests targeting the /en-US/static/ endpoint.
🔍 How to Verify
Check if Vulnerable:
Check the Splunk version via the web interface or CLI; if it is below the patched version for its branch and /en-US/static/ is reachable by untrusted clients, assume the instance is vulnerable.
Check Version:
On the Splunk server: $SPLUNK_HOME/bin/splunk version
Verify Fix Applied:
Confirm the Splunk version is at or above the patched version for its branch, then verify that requests to /en-US/static/ containing ANSI escape sequences no longer reach the log files uninterpreted.
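The version check described above, as an added Python example that is not part of the advisory or of Splunk's own tooling: it parses the output of `splunk version` and compares the major.minor branch against the fixed Splunk Enterprise releases listed in the Official Fix section. The fixed-version table is taken from this page; the sample `splunk version` output lines, the status labels and the handling of branches the advisory does not list are assumptions made here. Splunk Cloud Platform uses a four-part version scheme and is not covered.

```python
import re
from typing import Optional, Tuple

# Fixed Splunk Enterprise releases from the advisory, keyed by major.minor branch.
PATCHED_ENTERPRISE = {
    (10, 0): (10, 0, 1),
    (9, 4): (9, 4, 6),
    (9, 3): (9, 3, 8),
    (9, 2): (9, 2, 10),
}

# First x.y.z token in the text; `splunk version` prints something like
# "Splunk 9.4.5 (build <id>)" (assumed format for this example).
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from `splunk version` output, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(text: str) -> str:
    """Classify a `splunk version` output line against the advisory's fixed releases.

    Returns one of: "vulnerable", "fixed", "unknown-version", "unlisted-branch".
    An unlisted branch (for example 9.1.x) has no fixed release on this page, so it
    is reported separately rather than silently treated as fixed.
    """
    version = parse_version(text)
    if version is None:
        return "unknown-version"
    fixed = PATCHED_ENTERPRISE.get(version[:2])
    if fixed is None:
        return "unlisted-branch"
    # Tuple comparison is lexicographic, so 9.4.5 < 9.4.6 and 9.2.9 < 9.2.10.
    return "vulnerable" if version < fixed else "fixed"


if __name__ == "__main__":
    # Constructed sample outputs, not captured from real systems.
    for sample in ("Splunk 9.4.5 (build 1234)", "Splunk 9.4.6 (build 1235)",
                   "Splunk 10.0.0", "Splunk 9.1.5", "no version here"):
        print(f"{sample!r}: {assess(sample)}")
```

Run it against the real output of `$SPLUNK_HOME/bin/splunk version` on each search head and indexer; a result of "vulnerable" or "unlisted-branch" means the instance should be scheduled for the upgrade described in the Official Fix section.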
📡 Detection & Monitoring
Log Indicators:
- Unusual ANSI escape sequences in Splunk log files
- HTTP requests to /en-US/static/ with encoded payloads
Network Indicators:
- HTTP traffic to Splunk instances containing ANSI codes in request parameters
SIEM Query:
index=_internal sourcetype=splunkd_access uri="/en-US/static/*" | regex uri="\x1b|%1[bB]"
A wildcard search such as `| search *\x1b*` matches only the literal characters backslash, x, 1, b, because SPL does not interpret escape sequences in search terms; the regex command uses PCRE, where \x1b is the ESC byte, and %1[bB] catches the percent-encoded form that appears in the recorded request URI.
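The log indicators listed above, as an added Python example that is not part of the advisory: a small scanner that flags ESC (0x1b) in log lines, whether it appears as the raw byte, as the printable escapes `\x1b` or `\033` that some loggers emit, or percent-encoded (`%1b`) inside a request URI, and a helper that makes the raw byte visible before a line is printed to a terminal. The sample access-log lines are constructed for this example and are not real Splunk output; the log line format, the `<ESC>` marker and the function names are assumptions made here.

```python
import re
from typing import Dict, List

# ESC in any of the forms it can take in a log file, optionally followed by a CSI
# parameter/command tail such as "[31m" so the whole sequence is reported together.
ANSI_PATTERN = re.compile(
    r"(\x1b|%1[bB]|\\x1b|\\033)"        # raw ESC, URL-encoded, or printable escape
    r"(\[[0-9;?]*[A-Za-z~])?"            # optional CSI tail, e.g. [0m, [2J, [?25l
)


def find_ansi(line: str) -> List[str]:
    """Return every ANSI escape sequence found in one log line."""
    return [m.group(0) for m in ANSI_PATTERN.finditer(line)]


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Scan log lines and return one record per line that carries escape sequences."""
    hits: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        found = find_ansi(line)
        if found:
            hits.append({"line": number, "sequences": found, "text": sanitize(line)})
    return hits


def sanitize(line: str) -> str:
    """Replace the raw ESC byte with a visible marker so a terminal or pager
    viewing the line cannot interpret the sequence (defensive display only)."""
    return line.replace("\x1b", "<ESC>")


# Constructed sample lines in a generic access-log layout; not captured from Splunk.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Dec/2025:10:00:01] "GET /en-US/static/app.js HTTP/1.1" 200 1234',
    '10.0.0.9 - - [03/Dec/2025:10:00:02] "GET /en-US/static/%1b[0m HTTP/1.1" 404 0',
    '10.0.0.9 - - [03/Dec/2025:10:00:03] "GET /en-US/static/\x1b[31mx\x1b[0m HTTP/1.1" 404 0',
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['sequences']} -> {hit['text']}")
```

Point `scan` at the lines of splunkd_access.log (or any web access log in front of Splunk) from a scheduled job; the `sequences` list tells you which form the injection took, which is useful when deciding whether a proxy or WAF rule should match the raw byte, the percent-encoded form, or both.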