CVE-2025-20385
📋 TL;DR
This is a stored cross-site scripting (XSS) vulnerability in Splunk Enterprise and Splunk Cloud Platform. An authenticated user holding the admin_all_objects capability can inject malicious JavaScript into navigation bar collections; the script executes in other users' browsers when they view the affected navigation. This affects Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below the patch levels listed under Official Fix.
💻 Affected Systems
- Splunk Enterprise
- Splunk Cloud Platform
📦 What is this software?
Splunk by Splunk
⚠️ Risk & Real-World Impact
Worst Case
Privileged attacker steals session cookies, performs actions as other users, or compromises administrator accounts leading to full system takeover.
Likely Case
Privileged insider or compromised admin account performs limited session hijacking or data exfiltration from other users' sessions.
If Mitigated
Limited impact due to proper role-based access controls and regular patching.
🎯 Exploit Status
Exploitation requires an authenticated user with the admin_all_objects capability. The attack is a stored XSS that affects other users who view the navigation bar.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Splunk Enterprise: 10.0.2, 9.4.6, 9.3.8, 9.2.10; Splunk Cloud Platform: 10.1.2507.6, 10.0.2503.7, 9.3.2411.117
Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2025-1204
Restart Required: Yes
Instructions:
1. Download the appropriate patch from Splunk downloads.
2. Back up the configuration.
3. Stop Splunk.
4. Apply the patch.
5. Restart Splunk.
6. Verify the version.
🔧 Temporary Workarounds
Restrict admin_all_objects capability
Review and limit users with the admin_all_objects capability to only essential personnel.
Implement Content Security Policy
Add CSP headers to restrict script execution from unauthorized sources. Because a stored XSS payload is typically delivered as inline script, a policy only helps here if it also disallows inline script execution.
🧯 If You Can't Patch
- Review and audit all users with admin_all_objects capability, removing unnecessary access.
- Implement network segmentation to isolate Splunk instances from critical systems.
🔍 How to Verify
Check if Vulnerable:
Check the Splunk version via the web interface or CLI and compare it against the affected versions list.
Check Version:
$SPLUNK_HOME/bin/splunk version
Verify Fix Applied:
Confirm version is at or above patched versions. Test navigation bar functionality.
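The version comparison above is branch-aware: a 9.4.x build is fixed only at 9.4.6 or later, even though 9.4.x is numerically below 10.0.2. The following script is an added example, not part of the advisory or of Splunk's tooling; it parses the output of `splunk version`, compares it against the fixed Enterprise releases listed on this page, and refuses to call a build on an unlisted branch safe. Sample outputs in `__main__` are constructed.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed Splunk Enterprise releases from the advisory, keyed by maintenance branch.
# Any build on one of these branches that is older than the listed release is affected.
FIXED_ENTERPRISE = {
    (10, 0): (10, 0, 2),
    (9, 4): (9, 4, 6),
    (9, 3): (9, 3, 8),
    (9, 2): (9, 2, 10),
}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(output: str) -> Optional[Version]:
    """Pull the X.Y.Z release out of `splunk version` output such as 'Splunk 9.4.5 (build ...)'."""
    match = _VERSION_RE.search(output)
    return tuple(int(part) for part in match.groups()) if match else None


def assess(output: str) -> str:
    """Classify a `splunk version` string against the advisory's fixed releases.

    Returns 'vulnerable', 'fixed', 'unlisted-branch' (branch not named in the
    advisory, so consult the vendor page rather than assuming safe) or 'unparsed'.
    """
    version = parse_version(output)
    if version is None:
        return "unparsed"
    fixed = FIXED_ENTERPRISE.get(version[:2])
    if fixed is None:
        return "unlisted-branch"
    return "fixed" if version >= fixed else "vulnerable"


def assess_local(splunk_home: str) -> str:
    """Run $SPLUNK_HOME/bin/splunk version on this host and classify the result."""
    result = subprocess.run([f"{splunk_home}/bin/splunk", "version"],
                            capture_output=True, text=True, check=False)
    return assess(result.stdout)


if __name__ == "__main__":
    # Constructed sample outputs, not captured from real hosts.
    for sample in ("Splunk 9.4.5 (build PLACEHOLDER)", "Splunk 9.4.6 (build PLACEHOLDER)",
                   "Splunk 10.0.1 (build PLACEHOLDER)", "Splunk 9.1.4 (build PLACEHOLDER)"):
        print(f"{sample:36} -> {assess(sample)}")
```

The Cloud Platform patch levels listed above use a different version scheme and are not covered by this table.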
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to navigation bar collections
- Multiple failed login attempts followed by successful admin login
- Unexpected JavaScript in navigation configurations
Network Indicators:
- Unusual outbound connections from Splunk server following admin user activity
SIEM Query:
index=_internal source=*web_access.log ("POST /servicesNS/*" OR "PUT /servicesNS/*") | search *navigation* OR *collection* | stats count by user, clientip