CVE-2025-20387

8.0 HIGH

📋 TL;DR

A new installation of, or an upgrade to, an affected Windows version of Splunk Universal Forwarder leaves the installation directory (by default C:\Program Files\SplunkUniversalForwarder) with permissions that let non-administrator local users access the directory and all of its contents. Affected: Windows installations of Splunk Universal Forwarder versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10.

💻 Affected Systems

Products:
  • Splunk Universal Forwarder
Versions: Windows versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The permissive ACL is written by the installer during a new installation of, or an upgrade to, an affected version. Because the ACL lives on the directory rather than in the binaries, a directory whose permissions were loosened by an affected installer stays accessible until they are corrected; check the ACL itself rather than relying on the version number alone.

📦 What is this software?

Splunk Universal Forwarder is the lightweight agent installed on endpoints and servers to collect log and event data and forward it to Splunk indexers. On Windows it runs as the SplunkForwarder service (commonly as LocalSystem or a dedicated service account) and keeps its configuration, including inputs, outputs and any stored credentials, under its installation directory.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Where the loosened ACL includes write access, a local non-admin user can modify forwarder configuration (inputs, outputs) or replace scripts and binaries that the SplunkForwarder service executes with its own privileges, turning the issue into local privilege escalation. Read access alone exposes configuration, credentials stored in the installation directory and collected log data, which can feed data exfiltration or lateral movement.

🟠

Likely Case

Unauthorized users reading configuration files, discovering network targets, or accessing logs containing sensitive information.

🟢

If Mitigated

Limited impact if proper access controls and monitoring are in place to detect unauthorized directory access.

🌐 Internet-Facing: LOW - This is a local privilege issue requiring local user access to the Windows machine.
🏢 Internal Only: HIGH - Any non-admin user on affected Windows systems can exploit this vulnerability locally.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires only a logon as a local non-administrator user on the affected Windows machine. No bypass is involved: the directory ACL itself grants the access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.0.2, 9.4.6, 9.3.8, or 9.2.10

Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2025-1206

Restart Required: Yes

Instructions:

1. Download the patched version from Splunk's website.
2. Run the installer as administrator.
3. Follow the upgrade prompts.
4. Restart the Universal Forwarder service.

🔧 Temporary Workarounds

Manual Directory Permission Correction

Manually set the permissions on the Splunk Universal Forwarder installation directory so that only Administrators and SYSTEM hold access. /inheritance:r drops the entries inherited from C:\Program Files (including the usual read-and-execute grant to Users), and /grant:r replaces any existing explicit entries for the named principals. Add /T so the change is applied to every subfolder and file, and /C to continue past items that fail. Before running it, confirm which account the SplunkForwarder service runs as (for example with: sc qc SplunkForwarder); if it is not LocalSystem, grant that account full control in the same command, or the service will lose access to its own files. Note that /grant:r only replaces entries for the principals you name, so explicit entries for other users that already exist on subitems survive; list the tree afterwards to confirm none remain.

icacls "C:\Program Files\SplunkUniversalForwarder" /inheritance:r /grant:r "Administrators:(OI)(CI)F" /grant:r "SYSTEM:(OI)(CI)F" /T /C

🧯 If You Can't Patch

  • Implement strict access controls and monitoring on the Splunk Universal Forwarder directory
  • Restrict local user access to affected Windows machines and implement least privilege principles

🔍 How to Verify

Check if Vulnerable:

List the ACL of the installation directory (typically C:\Program Files\SplunkUniversalForwarder), for example with: icacls "C:\Program Files\SplunkUniversalForwarder", and look for Allow entries for Users, Authenticated Users, Everyone or individual non-administrator accounts. The direct test is to log on as a standard user and try to list the directory or open a file under etc\system\local.

Check Version:

Run "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" version and compare the reported release against the fixed version for its branch (10.0.2, 9.4.6, 9.3.8 or 9.2.10).

Verify Fix Applied:

After patching, list the ACL again, including subfolders (icacls "C:\Program Files\SplunkUniversalForwarder" /T), and confirm that only Administrators and SYSTEM (plus the service account, if the forwarder does not run as LocalSystem) hold Allow entries. A fixed version number alone does not prove that the directory ACL was corrected.
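
The version check, the ACL audit and the workaround above can be run from one elevated PowerShell session. The following is an added example, not code from the original page or from Splunk. It assumes the default install path, that "splunk.exe version" prints the release as major.minor.patch, and that Administrators and SYSTEM are the only principals that should hold entries; the -ServiceAccount parameter and the allowlist are assumptions to adjust if the SplunkForwarder service runs under a dedicated account.

```powershell
# Added example, not code from the original page or from Splunk. Assumptions:
# the default install path, that "splunk.exe version" prints the release as
# <major>.<minor>.<patch>, and that Administrators and SYSTEM are the only
# principals that should hold ACEs (pass -ServiceAccount / extend the allowlist
# if the SplunkForwarder service runs under a dedicated account).

# Fixed releases from the advisory, keyed by release branch.
$FixedByBranch = @{
    '10.0' = [version]'10.0.2'
    '9.4'  = [version]'9.4.6'
    '9.3'  = [version]'9.3.8'
    '9.2'  = [version]'9.2.10'
}

function Test-SplunkForwarderVersion {
    param([string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder')
    $out = (& "$SplunkHome\bin\splunk.exe" version 2>&1) | Out-String
    if (-not ($out -match '\b(\d+)\.(\d+)\.(\d+)\b')) { throw "Could not parse a version from: $out" }
    $v = [version]($Matches[0])
    $branch = "$($v.Major).$($v.Minor)"
    if ($FixedByBranch.ContainsKey($branch)) {
        $fixedIn = $FixedByBranch[$branch]
    } else {
        # Branch not named in the advisory: only releases at or above the newest
        # fix (10.0.2) are treated as fixed; older lines such as 9.1.x are not.
        $fixedIn = $FixedByBranch['10.0']
    }
    [pscustomobject]@{ Version = $v; FixedIn = $fixedIn; Fixed = ($v -ge $fixedIn) }
}

function Get-UnexpectedSplunkAce {
    param(
        [string]$Path = 'C:\Program Files\SplunkUniversalForwarder',
        [string[]]$AllowedIdentities = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'),
        [switch]$Recurse
    )
    $items = @(Get-Item -LiteralPath $Path)
    if ($Recurse) {
        $items += Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue
    }
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            # Deny entries restrict rather than grant, so only Allow entries are reported.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($AllowedIdentities -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Repair-SplunkForwarderAcl {
    param(
        [string]$Path = 'C:\Program Files\SplunkUniversalForwarder',
        [string]$ServiceAccount   # account the service runs as, if not LocalSystem (assumption)
    )
    # Reset children to plain inheritance first so explicit ACEs left on
    # subfolders or files do not survive the change to the parent.
    & icacls.exe $Path /reset /T /C /Q | Out-Null
    $grants = @('/grant:r', 'Administrators:(OI)(CI)F', '/grant:r', 'SYSTEM:(OI)(CI)F')
    if ($ServiceAccount) { $grants += @('/grant:r', "${ServiceAccount}:(OI)(CI)F") }
    # Drop inherited entries on the parent and grant only the allowed principals;
    # the new entries propagate to everything beneath it.
    & icacls.exe $Path /inheritance:r @grants /Q | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
}

# Usage (elevated PowerShell):
#   Test-SplunkForwarderVersion
#   Get-UnexpectedSplunkAce -Recurse | Format-Table -AutoSize   # any output means exposed
#   Repair-SplunkForwarderAcl; Get-UnexpectedSplunkAce -Recurse  # should return nothing
```

If you pass -ServiceAccount to the repair, add the same account to -AllowedIdentities when re-running the audit, otherwise the grant you just made is reported as unexpected. Get-UnexpectedSplunkAce -Recurse is the check that belongs after an upgrade to a fixed version as well as after the workaround.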

📡 Detection & Monitoring

Log Indicators:

  • Windows Security event ID 4663 (object access) for paths under the Splunk installation directory with a subject other than SYSTEM or the forwarder service account; these events exist only if the "File System" audit subcategory is enabled and the directory carries a SACL, so configure both before relying on this indicator
  • Unexpected changes to forwarder configuration on the host (new or modified files under etc\system\local or etc\apps, new outputs or inputs) that were not pushed by your deployment server

Network Indicators:

  • Unusual outbound connections from Splunk forwarder to unexpected destinations

SIEM Query:

For Security log inputs rendered as XML (sourcetype XmlWinEventLog), where the event data fields are extracted by name:

source="XmlWinEventLog:Security" EventCode=4663 ObjectName="*SplunkUniversalForwarder*" SubjectUserSid!="S-1-5-18" | stats count min(_time) as first_seen max(_time) as last_seen values(ProcessName) as processes values(ObjectName) as objects by host SubjectDomainName SubjectUserName

SubjectUserSid!="S-1-5-18" excludes LocalSystem by SID, which is more reliable than matching the name "SYSTEM" (in 4663 events the local system account appears under the computer account name, HOST$). Add a SubjectUserName exclusion for the forwarder's service account if it does not run as LocalSystem. Filtering on SubjectUserName!="*Administrator*" only drops accounts whose name contains that string, not members of the Administrators group, so review the remaining subjects against your list of admin accounts rather than excluding them blindly. Classic-format inputs (source="WinEventLog:Security") expose the same data as Account_Name, Object_Name and Security_ID. The query returns nothing unless file-system auditing and a SACL on the directory are in place.
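
The following added example (not code from the original page or from Splunk) is the host-side counterpart of that query: it enables the audit trail 4663 depends on and pulls matching events from the local Security log. It assumes the default install path and that LocalSystem (S-1-5-18) is the only principal expected to touch the directory; add the forwarder's service-account SID to -IgnoreSids if that is not the case. Auditing BUILTIN\Users rather than Everyone is a choice made here to keep the forwarder's own SYSTEM activity out of the log.

```powershell
# Added example, not code from the original page or from Splunk. Assumptions:
# default install path; LocalSystem (S-1-5-18) is the only expected accessor.

function Enable-SplunkDirAudit {
    param([string]$Path = 'C:\Program Files\SplunkUniversalForwarder')

    # Event 4663 is only written when the "File System" audit subcategory is on
    # AND the object carries a SACL; neither is configured by default.
    auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }

    # SYSTEM is not a member of BUILTIN\Users, so auditing that group records
    # interactive and service-account users without logging the forwarder itself.
    $rights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        'BUILTIN\Users',
        $rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl = Get-Acl -LiteralPath $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-SplunkDirAccessEvents {
    param(
        [string]$PathPrefix = 'C:\Program Files\SplunkUniversalForwarder',
        [int]$Hours = 24,
        [string[]]$IgnoreSids = @('S-1-5-18')   # LocalSystem; add the service-account SID if needed
    )
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read EventData by name instead of relying on property positions.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.ObjectName -notlike "$PathPrefix*") { return }
        if ($IgnoreSids -contains $data.SubjectUserSid) { return }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Sid     = $data.SubjectUserSid
            Object  = $data.ObjectName
            Access  = $data.AccessMask
            Process = $data.ProcessName
        }
    }
}

# Usage (elevated PowerShell): Enable-SplunkDirAudit once, then
#   Get-SplunkDirAccessEvents -Hours 24 | Format-Table -AutoSize
```

Expect some volume from legitimate administrators, who are normally also members of Users; the point of the SID-based exclusion is that it never hides a real user, so triage the output against your admin list rather than adding name-based exclusions.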
