CVE-2025-20389

4.3 MEDIUM

📋 TL;DR

A low-privileged user without admin or power roles can craft a malicious payload in the label column field when adding a new device in the Splunk Secure Gateway app, potentially causing client-side denial of service. This affects Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Secure Gateway app versions below 3.9.10, 3.8.58, and 3.7.28 on Splunk Cloud Platform.

💻 Affected Systems

Products:
  • Splunk Enterprise
  • Splunk Secure Gateway app
Versions: Splunk Enterprise: below 10.0.2, 9.4.6, 9.3.8, 9.2.10; Splunk Secure Gateway app: below 3.9.10, 3.8.58, 3.7.28
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Splunk Secure Gateway app installed and low-privileged user access to device management features.

⚠️ Risk & Real-World Impact

🔴 Worst Case
Client-side DoS affecting user interface functionality for targeted users or groups, potentially disrupting monitoring or management operations.

🟠 Likely Case
Limited client-side disruption affecting individual users who encounter the malicious payload, with no server-side impact.

🟢 If Mitigated
Minimal impact if proper access controls limit low-privileged user access to device management features.

🌐 Internet-Facing: LOW - Exploitation requires authenticated low-privileged user access and targets client-side effects.
🏢 Internal Only: MEDIUM - Internal users with low privileges could disrupt client-side operations for themselves or others.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated low-privileged user access and knowledge of payload crafting.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Splunk Enterprise: 10.0.2, 9.4.6, 9.3.8, 9.2.10; Splunk Secure Gateway app: 3.9.10, 3.8.58, 3.7.28

Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2025-1208

Restart Required: Yes

Instructions:

1. Download the appropriate patched version from the Splunk website.
2. Back up the current installation.
3. Apply the patch following Splunk upgrade procedures.
4. Restart Splunk services.

🔧 Temporary Workarounds

Restrict device management access (platform: all)

Limit low-privileged user access to Splunk Secure Gateway device management features.

splunk edit user <username> -role <restricted_role> -auth admin:changeme

🧯 If You Can't Patch

  • Implement strict access controls to prevent low-privileged users from accessing device management in Splunk Secure Gateway.
  • Monitor and audit device management activities for suspicious label field entries.

🔍 How to Verify

Check if Vulnerable:

Check Splunk version via web interface (Settings > Server settings) or CLI with 'splunk version', and verify Splunk Secure Gateway app version in Apps management.

Check Version:

splunk version

Verify Fix Applied:

Confirm that the installed versions are at or above the patched release for their own release branch: Splunk Enterprise 10.0.2, 9.4.6, 9.3.8, or 9.2.10; Splunk Secure Gateway app 3.9.10, 3.8.58, or 3.7.28.
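Because Splunk ships the fix on several maintenance branches at once, "below 10.0.2, 9.4.6, 9.3.8, 9.2.10" has to be read per branch: 9.4.5 is still vulnerable even though it is numerically above 9.3.8. The following is an added example (not Splunk tooling) that compares a version against the fixed release on its own major.minor branch; the fixed-version lists are the ones in this advisory, and the input is assumed to be the bare version number rather than the full `splunk version` banner.

```python
"""Branch-aware version check for CVE-2025-20389 (added example, not Splunk tooling)."""
from typing import Dict, Optional, Sequence, Tuple

# Fixed releases per product, copied from the advisory text.
SPLUNK_ENTERPRISE_FIXED = ("10.0.2", "9.4.6", "9.3.8", "9.2.10")
SECURE_GATEWAY_FIXED = ("3.9.10", "3.8.58", "3.7.28")


def parse_version(text: str) -> Tuple[int, ...]:
    """'9.4.6' -> (9, 4, 6). A trailing '-<build>' suffix, if present, is dropped."""
    core = text.strip().split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) < 3:
        raise ValueError(f"need at least major.minor.patch, got {text!r}")
    return parts


def assess(version: str, fixed_versions: Sequence[str]) -> str:
    """Return 'fixed', 'vulnerable' or 'unlisted_branch' for one product version.

    The branch is the major.minor pair, and a version is compared only against
    the fixed release on that same branch. A branch the advisory does not name
    cannot be judged from the advisory alone, so it is reported as unlisted.
    """
    v = parse_version(version)
    by_branch: Dict[Tuple[int, int], Tuple[int, ...]] = {
        (f[0], f[1]): f for f in map(parse_version, fixed_versions)
    }
    fixed = by_branch.get((v[0], v[1]))
    if fixed is None:
        return "unlisted_branch"
    # Tuple comparison handles extra components: (9, 4, 6, 1) >= (9, 4, 6).
    return "fixed" if v >= fixed else "vulnerable"


def assess_deployment(enterprise_version: str,
                      gateway_version: Optional[str]) -> Dict[str, str]:
    """Judge both components; the app is only relevant when it is installed."""
    result = {"splunk_enterprise": assess(enterprise_version, SPLUNK_ENTERPRISE_FIXED)}
    if gateway_version is not None:
        result["secure_gateway"] = assess(gateway_version, SECURE_GATEWAY_FIXED)
    return result


if __name__ == "__main__":
    # Constructed sample inputs: a bare `splunk version` number and the app
    # version shown under Apps management.
    print(assess_deployment("9.4.5", "3.9.10"))  # enterprise vulnerable, app fixed
    print(assess_deployment("9.2.10", None))     # fixed, app not installed
```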

📡 Detection & Monitoring

Log Indicators:

  • Unusual device additions with malformed label fields in Splunk Secure Gateway logs
  • User activity logs showing low-privileged users accessing device management

Network Indicators:

  • No specific network indicators as this is client-side

SIEM Query:

index=_internal source=*secure_gateway* "label" | search NOT label="*normal*" | stats count by user, label
