CVE-2025-22621
📋 TL;DR
CVE-2025-22621 is an improper access control vulnerability in Splunk App for SOAR where following the official documentation's recommendation to add the 'admin_all_objects' capability to the 'splunk_app_soar' role grants excessive privileges to non-admin users. This affects organizations using Splunk App for SOAR versions 1.0.67 and lower where the vulnerable configuration was implemented. Attackers with low-privileged Splunk accounts could gain unauthorized access to sensitive data and administrative functions.
💻 Affected Systems
- Splunk App for SOAR
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with any non-admin Splunk account could gain full administrative control over the Splunk App for SOAR, potentially accessing sensitive security orchestration data, modifying automation workflows, and compromising the entire SOAR environment.
Likely Case
Low-privileged users could access and modify SOAR objects they shouldn't have permission to, leading to data exposure, unauthorized workflow changes, and privilege escalation within the SOAR environment.
If Mitigated
With proper role-based access controls and following updated documentation, users only have appropriate permissions for their roles, preventing unauthorized access to SOAR objects.
🎯 Exploit Status
Exploitation requires a valid Splunk user account (even low-privileged) and the vulnerable configuration to be in place. The attack is straightforward once these conditions are met.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.68 or higher
Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2025-0101
Restart Required: Yes
Instructions:
1. Update Splunk App for SOAR to version 1.0.68 or higher via Splunk Web or the command line.
2. Restart Splunk Enterprise.
3. Review and update role configurations to remove the 'admin_all_objects' capability from the 'splunk_app_soar' role if it was previously added.
🔧 Temporary Workarounds
Remove excessive capability from role
Manually remove the 'admin_all_objects' capability from the 'splunk_app_soar' role configuration. Roles are not managed with `splunk edit user` (that command edits user accounts); the role lives in an authorize.conf stanza named [role_splunk_app_soar], which is $SPLUNK_HOME/etc/system/local/authorize.conf when the capability was added through Splunk Web (Settings > Roles). Delete the line `admin_all_objects = enabled` from that stanza, or untick the capability for the role in Splunk Web, then restart Splunk.
🧯 If You Can't Patch
- Immediately remove the 'admin_all_objects' capability from the 'splunk_app_soar' role configuration
- Implement strict access controls and audit all user activities in the SOAR environment
🔍 How to Verify
Check if Vulnerable:
Check whether the 'admin_all_objects' capability is assigned to the 'splunk_app_soar' role. Roles are read through the management REST API on port 8089 (-k accepts Splunk's self-signed certificate; replace admin:changeme with an admin credential): curl -s -k -u admin:changeme https://localhost:8089/services/authorization/roles/splunk_app_soar | grep admin_all_objects
A match under imported_capabilities rather than capabilities means the role inherits the capability from another role it imports, which is equally exposed.
Check Version:
grep '^version' "$SPLUNK_HOME/etc/apps/splunk_app_soar/default/app.conf"
Verify Fix Applied:
Verify that the capability is removed and the app version is 1.0.68 or higher. The first command should print nothing and the second should show a version of at least 1.0.68: curl -s -k -u admin:changeme https://localhost:8089/services/authorization/roles/splunk_app_soar | grep admin_all_objects; grep '^version' "$SPLUNK_HOME/etc/apps/splunk_app_soar/default/app.conf"
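An added offline check, not part of the advisory or of Splunk's own tooling: it reads copies of the two files behind the checks above (the [role_splunk_app_soar] stanza of authorize.conf and the [launcher] version in the app's app.conf, both standard Splunk file layouts; the app directory name splunk_app_soar is assumed) and reports which of the two conditions still hold, including the case where the app was updated but the capability was never removed.

```shell
#!/bin/sh
# Added example (not from the advisory): offline checks for the two conditions
# behind CVE-2025-22621, run against copies of authorize.conf and app.conf.

# 0 (true) if the [role_splunk_app_soar] stanza of the given authorize.conf
# enables admin_all_objects; stanzas of other roles are ignored.
role_has_admin_all_objects() {
    awk '
        /^\[/ { in_role = ($0 == "[role_splunk_app_soar]") }
        in_role && /^[ \t]*admin_all_objects[ \t]*=[ \t]*enabled/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Prints the version from the [launcher] stanza of the given app.conf.
app_version() {
    awk -F= '
        /^\[/ { in_l = ($0 == "[launcher]") }
        in_l && $1 ~ /^[ \t]*version[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }
    ' "$1"
}

# 0 if dotted version $1 is lower than $2, comparing each component numerically
# (so 1.0.9 < 1.0.68, which a plain string comparison gets wrong).
version_lt() {
    [ -n "$1" ] && [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# Combines both checks; 1.0.68 is the first fixed version named in the advisory.
assess() {  # $1 = authorize.conf path, $2 = app.conf path
    cap=0; old=0
    role_has_admin_all_objects "$1" && cap=1
    version_lt "$(app_version "$2")" 1.0.68 && old=1
    case "$cap$old" in
        11) echo VULNERABLE ;;       # documented bad config on an unfixed app
        10) echo CAPABILITY_ONLY ;;  # app updated, but the capability is still granted
        01) echo OUTDATED_ONLY ;;    # capability absent, app still below 1.0.68
        *)  echo OK ;;
    esac
}

# Constructed sample files so the script runs stand-alone.
demo_dir=$(mktemp -d)
printf '[role_splunk_app_soar]\nadmin_all_objects = enabled\n[role_user]\n' > "$demo_dir/authorize.conf"
printf '[launcher]\nversion = 1.0.67\n' > "$demo_dir/app.conf"
assess "$demo_dir/authorize.conf" "$demo_dir/app.conf"   # prints VULNERABLE
rm -rf "$demo_dir"
```

Point the two paths at the real files on a search head (system/local/authorize.conf and the app's default/app.conf) to check a live install; a CAPABILITY_ONLY result means step 3 of the official fix was skipped.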
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to SOAR objects
- Privilege escalation events in Splunk audit logs
- Unexpected modifications to SOAR workflows or configurations
Network Indicators:
- Unusual API calls to SOAR endpoints from non-admin accounts
SIEM Query:
index=_audit action=access_denied app=splunk_app_soar | stats count by user