Critical RCE Vulnerability CVE-2025-20229 in Splunk Enterprise and Cloud: Patch Now
- Rescana
- Mar 27

Executive Summary
The critical Remote Code Execution (RCE) vulnerability identified as CVE-2025-20229 within Splunk Enterprise and Splunk Cloud Platform has been published under the advisory SVD-2025-0301. With a significant CVSSv3.1 Score of 8.0, this flaw allows a low-privileged user to upload malicious files to the vulnerable directory
Technical Information
CVE-2025-20229 describes a serious vulnerability in Splunk Enterprise and Splunk Cloud Platform: inadequate authorization checks in the file-upload path allow a low-privileged user to achieve RCE. This flaw resides in the mechanism that handles file uploads, specifically targeting the directory
The affected versions of Splunk Enterprise range from 9.3.0 to 9.3.2, 9.2.0 to 9.2.4, and 9.1.0 to 9.1.7. For the Splunk Cloud Platform, affected versions include 9.3.2408.100 to 9.3.2408.103, 9.2.2406.100 to 9.2.2406.107, versions below 9.2.2403.113, and below 9.1.2312.207. Splunk has released fixes in versions 9.3.3, 9.2.5, 9.1.8 for Enterprise, and 9.3.2408.104, 9.2.2406.108, 9.2.2403.114, 9.1.2312.208 for the Cloud Platform. Affected organizations should promptly apply these updates to secure their systems against potential exploitation.
Exploitation in the Wild
As of this report, there are no confirmed instances of CVE-2025-20229 being exploited in the wild. Additionally, there are no publicly available exploits targeting this specific vulnerability. Continuous monitoring of security channels and threat intelligence feeds is advised to detect any emerging threats.
APT Groups using this vulnerability
Currently, there are no known Advanced Persistent Threat (APT) groups or threat actors actively exploiting this vulnerability in their operations.
Affected Product Versions
The vulnerability pertains to Splunk Enterprise versions 9.3.0 to 9.3.2, 9.2.0 to 9.2.4, and 9.1.0 to 9.1.7, with fixes available in 9.3.3, 9.2.5, and 9.1.8. For the Splunk Cloud Platform, affected versions are 9.3.2408.100 to 9.3.2408.103, 9.2.2406.100 to 9.2.2406.107, and those below 9.2.2403.113 and 9.1.2312.207, with patches provided in 9.3.2408.104, 9.2.2406.108, 9.2.2403.114, and 9.1.2312.208. Organizations using these versions should prioritize the implementation of these updates.
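The affected and fixed version ranges above are easy to misread when triaging a large deployment, so the following added example (not part of Rescana's advisory or Splunk's tooling) turns them into a small checker that takes an inventory of Splunk hosts and reports which ones still need to be moved to a fixed release. The version ranges are transcribed from the text above; the host names and inventory are constructed sample data. One assumption is labelled in the code: the page's "below 9.2.2403.113" and "below 9.1.2312.207" are read as any build on that release line, and, following the page's wording literally, the "below" bound is exclusive.

```python
"""Check Splunk Enterprise / Cloud Platform version strings against the
affected ranges listed in the advisory text for CVE-2025-20229."""

from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AffectedRange:
    low: tuple[int, ...]        # inclusive lower bound of the affected range
    high: tuple[int, ...]       # upper bound of the affected range
    high_inclusive: bool        # True for "X to Y", False for "below Y"
    fixed_in: str               # first release that carries the fix


# Ranges transcribed from the advisory text.
AFFECTED: dict[str, list[AffectedRange]] = {
    "enterprise": [
        AffectedRange((9, 3, 0), (9, 3, 2), True, "9.3.3"),
        AffectedRange((9, 2, 0), (9, 2, 4), True, "9.2.5"),
        AffectedRange((9, 1, 0), (9, 1, 7), True, "9.1.8"),
    ],
    "cloud": [
        AffectedRange((9, 3, 2408, 100), (9, 3, 2408, 103), True, "9.3.2408.104"),
        AffectedRange((9, 2, 2406, 100), (9, 2, 2406, 107), True, "9.2.2406.108"),
        # Assumption: "below 9.2.2403.113" / "below 9.1.2312.207" means any
        # build on that release line, so the lower bound is the line's start
        # and the upper bound is exclusive, as the wording says.
        AffectedRange((9, 2, 2403, 0), (9, 2, 2403, 113), False, "9.2.2403.114"),
        AffectedRange((9, 1, 2312, 0), (9, 1, 2312, 207), False, "9.1.2312.208"),
    ],
}


def parse_version(version: str) -> tuple[int, ...]:
    """Extract the first dotted numeric token ('9.3.2', '9.2.2406.105') from
    a version string and return it as a tuple of ints for comparison."""
    match = re.search(r"\d+(?:\.\d+)+", version)
    if not match:
        raise ValueError(f"no dotted version number in {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def assess(product: str, version: str) -> Optional[str]:
    """Return the fixed release a host should move to, or None when the
    version is outside every affected range (patched or a different line)."""
    parsed = parse_version(version)
    for rng in AFFECTED[product.lower()]:
        if len(parsed) != len(rng.low):
            continue  # Enterprise uses 3 components, Cloud Platform uses 4
        under_high = parsed <= rng.high if rng.high_inclusive else parsed < rng.high
        if rng.low <= parsed and under_high:
            return rng.fixed_in
    return None


def triage(inventory: list[dict]) -> list[dict]:
    """Filter an inventory down to hosts still on an affected version."""
    findings = []
    for host in inventory:
        fix = assess(host["product"], host["version"])
        if fix is not None:
            findings.append({"host": host["host"], "version": host["version"], "fixed_in": fix})
    return findings


# Constructed sample inventory; host names and versions are illustrative only.
SAMPLE_INVENTORY = [
    {"host": "splunk-sh-01", "product": "enterprise", "version": "9.3.2"},
    {"host": "splunk-sh-02", "product": "enterprise", "version": "9.3.3"},
    {"host": "splunk-idx-01", "product": "enterprise", "version": "9.1.7"},
    {"host": "splunk-idx-02", "product": "enterprise", "version": "9.0.9"},
    {"host": "cloud-stack-a", "product": "cloud", "version": "9.2.2403.110"},
    {"host": "cloud-stack-b", "product": "cloud", "version": "9.2.2403.114"},
    {"host": "cloud-stack-c", "product": "cloud", "version": "9.3.2408.103"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding['host']}: {finding['version']} is affected, "
              f"upgrade to {finding['fixed_in']}")
```

Two points worth noting when adapting this: versions on lines the advisory does not list (for example 9.0.x above) come back as not affected because the page makes no statement about them, not because they are known safe; and the literal reading of "below 9.2.2403.113" leaves 9.2.2403.113 itself unflagged even though the fix ships in .114, so a conservative operator may prefer to treat everything under the fixed release as needing the upgrade.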
Workaround and Mitigation
To mitigate the risk posed by CVE-2025-20229, Splunk has issued critical updates for affected versions. Users are urged to upgrade to the latest patched releases as detailed above. In addition to patching, it is advisable to enforce strict access controls and regularly audit systems for unauthorized activity. Network segmentation and implementing robust monitoring mechanisms can further reduce risk exposure.
References
For more detailed information, please refer to the following resources:
- Splunk Advisory SVD-2025-0301
- NVD CVE-2025-20229
Rescana is here for you
Rescana is committed to supporting our clients in navigating the complexities of cybersecurity vulnerabilities. Our Third Party Risk Management (TPRM) platform is designed to help you identify and mitigate risks associated with your third-party relationships, ensuring your organization remains secure. Should you have any questions regarding this advisory or other cybersecurity concerns, please do not hesitate to reach out to us at ops@rescana.com.