  • Cybersecurity Vulnerabilities

    CVE-2025-34319: Critical Command Injection Vulnerability Exposes TOTOLINK N300RT Routers

    Overview
    CVE-2025-34319 describes a critical OS command injection vulnerability affecting TOTOLINK N300RT wireless routers. This vulnerability allows an unauthenticated attacker to execute arbitrary commands on the router’s operating system. Firmware versions prior to V3.4.0-B20250430 are affected, with the vulnerability being discovered in version V2.1.8-B20201030.1539.

    Technical Details
    The vulnerability resides in the Boa web server’s handling of the formWsc functionality. Specifically, the targetAPSsid request parameter is susceptible to command injection. An attacker can craft a malicious HTTP request containing shell metacharacters within the targetAPSsid parameter. When processed by the vulnerable firmware, these metacharacters are interpreted as OS commands, leading to arbitrary…

  • Cybersecurity Vulnerabilities

    CVE-2025-20389: Client-Side DoS in Splunk Secure Gateway – Are You Affected?

    Overview
    CVE-2025-20389 describes a medium-severity client-side Denial of Service (DoS) vulnerability found in Splunk Secure Gateway when used with Splunk Enterprise and Splunk Cloud Platform. This vulnerability allows a low-privileged user without “admin” or “power” roles to craft a malicious payload within the `label` column field when adding a new device. This crafted payload can then trigger a DoS condition within the application’s client-side components.

    Technical Details
    The vulnerability resides in the Splunk Secure Gateway app’s device management functionality. A low-privileged user can add a new device and, critically, manipulate the `label` field to include a payload designed to consume…

  • Cybersecurity Vulnerabilities

    CVE-2025-20388: Splunk Authentication Flaw Exposes Internal Network Information

    Overview
    CVE-2025-20388 is a low-severity vulnerability affecting Splunk Enterprise and Splunk Cloud Platform. It allows a user with the change_authentication capability to potentially enumerate internal IP addresses and network ports when adding new search peers to a Splunk search head in a distributed environment. This vulnerability could be exploited to gather information about the internal network infrastructure.

    Technical Details
    The vulnerability exists because a user possessing the change_authentication capability, when adding a search peer, can trigger functionality that exposes internal network details. Specifically, the process of adding a new search peer involves communication with that peer, and the way this…

  • Cybersecurity Vulnerabilities

    Critical Security Flaw: CVE-2025-20387 Exposes Splunk Universal Forwarder on Windows

    Published: 2025-12-03

    Overview
    CVE-2025-20387 is a high-severity vulnerability affecting Splunk Universal Forwarder for Windows versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10. This vulnerability arises from incorrect permissions being assigned to the Universal Forwarder installation directory during a new installation or upgrade process. This flaw allows non-administrator users on the affected machine to gain unauthorized access to the installation directory and its contents.

    Technical Details
    The root cause of CVE-2025-20387 lies in the installation or upgrade scripts of affected Splunk Universal Forwarder versions. These scripts incorrectly set the permissions on the installation directory, granting broader access than intended. This misconfiguration enables…

  • Cybersecurity Vulnerabilities

    CVE-2025-20386: Critical Permissions Vulnerability Exposes Splunk Enterprise for Windows

    Overview
    CVE-2025-20386 is a high-severity vulnerability affecting Splunk Enterprise for Windows versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10. This vulnerability stems from incorrect permissions assignment during a new installation or upgrade, potentially granting unauthorized access to sensitive data and system resources to non-administrator users.

    Technical Details
    The vulnerability lies in the way Splunk Enterprise for Windows assigns permissions to the installation directory during the setup or upgrade process. In affected versions, the permissions granted inadvertently allow non-administrator users to access the Splunk Enterprise installation directory and all of its contents. This includes configuration files, logs, and potentially even executable files.…

  • Cybersecurity Vulnerabilities

    CVE-2025-20385: XSS Vulnerability in Splunk Navigation Bar – Impact and Mitigation

    Overview
    CVE-2025-20385 is a reported Cross-Site Scripting (XSS) vulnerability affecting Splunk Enterprise and Splunk Cloud Platform. Specifically, a user with the high-privilege `admin_all_objects` capability can inject malicious JavaScript code via a crafted payload within the `href` attribute of an anchor tag in the navigation bar. This code can then be executed in the browser of another user interacting with the same navigation bar.

    Technical Details
    The vulnerability lies in the way Splunk handles user-defined content within the navigation bar’s collections. A user possessing the `admin_all_objects` capability, which grants broad administrative privileges, can manipulate the `href` attribute of anchor tags within…

  • Cybersecurity Vulnerabilities

    CVE-2025-20384: Beware! ANSI Escape Code Injection Threatens Splunk Log Integrity

    Overview
    CVE-2025-20384 is a medium-severity vulnerability affecting Splunk Enterprise and Splunk Cloud Platform. This security flaw allows an unauthenticated attacker to inject American National Standards Institute (ANSI) escape codes into Splunk log files. Due to improper validation at the /en-US/static/ web endpoint, specially crafted HTTP requests can be used to poison, forge, or obfuscate sensitive log data. This could significantly impact log integrity and detection capabilities, potentially masking malicious activity.

    Technical Details
    The vulnerability stems from insufficient input validation at the /en-US/static/ web endpoint in Splunk. This allows an attacker to send HTTP requests containing ANSI escape codes. These escape…

  • Cybersecurity Vulnerabilities

    CVE-2025-20383: Critical Data Exposure in Splunk Enterprise via Mobile Push Notifications

    Overview
    CVE-2025-20383 is a medium-severity vulnerability affecting Splunk Enterprise and the Splunk Secure Gateway app in Splunk Cloud Platform. This flaw allows a low-privileged user, lacking “admin” or “power” roles, who subscribes to mobile push notifications to potentially receive sensitive information, namely the title and description of reports or alerts they shouldn’t have access to. This data exposure occurs because the push notifications are not properly checking user permissions before delivering alert details.

    Technical Details
    The vulnerability resides in the mobile push notification functionality of Splunk. When a report or alert is triggered and configured to send push notifications, the…

  • Cybersecurity Vulnerabilities

    CVE-2025-20382: Low-Severity Unvalidated Redirect in Splunk – Are You Affected?

    Overview
    This article provides a comprehensive overview of CVE-2025-20382, a low-severity unvalidated redirect vulnerability affecting Splunk Enterprise and Splunk Cloud Platform. This vulnerability could allow a low-privileged user to potentially redirect other users to a malicious external site via a specially crafted dashboard URL. It’s crucial to understand the details of this vulnerability and take appropriate mitigation steps to protect your Splunk environment.

    Technical Details
    CVE-2025-20382 exists due to insufficient validation of URLs used in custom dashboard backgrounds within Splunk. Specifically, a low-privileged user without “admin” or “power” roles can create a views dashboard with a custom background image using…

  • Cybersecurity Vulnerabilities

    CVE-2025-20381: Critical Vulnerability in Splunk MCP Server Allows SPL Command Bypass

    Overview
    CVE-2025-20381 is a medium-severity vulnerability affecting Splunk MCP Server app versions below 0.2.4. This vulnerability allows a user with access to the “run_splunk_query” Model Context Protocol (MCP) tool to bypass the intended SPL command allowlist controls. By embedding SPL commands as sub-searches within their queries, attackers can execute unauthorized actions, potentially compromising the security and integrity of the Splunk environment.

    Technical Details
    The vulnerability stems from insufficient validation of SPL commands submitted through the “run_splunk_query” MCP tool. The MCP tool is designed to restrict users to a pre-defined set of allowed SPL commands. However, the validation mechanism fails…