Splunk Enterprise Vulnerabilities Allows Privileges Escalation Via Incorrect File Permissions


A high-severity vulnerability has been disclosed in Splunk affecting its Enterprise and Universal Forwarder products for Windows, stemming from incorrect file permissions being set during installation and upgrades.

The vulnerabilities, tracked as CVE-2025-20386 for Splunk Enterprise and CVE-2025-20387 for Universal Forwarder, allow non-administrator users to access sensitive installation directories and their contents, creating a pathway for local privilege escalation.

Improper File Permissions Enable Elevated System Access

The flaw emerges during fresh installations or version upgrades of affected Splunk products on Windows systems.

The installation process assigns overly permissive ACLs to the default installation directories: C:\Program Files\Splunk for Splunk Enterprise and C:\Program Files\SplunkUniversalForwarder for Universal Forwarder.

This misconfiguration grants unprivileged local users read and write access to the sensitive configuration files stored there.


Metric         Details
CVE ID         CVE-2025-20386 (Enterprise), CVE-2025-20387 (Universal Forwarder)
CVSS Score     8.0 (High)
CVSS Vector    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE            CWE-732 (Incorrect Permission Assignment)

Executable binaries, configuration files, and other critical components under these directories should be writable only by administrators.

An attacker with local access could use the excess permissions to modify configuration, inject malicious code into components that the Splunk service loads or executes, and thereby escalate to administrator-level privileges.

Splunk rates both vulnerabilities as CVSS 8.0 (High severity), reflecting the significant risk to affected environments.

The published vector requires authenticated low-privilege access and user interaction (PR:L, UI:R), but the impact is rated high across confidentiality, integrity, and availability (C:H/I:H/A:H).

Immediate remediation requires upgrading to the patched versions: Splunk Enterprise 10.0.2, 9.4.6, 9.3.8, or 9.2.10, and Universal Forwarder 10.0.2, 9.4.6, 9.3.8, or 9.2.10.

For organizations unable to upgrade immediately, Splunk provides mitigation steps using icacls commands to reconfigure directory permissions, removing the inappropriate access rights and reapplying proper inheritance so that files and subfolders pick up the corrected ACL.
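The following PowerShell script is an added example, not Splunk's published mitigation or any code from the advisory. It covers both halves of the problem described above: it audits an installation directory for write access held by low-privilege groups (the check a practitioner would run before and after patching), and, with -Fix, rebuilds the ACL with icacls so that only SYSTEM and Administrators can write, then propagates that ACL down the tree. The default path, the list of low-privilege principals, and the -ServiceAccount parameter (for installs whose splunkd service does not run as LocalSystem) are assumptions for illustration; verify the account your service actually runs as before applying -Fix, or the service may lose access to its own files.

```powershell
# Added example (not Splunk's published procedure): audit and optionally tighten the ACL
# on a Splunk installation directory. Run from an elevated PowerShell prompt.
# Assumptions: the install is at a default path named in the advisory (override with -Path);
# $ServiceAccount is an assumed parameter for splunkd services that run as a dedicated
# account rather than LocalSystem (leave empty when the service runs as SYSTEM).
param(
    [string]$Path = 'C:\Program Files\Splunk',
    [string]$ServiceAccount = '',
    [switch]$Fix
)

# Any of these rights held by a low-privilege principal lets it tamper with the install tree.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

# Well-known groups that every local user belongs to; none of them should write here.
$lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone',
             'NT AUTHORITY\INTERACTIVE')

function Get-WeakAces([string]$dir) {
    # Return the Allow ACEs that give a low-privilege group any write-class right.
    (Get-Acl -Path $dir).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        ([int]($_.FileSystemRights -band $writeMask)) -ne 0
    }
}

if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }

$weak = Get-WeakAces $Path
if (-not $weak) {
    Write-Host "OK: no low-privilege write ACE on $Path"
} else {
    Write-Warning "Low-privilege write access present on ${Path}:"
    $weak | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}

if ($Fix) {
    # Save the current ACLs first so the change can be rolled back with icacls /restore.
    $backup = Join-Path $env:TEMP ("splunk-acl-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))
    icacls "$Path" /save "$backup" /T /C /Q | Out-Null
    Write-Host "ACL backup written to $backup"

    # Rebuild the top-level ACL: stop inheriting from C:\Program Files, then grant
    # SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544) full control that is
    # inherited by subfolders (CI) and files (OI). Give an assumed service account
    # Modify so splunkd keeps working when it is not LocalSystem.
    $grants = @('*S-1-5-18:(OI)(CI)F', '*S-1-5-32-544:(OI)(CI)F')
    if ($ServiceAccount) { $grants += "${ServiceAccount}:(OI)(CI)M" }
    icacls "$Path" /inheritance:r /grant:r $grants

    # Drop any explicit entries the installer left for low-privilege groups, at every level.
    icacls "$Path" /remove:g 'Users' 'Authenticated Users' 'Everyone' 'INTERACTIVE' /T /C /Q

    # Reset the children (not the top folder) so they inherit the rebuilt ACL instead of
    # keeping stale explicit ACEs of their own.
    icacls "$Path\*" /reset /T /C /Q

    if (Get-WeakAces $Path) { throw "Remediation failed: weak ACE still present on $Path" }
    Write-Host "Fixed: $Path is now writable only by SYSTEM and Administrators" +
               $(if ($ServiceAccount) { " (plus $ServiceAccount)" } else { '' })
}
```

Run it once without -Fix against both default paths to see whether the installer left Users or Authenticated Users with write rights; run it with -Fix only after confirming the service account, and re-run the audit after the upgrade to 10.0.2/9.4.6/9.3.8/9.2.10 to confirm the installer no longer reintroduces the weak ACEs.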

Organizations should prioritize patching, given Splunk Enterprise’s prominence in security operations across Fortune 500 companies and government agencies.

The vulnerability affects all supported Windows versions of the listed products, and because Splunk forwarders and indexers carry the security telemetry defenders rely on, a tampered installation is also a risk to the monitoring pipeline itself: an attacker who can modify a forwarder can suppress, alter, or forge the events it ships.
