Introduction
Attackers can leverage unauthenticated blind server side request forgery in Splunk Enterprise to make internal REST API calls as high privileged users. This exposure in widely deployed SIEM and analytics platforms can allow access to sensitive internal resources and disrupt security monitoring operations.
Splunk is a dominant force in the SIEM and operational intelligence market, with thousands of enterprise and government customers worldwide. Its products are critical for log management, security analytics, and compliance monitoring across diverse industries.
Technical Information
CVE-2025-20371 is a blind server side request forgery vulnerability affecting the Splunk Enterprise and Splunk Cloud Platform versions listed below. It allows an unauthenticated attacker to cause the Splunk server to issue HTTP requests to destinations of the attacker's choosing. The flaw lies in how Splunk handles certain REST API calls: user supplied URLs or parameters are not properly validated or restricted before the server acts on them. As a result, an attacker can craft requests that the server executes with the privileges of an authenticated high privileged user, including calls to internal REST API endpoints.
This is a blind SSRF: the attacker does not see the response to the forged request and must infer its outcome indirectly, for example from timing differences or from a callback to a host they control. The request still reaches its destination, so internal endpoints that act on a single request, and the network position of the Splunk server, remain exposed even without a readable response. The vulnerability is classified under CWE-918 (Server Side Request Forgery).
No public code snippets or proof of concept details are available at this time.
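Because no Splunk specific proof of concept is available, the following is a generic illustration of the blind SSRF pattern described above and of the check that closes it. It is an added example written for this page, not Splunk code and not a reproduction of the vulnerable endpoint. The allowlist, the hostnames and the DNS table are constructed for the example; `table_resolve` stands in for a real resolver so the code runs offline, while `socket_resolve` is the real thing.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical destination allowlist for the hardened handler (not Splunk's configuration).
ALLOWED_HOSTS = {"api.example.com", "internal.example.com"}

# Constructed DNS table so the example runs offline; table_resolve stands in for a resolver.
EXAMPLE_DNS = {
    "api.example.com": {"93.184.216.34"},
    "internal.example.com": {"10.0.0.5"},      # allowlisted name that points inside the network
    "metadata.internal": {"169.254.169.254"},  # cloud metadata style link-local target
}


def table_resolve(host):
    return {ipaddress.ip_address(a) for a in EXAMPLE_DNS.get(host.lower(), set())}


def socket_resolve(host):
    """Real resolver: every address the name currently maps to."""
    try:
        return {ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()


def is_internal(ip):
    """True for any address a server should never contact on an untrusted caller's behalf."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url, allowed_hosts=ALLOWED_HOSTS, resolve=socket_resolve):
    """Return (ok, reason). The decision is made on the resolved address, not only the string."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not http(s)"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = {ipaddress.ip_address(host)}   # IP literal, no lookup needed
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return False, "host did not resolve"
    for ip in addrs:
        if is_internal(ip):
            return False, f"{host} resolves to internal address {ip}"
    if host.lower() not in allowed_hosts:
        return False, "host not in allowlist"
    return True, "ok"


def vulnerable_handler(url, fetch):
    """Blind SSRF shape: the server fetches whatever it was given and tells the caller only
    that the job was accepted. The caller never sees the response, but the request happened."""
    fetch(url)
    return {"status": "accepted"}


def hardened_handler(url, fetch, resolve=socket_resolve):
    ok, reason = check_outbound_url(url, resolve=resolve)
    if not ok:
        return {"status": "rejected", "reason": reason}
    fetch(url)  # a real client must also refuse redirects, or re-run the check on every hop
    return {"status": "accepted"}


def run_demo():
    """Constructed attacker inputs against both handlers.
    Returns {url: (vulnerable handler fetched it, hardened handler fetched it)}."""
    attacker_urls = [
        "https://api.example.com/v1/ping",             # legitimate destination
        "http://127.0.0.1:8089/services/server/info",  # loopback literal
        "http://[::ffff:127.0.0.1]:8089/",             # IPv4-mapped loopback
        "http://metadata.internal/latest/",            # resolves to link-local
        "http://internal.example.com/",                # allowlisted but private address
        "file:///etc/passwd",                          # wrong scheme
        "http://api.example.com@127.0.0.1/",           # allowlisted name hidden in userinfo
    ]
    results = {}
    for url in attacker_urls:
        vul_log, hard_log = [], []
        vulnerable_handler(url, fetch=vul_log.append)
        hardened_handler(url, fetch=hard_log.append, resolve=table_resolve)
        results[url] = (len(vul_log) == 1, len(hard_log) == 1)
    return results
```

The point of the two handlers is that their visible behaviour is identical for every input: both answer "accepted" or "rejected" without returning the fetched body. Only the hardened one refuses to send the request at all, which is the only control that matters when the attacker never needed the response in the first place.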
Affected Systems and Versions
- Splunk Enterprise 10.0.x below 10.0.1
- Splunk Enterprise 9.4.x below 9.4.4
- Splunk Enterprise 9.3.x below 9.3.6
- Splunk Enterprise 9.2.x below 9.2.8
- Splunk Cloud Platform 9.3.2411.x below 9.3.2411.109
- Splunk Cloud Platform 9.3.2408.x below 9.3.2408.119
- Splunk Cloud Platform 9.2.2406.x below 9.2.2406.122
Any deployment on one of these release lines below the listed fix is vulnerable, as is any older release line, for which no fixed build is listed. Default and custom configurations are equally affected; the fix is the upgrade, which on Splunk Cloud Platform is applied by Splunk.
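The version list above is per release line, so a plain "is my version older than X" comparison gives wrong answers (9.4.3 is affected, 9.3.6 is not, although 9.3.6 sorts lower). The following is an added example, not a Splunk tool, that encodes the fix versions from the list above and sweeps an inventory of version strings. The inventory, host names and build hashes are constructed; the treatment of release lines older than 9.2 (reported as vulnerable with no in-line fix) and newer than 10.0 (reported as not listed) is this example's assumption, following the page's statement that earlier versions are affected.

```python
import re

# First fixed release per Splunk Enterprise line (major, minor), from the list on this page.
ENTERPRISE_FIXED = {
    (10, 0): (10, 0, 1),
    (9, 4): (9, 4, 4),
    (9, 3): (9, 3, 6),
    (9, 2): (9, 2, 8),
}
# First fixed release per Splunk Cloud Platform line (major, minor, build), from the same list.
CLOUD_FIXED = {
    (9, 3, 2411): (9, 3, 2411, 109),
    (9, 3, 2408): (9, 3, 2408, 119),
    (9, 2, 2406): (9, 2, 2406, 122),
}

VERSION_RE = re.compile(r"\b\d+(?:\.\d+){1,3}\b")


def extract_version(text):
    """First dotted version in free text, e.g. the output of `splunk version`."""
    m = VERSION_RE.search(text)
    return m.group(0) if m else None


def parse_version(s):
    return tuple(int(p) for p in s.strip().split("."))


def fmt(v):
    return ".".join(str(p) for p in v)


def assess(version, product=None):
    """Return (status, first_fixed). Status is "vulnerable", "fixed" or "not listed".
    Cloud versions have four components (9.3.2411.109); three components are read as
    Splunk Enterprise unless product="cloud" is passed explicitly."""
    v = parse_version(version)
    if product is None:
        product = "cloud" if len(v) == 4 else "enterprise"
    table, line_len = (CLOUD_FIXED, 3) if product == "cloud" else (ENTERPRISE_FIXED, 2)
    line = v[:line_len]
    if line in table:
        fixed = table[line]
        return ("vulnerable" if v < fixed else "fixed", fmt(fixed))
    if line < min(table):
        # Older line than any on the page: the page says earlier versions are affected and
        # names no fixed build for them, so report vulnerable with no in-line fix (assumption).
        return ("vulnerable", None)
    # Newer line than any on the page; assumption: it shipped after the fix.
    return ("not listed", None)


def sweep(inventory):
    """inventory: {host: text containing the version}. Returns {host: (version, status, fixed)}."""
    report = {}
    for host, text in inventory.items():
        ver = extract_version(text)
        if ver is None:
            report[host] = (None, "unknown", None)
            continue
        report[host] = (ver,) + assess(ver)
    return report


# Constructed inventory for the example; host names and build hashes are made up.
SAMPLE_INVENTORY = {
    "sh01": "Splunk 9.4.3 (build 0123456789ab)",
    "idx01": "Splunk 10.0.1 (build fedcba987654)",
    "hf01": "Splunk 9.1.7 (build abcdef012345)",
    "cloud-stack": "9.3.2411.108",
    "unknown-box": "version string missing",
}

if __name__ == "__main__":
    for host, row in sweep(SAMPLE_INVENTORY).items():
        print(host, *row)
```

The version text can come from `splunk version` on each host or from the `version` field returned by the `/services/server/info` REST endpoint; either way, record which release line the host is on, not just whether it is "old".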
Vendor Security History
Splunk has addressed SSRF before, most notably CVE-2023-22936, which required an authenticated user and specific search parameters. The vendor runs a formal vulnerability disclosure program and publishes coordinated advisories with remediation steps, including regular advisories that update bundled third party packages to address supply chain risk.