How ZeroPath Works
Back to Blog

Splunk Enterprise CVE-2025-20371: Brief Summary of Unauthenticated Blind SSRF Vulnerability

This post provides a brief summary of CVE-2025-20371, an unauthenticated blind server side request forgery vulnerability affecting specific versions of Splunk Enterprise and Splunk Cloud Platform. The summary covers affected versions, technical details, and vendor security history based on available public sources.
CVE Analysis

7 min read

ZeroPath CVE Analysis

ZeroPath CVE Analysis

2025-10-01

Splunk Enterprise CVE-2025-20371: Brief Summary of Unauthenticated Blind SSRF Vulnerability
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Attackers can leverage unauthenticated blind server side request forgery in Splunk Enterprise to make internal REST API calls as high privileged users. This exposure in widely deployed SIEM and analytics platforms can allow access to sensitive internal resources and disrupt security monitoring operations.

Splunk is a dominant force in the SIEM and operational intelligence market, with thousands of enterprise and government customers worldwide. Its products are critical for log management, security analytics, and compliance monitoring across diverse industries.

Technical Information

CVE-2025-20371 is a blind server side request forgery vulnerability affecting specific versions of Splunk Enterprise and Splunk Cloud Platform. The vulnerability allows an unauthenticated attacker to trigger HTTP requests from the Splunk server to arbitrary destinations. The flaw is rooted in how Splunk processes certain REST API calls, failing to properly validate or restrict user supplied URLs or parameters. As a result, attackers can craft requests that the server executes with the privileges of an authenticated high privileged user.

This is a blind SSRF, meaning the attacker does not directly observe the response to the forged request. However, the attacker can still interact with internal services, potentially accessing sensitive endpoints or leveraging the server's network position for further attacks. The vulnerability is classified under CWE-918 (Server Side Request Forgery).

No public code snippets or proof of concept details are available at this time.

Affected Systems and Versions

  • Splunk Enterprise versions below 10.0.1
  • Splunk Enterprise versions below 9.4.4
  • Splunk Enterprise versions below 9.3.6
  • Splunk Enterprise versions below 9.2.8
  • Splunk Cloud Platform versions below 9.3.2411.109
  • Splunk Cloud Platform versions below 9.3.2408.119
  • Splunk Cloud Platform versions below 9.2.2406.122

Any deployment running these versions or earlier is vulnerable. Both default and custom configurations are affected unless patched.

Vendor Security History

Splunk has previously addressed similar SSRF vulnerabilities, most notably CVE-2023-22936, which affected authenticated users and required specific search parameters. The vendor maintains a formal vulnerability disclosure program and typically releases coordinated advisories with detailed remediation steps. Splunk's patch response time aligns with industry standards, and the company regularly updates third party components to address supply chain risks.

References

Detect & fix
what others miss

Get startedBook a demo