
CVE-2025-20368: Cross-site scripting in Splunk Enterprise (the software does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output used as a web page served to other users)

Severity: Medium
Published: Wed Oct 01 2025 (10/01/2025, 16:08:04 UTC)
Source: CVE Database V5
Vendor/Project: Splunk
Product: Splunk Enterprise

Description

In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a low privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through the error messages and job inspection details of a saved search. This could result in execution of unauthorized JavaScript code in the browser of a user.

AI-Powered Analysis

Last updated: 10/01/2025, 16:18:30 UTC

Technical Analysis

CVE-2025-20368 is a cross-site scripting (XSS) vulnerability affecting Splunk Enterprise versions prior to 9.4.4, 9.3.6, and 9.2.8, as well as corresponding versions of Splunk Cloud Platform. The vulnerability arises because the software fails to properly neutralize or sanitize user-controllable input before embedding it into web pages served to other users. Specifically, a low-privileged user without admin or power roles can craft malicious payloads through error messages and job inspection details associated with saved searches. When these crafted payloads are viewed by other users in their browsers, unauthorized JavaScript code can execute. This type of vulnerability is classified as a reflected or stored XSS, depending on how the payload is delivered and stored. The CVSS 3.1 base score is 5.7 (medium severity), reflecting that the attack vector is network-based, requires low privileges, and user interaction is necessary (the victim must view the malicious content). The impact is primarily on confidentiality, as the injected script could steal session tokens or other sensitive information accessible in the browser context. Integrity and availability are not directly impacted. Exploitation does not require administrative privileges but does require a user to interact with the malicious content. No known exploits are currently reported in the wild. The vulnerability affects multiple recent versions of Splunk Enterprise and Cloud Platform, which are widely used for log management, security information and event management (SIEM), and operational intelligence. Given the nature of Splunk as a critical security and operational tool, exploitation could allow attackers to escalate access or exfiltrate sensitive data via browser-based attacks.
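The root cause described above is output that is assembled from a user-controlled string without encoding it for the HTML context it lands in. The following is an added example, not Splunk's code, that contrasts an unsafe renderer with one that encodes the string before insertion; the function names, the `job-message` markup and the sample message are all hypothetical.

```javascript
// Added example (not Splunk's code): render a user-controlled string such as a
// saved-search error message into HTML, unsafely and then safely.
// Function names, markup and the sample input are constructed for illustration.

// Every HTML-significant character mapped to its entity, so the browser treats
// the string as text rather than markup. Covers both element-body and
// double- or single-quoted attribute contexts.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe: the message is concatenated straight into markup. Whoever controls
// the message controls part of the page every viewer loads.
function renderMessageUnsafe(message) {
  return `<div class="job-message">${message}</div>`;
}

// Safe: the message is encoded for the HTML body context before insertion.
function renderMessageSafe(message) {
  return `<div class="job-message">${escapeHtml(message)}</div>`;
}

// Attribute context: the same encoding, and the attribute value is always quoted
// so an encoded quote cannot terminate it early.
function renderMessageTitleSafe(message) {
  return `<span class="job-message" title="${escapeHtml(message)}">job details</span>`;
}

// Does the rendered HTML still contain an opening tag with this name?
function containsTag(html, tagName) {
  return new RegExp(`<${tagName}\\b`, "i").test(html);
}

// Constructed sample standing in for an error message that carries markup.
const SAMPLE_MESSAGE = 'Search failed near <script>alert(1)</script> at token 3';

// Both renderings side by side, for inspection when the file is run directly.
const RENDERED = {
  unsafe: renderMessageUnsafe(SAMPLE_MESSAGE),
  safe: renderMessageSafe(SAMPLE_MESSAGE),
  attribute: renderMessageTitleSafe(SAMPLE_MESSAGE),
};
```

In a real page the equivalent of `renderMessageSafe` is assigning the string to `textContent` (or a templating engine that escapes by default) rather than building HTML by hand; the encoding table here is what such a template engine applies internally.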

Potential Impact

For European organizations, this vulnerability poses a significant risk especially in sectors heavily reliant on Splunk for security monitoring, compliance, and operational analytics, such as finance, telecommunications, healthcare, and government. Successful exploitation could lead to unauthorized disclosure of sensitive information, including session cookies or tokens, enabling attackers to impersonate legitimate users or gain further access within the environment. This could undermine trust in security monitoring systems and potentially facilitate lateral movement or data exfiltration. Since Splunk dashboards and saved searches are often accessed by multiple users, the risk of cross-user impact is elevated. Additionally, regulatory frameworks such as GDPR impose strict requirements on protecting personal data, and exploitation leading to data leakage could result in legal and financial penalties. The medium severity score suggests moderate urgency, but organizations should prioritize patching due to the critical role of Splunk in security operations and the potential for chained attacks.

Mitigation Recommendations

1. Immediate patching: Upgrade Splunk Enterprise and Splunk Cloud Platform to versions 9.4.4, 9.3.6, 9.2.8 or later, where the vulnerability is fixed.
2. Role-based access control review: Restrict the ability to create or modify saved searches and to view job inspection details to trusted users only, minimizing the risk of malicious payload creation.
3. Input validation and output encoding: Implement additional web application firewall (WAF) rules to detect and block suspicious scripts or payloads in Splunk web traffic.
4. User awareness: Educate users to be cautious when accessing saved searches or error messages from untrusted sources.
5. Monitoring and logging: Enable detailed logging of saved search creation and modification activities to detect anomalous behavior.
6. Network segmentation: Limit access to Splunk web interfaces to trusted networks and VPN users to reduce exposure.
7. Incident response readiness: Prepare to investigate and respond to potential XSS exploitation attempts, including session hijacking or unauthorized access.
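Item 5 above asks for saved-search change logging so that anomalous activity can be spotted. The block below is an added example, not Splunk's code or its audit schema, of the detection logic a defender would run over such a log: it parses key=value audit lines, keeps only saved-search create/update events, and flags those whose name or search text carries HTML markup, recording whether the actor held an admin or power role. The log format, field names and sample lines are constructed for this example.

```javascript
// Added example (not Splunk's code): flag saved-search changes whose name or
// search text contains HTML markup. The key=value log format and the sample
// lines are constructed here and do not claim to match Splunk's audit schema.

const SAMPLE_AUDIT_LINES = [
  'ts=2025-10-01T16:00:01Z user=alice roles=user action=saved_search.create name="daily errors" search="index=app level=error"',
  'ts=2025-10-01T16:02:14Z user=bob roles=user action=saved_search.update name="report <script>fetch(1)</script>" search="index=app"',
  'ts=2025-10-01T16:03:30Z user=carol roles=admin action=saved_search.create name="<b>ops</b> view" search="index=main"',
  'ts=2025-10-01T16:05:00Z user=dave roles=user action=login',
];

// Roles the advisory treats as privileged; anyone else is "low privileged".
const PRIVILEGED_ROLES = new Set(["admin", "power"]);

// An opening or closing tag, a javascript: URL, or an on*= event attribute.
// No "g" flag, so .test() carries no lastIndex state between calls.
const MARKUP_PATTERN = /<\/?[a-z][^>]*>|javascript:|\bon\w+\s*=/i;

// Parse key=value pairs; a value is either double-quoted (may contain spaces
// and '=') or a run of non-whitespace.
function parseAuditLine(line) {
  const fields = {};
  const re = /(\w+)=("([^"]*)"|\S+)/g;
  let m;
  while ((m = re.exec(line)) !== null) {
    fields[m[1]] = m[3] !== undefined ? m[3] : m[2];
  }
  return fields;
}

function isPrivileged(rolesField) {
  return String(rolesField || "")
    .split(",")
    .some((r) => PRIVILEGED_ROLES.has(r.trim()));
}

// One finding per saved-search event whose name or search text looks like markup.
function findSuspiciousSavedSearchEvents(lines) {
  const hits = [];
  for (const line of lines) {
    const ev = parseAuditLine(line);
    if (!ev.action || !ev.action.startsWith("saved_search.")) continue;
    for (const field of ["name", "search"]) {
      if (ev[field] && MARKUP_PATTERN.test(ev[field])) {
        hits.push({
          ts: ev.ts,
          user: ev.user,
          action: ev.action,
          field,
          value: ev[field],
          privileged: isPrivileged(ev.roles),
        });
        break; // one finding per event is enough for triage
      }
    }
  }
  return hits;
}

// Findings over the constructed sample, for inspection when run directly.
const FINDINGS = findSuspiciousSavedSearchEvents(SAMPLE_AUDIT_LINES);
```

The `privileged` flag lets the triage queue rank findings from users outside the admin and power roles first, matching the population the advisory names. Expect tuning: a search string such as `where x<y and y>z` satisfies the tag pattern, so in practice the rule should be scoped to fields that are rendered in the browser (the name and the error text) or paired with an allowlist of known-good searches.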


Technical Details

Data Version
5.1
Assigner Short Name
cisco
Date Reserved
2024-10-10T19:15:13.261Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68dd5401795552734e39105e

Added to database: 10/1/2025, 4:17:05 PM

Last enriched: 10/1/2025, 4:18:30 PM

Last updated: 11/13/2025, 11:07:19 PM

