CVE-2025-20379: Exposure of sensitive information to an actor that is not explicitly authorized to have access to that information (Splunk Enterprise, vendor Splunk)
In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, and 9.2.9 and Splunk Cloud Platform versions below 9.3.2411.116, 9.3.2408.124, 10.0.2503.5 and 10.1.2507.1, a low-privileged user that does not hold the “admin” or “power” Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands. They could bypass these safeguards on the “/services/streams/search” endpoint through its “q” parameter by circumventing endpoint restrictions using character encoding in the REST path. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.
AI Analysis
Technical Summary
CVE-2025-20379 affects Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, and 9.2.9, as well as Splunk Cloud Platform versions below 9.3.2411.116, 9.3.2408.124, 10.0.2503.5, and 10.1.2507.1. The vulnerability arises because a low-privileged user lacking the 'admin' or 'power' role can run a saved search containing risky commands with the permissions of a higher-privileged user. This is achieved through the 'q' parameter of the /services/streams/search REST endpoint: character encoding in the REST path circumvents the endpoint restrictions that are meant to prevent execution of risky commands. Exploitation requires the attacker to phish an authenticated user and trick them into initiating a crafted request from their browser; the attacker cannot trigger it directly without that user interaction. The impact is limited to unauthorized information disclosure: the attacker can read sensitive data but cannot alter data or disrupt availability. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N) reflects a network-based attack of low complexity that requires low privileges and user interaction, with limited confidentiality impact and no integrity or availability impact. No exploits have been observed in the wild, but the vulnerability is a real risk in environments where users hold elevated privileges and phishing is plausible. It underlines the importance of strict role-based access control and of canonicalizing and validating input on REST endpoints that handle sensitive commands.
Potential Impact
For European organizations, the primary impact is unauthorized disclosure of sensitive information within Splunk environments, which may include logs, monitoring data, or other operational intelligence. This could lead to exposure of confidential business information, compliance violations (e.g., GDPR), and potential reputational damage. Since Splunk is widely used in sectors such as finance, telecommunications, and critical infrastructure monitoring across Europe, unauthorized access to sensitive data could aid attackers in reconnaissance or lateral movement. The requirement for phishing and user interaction reduces the likelihood of widespread automated exploitation but increases risk in organizations with less mature security awareness or phishing defenses. The vulnerability does not allow data modification or service disruption, limiting direct operational impact but still posing a significant confidentiality risk. Organizations handling regulated or sensitive data must consider this vulnerability a threat to data privacy and compliance obligations.
Mitigation Recommendations
European organizations should immediately upgrade affected Splunk Enterprise and Cloud Platform instances to the patched versions specified by Splunk (10.0.1, 9.4.5, 9.3.7, and 9.2.9 for Enterprise; 9.3.2411.116, 9.3.2408.124, 10.0.2503.5, and 10.1.2507.1 for Cloud Platform). In the interim, restrict access to the /services/streams/search endpoint to trusted users and roles, and enforce role-based access controls so that low-privileged users cannot execute saved searches containing risky commands. Strengthen phishing defenses through user training, email filtering, and multi-factor authentication to reduce the chance that an attacker can trick a user into initiating a malicious request. Monitor Splunk logs for unusual activity around saved searches and REST API calls, especially requests to this endpoint that carry a 'q' parameter or use percent-encoded characters in the REST path. Consider a web application firewall or API gateway that can detect and block such encoded or otherwise anomalous REST requests. Regularly audit Splunk roles and permissions to limit privilege creep and ensure that only the users who need elevated roles hold them. Finally, maintain an incident response plan that covers detection and containment of exploitation attempts.
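The following Python is an added example, not code from this page, from Splunk, or from the advisory's author. It shows the log-monitoring step above in practice: it scans access-log lines for requests whose path reaches /services/streams/search only after percent-decoding, which is the kind of encoded REST path the description refers to. The log layout, the field names, the sample entries and the helper names (parse_line, analyze_request, find_encoded_endpoint_requests) are assumptions made for the example; a real Splunk access log may differ in format, so the regular expression would need adjusting for production use.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample lines in a combined-log-style layout, invented for this
# example. They are not real Splunk log output; the exact format of a real
# access log for the Splunk REST port may differ.
SAMPLE_LOG = """\
10.0.0.5 - analyst [12/Nov/2025:18:11:36.101 +0000] "GET /services/search/jobs HTTP/1.1" 200 512
10.0.0.5 - analyst [12/Nov/2025:18:11:40.202 +0000] "GET /services/streams/search?q=search%20index%3Dmain HTTP/1.1" 200 2048
10.0.0.9 - viewer [12/Nov/2025:18:12:01.303 +0000] "GET /services/streams/%73earch?q=search%20index%3D_internal HTTP/1.1" 200 4096
10.0.0.9 - viewer [12/Nov/2025:18:12:05.404 +0000] "GET /services/streams/search/?q=search%20index%3Dmain HTTP/1.1" 200 1024
"""

# Assumed field order: source address, identity, user, timestamp, request line, status.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The endpoint named in the advisory.
WATCHED_ENDPOINT = "/services/streams/search"


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = REQUEST_RE.match(line)
    return m.groupdict() if m else None


def path_has_encoding(raw_path):
    """True when the path part (not the query) contains percent-encoded characters."""
    return unquote(raw_path) != raw_path


def analyze_request(fields):
    """Compare the literal request path with its decoded form.

    Returns a dict describing the request when it resolves to the watched
    endpoint, or None when it targets something else."""
    parts = urlsplit(fields["target"])
    raw_path = parts.path
    # Canonicalize the way the server ultimately would: decode, drop trailing slash.
    decoded_path = unquote(raw_path).rstrip("/")
    if decoded_path != WATCHED_ENDPOINT:
        return None
    q = parse_qs(parts.query).get("q", [""])[0]
    return {
        "user": fields["user"],
        "src": fields["src"],
        "raw_path": raw_path,
        "encoded_path": path_has_encoding(raw_path),
        "q": q,
    }


def find_encoded_endpoint_requests(log_text):
    """Return the requests that reach the watched endpoint through a
    percent-encoded path, i.e. the literal path differs from its decoded form."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        finding = analyze_request(fields)
        if finding and finding["encoded_path"]:
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for hit in find_encoded_endpoint_requests(SAMPLE_LOG):
        print(f"{hit['user']}@{hit['src']} reached {WATCHED_ENDPOINT} "
              f"via {hit['raw_path']!r} with q={hit['q']!r}")
```

Only the path component is compared against its decoded form; encoding inside the query string is normal for any client, whereas percent-encoded letters in the endpoint name are unusual for legitimate clients and are what the advisory's "character encoding in the REST path" describes. Plain requests to the endpoint, including one with a trailing slash, are therefore not flagged, which keeps the rule quiet on ordinary traffic.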
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: cisco
- Date Reserved: 2024-10-10T19:15:13.263Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6914cdd8e9dc40953be87359
Added to database: 11/12/2025, 6:11:36 PM
Last enriched: 11/19/2025, 7:04:34 PM
Last updated: 12/27/2025, 11:19:46 PM
Views: 67
Related Threats
- CVE-2025-14177: CWE-125 Out-of-bounds Read in PHP Group PHP (Medium)
- CVE-2025-14180: CWE-476 NULL Pointer Dereference in PHP Group PHP (High)
- CVE-2025-14178: CWE-787 Out-of-bounds Write in PHP Group PHP (Medium)
- CVE-2025-15109: Unrestricted Upload in jackq XCMS (Medium)
- CVE-2025-15108: Use of Hard-coded Cryptographic Key in PandaXGO PandaX (Medium)