
CVE-2025-20383: Information exposure to an unauthorized actor in Splunk Enterprise (the product exposes sensitive information to an actor that is not explicitly authorized to have access to that information)

Severity: Medium
Type: Vulnerability (CVE-2025-20383)
Published: Wed Dec 03 2025 (12/03/2025, 17:00:36 UTC)
Source: CVE Database V5
Vendor/Project: Splunk
Product: Splunk Enterprise

Description

In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and below 3.9.10, 3.8.58, and 3.7.28 of Splunk Secure Gateway app in Splunk Cloud Platform, a low-privileged user that does not hold the "admin" or "power" Splunk roles and subscribes to mobile push notifications could receive notifications that disclose the title and description of the report or alert even if they do not have access to view the report or alert.

AI-Powered Analysis

Last updated: 12/10/2025, 18:33:38 UTC

Technical Analysis

CVE-2025-20383 affects Splunk Enterprise versions prior to 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and versions below 3.9.10, 3.8.58, and 3.7.28 of the Splunk Secure Gateway app on Splunk Cloud Platform. Splunk Secure Gateway is the component that delivers mobile push notifications for saved reports and alerts, and the flaw is in how those notifications are authorized. A user who holds neither the "admin" nor the "power" role and who has subscribed to mobile push notifications can receive notifications carrying the title and description of reports or alerts that the user is not permitted to view in Splunk itself. In other words, the notification path does not apply the same access check as the search and reporting UI before sending metadata. The issue does not allow data to be modified or deleted and does not affect availability; what leaks is the title and description, which for alerts often names the detection, the data source, or the condition being watched and is therefore useful to an attacker for reconnaissance or social engineering. The precondition is an authenticated low-privileged account on the instance that is subscribed to push notifications, so the realistic threat actor is an insider or someone holding a compromised low-privilege account. The CVSS v3.1 score of 4.3 reflects a network vector and low attack complexity with a low confidentiality impact and no integrity or availability impact. No public exploits have been reported; the vulnerability was published on December 3, 2025. It is relevant to any organization using Splunk Enterprise or Splunk Cloud Platform with Splunk Mobile push notifications enabled.

Potential Impact

For European organizations, this vulnerability could lead to unauthorized disclosure of operational or security-related information carried in report and alert titles and descriptions. The leak is limited to that metadata and does not include report results or event data, but alert names and descriptions frequently reveal which detections exist, which log sources are monitored, and which thresholds trigger a response, all of which help an attacker or malicious insider plan activity that stays below the alerting rules. Organizations in regulated sectors such as finance, healthcare, and critical infrastructure may also face compliance questions if alert descriptions contain personal data or details of an ongoing investigation. The impact is bounded by the preconditions: the attacker needs a low-privileged account on the instance and a push notification subscription, so exposure is confined to internal or semi-trusted users rather than anonymous attackers. Given how widely Splunk is used in European enterprises as the SIEM, the confidentiality concern is real even though there is no integrity or availability impact and therefore no risk of operational disruption from this issue alone.

Mitigation Recommendations

To mitigate this vulnerability, organizations should upgrade affected Splunk Enterprise instances to 10.0.2, 9.4.6, 9.3.8, or 9.2.10 or later on the branch they run. Splunk Cloud Platform customers should confirm with Splunk that the Splunk Secure Gateway app on their stack is at 3.9.10, 3.8.58, or 3.7.28 or later, since Cloud stacks are upgraded by Splunk rather than by the customer. Until the fix is applied, audit which accounts are subscribed to mobile push notifications and remove or restrict subscriptions for users who do not hold the "admin" or "power" role, and limit which roles are permitted to use Splunk Mobile at all. Review the titles and descriptions of saved alerts and reports so that they do not carry sensitive detail (detection logic, investigation names, personal data), because that text is exactly what leaks. Monitor for new push subscriptions by low-privileged users and for unusual growth in subscription counts, which would indicate someone harvesting notification metadata. Enforce multi-factor authentication to reduce the chance that a low-privileged account is compromised in the first place, and include the Secure Gateway app in routine configuration reviews of the SIEM deployment.
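As an added example (not part of the advisory and not Splunk's own tooling), the following script does two of the pre-patch triage steps described above: it checks a Splunk Enterprise version string against the fixed versions the advisory lists, and it expands Splunk role inheritance so you can list accounts that hold neither "admin" nor "power" and are therefore in scope if they subscribe to push notifications. The sample role and user data is constructed inline in the shape the real REST endpoints /services/authorization/roles and /services/authentication/users return with output_mode=json (the `imported_roles` and `roles` fields), and the server version comes from /services/server/info in a live deployment. Whether the advisory's "does not hold admin or power" test counts inherited roles is not stated, so the inheritance handling is an assumption controlled by a parameter; the join against the Secure Gateway app's subscription data is left out because its storage format is not described on this page.

```python
"""Pre-patch triage helper for CVE-2025-20383 (added example, not Splunk code).

Two checks:
  1. is_affected_enterprise(): compare a version string with the fixed versions
     the advisory lists for each Splunk Enterprise branch.
  2. in_scope_users(): expand role inheritance and list users who hold neither
     "admin" nor "power", i.e. the population the advisory describes.
"""
from __future__ import annotations

# Fixed versions per branch, taken from the advisory text.
FIXED_ENTERPRISE = {
    (10, 0): (10, 0, 2),
    (9, 4): (9, 4, 6),
    (9, 3): (9, 3, 8),
    (9, 2): (9, 2, 10),
}


def parse_version(version: str) -> tuple[int, ...]:
    """'9.4.5' -> (9, 4, 5); a non-numeric component ends the tuple."""
    parts: list[int] = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected_enterprise(version: str) -> bool | None:
    """True if below the fix on its branch, False if at/after the fix,
    None if the branch is not listed in the advisory (e.g. 9.1.x), which
    must be checked against Splunk's own support matrix rather than assumed safe."""
    v = parse_version(version)
    v = v + (0,) * max(0, 3 - len(v))
    fixed = FIXED_ENTERPRISE.get(v[:2])
    if fixed is None:
        return None
    return v[:3] < fixed


def roles_from_rest(payload: dict) -> dict[str, list[str]]:
    """/services/authorization/roles entries -> {role: [imported roles]}."""
    return {e["name"]: list(e["content"].get("imported_roles", [])) for e in payload["entry"]}


def users_from_rest(payload: dict) -> dict[str, list[str]]:
    """/services/authentication/users entries -> {user: [assigned roles]}."""
    return {e["name"]: list(e["content"].get("roles", [])) for e in payload["entry"]}


def effective_roles(role: str, roles: dict[str, list[str]], seen: set[str] | None = None) -> set[str]:
    """Transitive closure over imported_roles; cycle-safe."""
    seen = set() if seen is None else seen
    if role in seen:
        return seen
    seen.add(role)
    for parent in roles.get(role, []):
        effective_roles(parent, roles, seen)
    return seen


def in_scope_users(users: dict[str, list[str]], roles: dict[str, list[str]],
                   count_inherited: bool = True) -> list[str]:
    """Users without admin or power. count_inherited=True treats a role that
    imports admin/power as holding it (assumption, not stated in the advisory);
    False uses direct assignment only, which is the more conservative audit."""
    privileged = {"admin", "power"}
    flagged = []
    for user, assigned in users.items():
        held: set[str] = set()
        for r in assigned:
            held |= effective_roles(r, roles) if count_inherited else {r}
        if not held & privileged:
            flagged.append(user)
    return sorted(flagged)


# Constructed sample data in the REST JSON shape (not captured from a real system).
SAMPLE_ROLES = {"entry": [
    {"name": "admin", "content": {"imported_roles": ["power", "user"]}},
    {"name": "power", "content": {"imported_roles": ["user"]}},
    {"name": "user", "content": {"imported_roles": []}},
    {"name": "soc_analyst", "content": {"imported_roles": ["user"]}},
    {"name": "soc_lead", "content": {"imported_roles": ["power"]}},
]}
SAMPLE_USERS = {"entry": [
    {"name": "alice", "content": {"roles": ["admin"]}},
    {"name": "bob", "content": {"roles": ["soc_analyst"]}},
    {"name": "carol", "content": {"roles": ["soc_lead"]}},
    {"name": "dave", "content": {"roles": ["user"]}},
]}

if __name__ == "__main__":
    for ver in ("9.4.5", "9.4.6", "10.0.1", "9.1.7"):
        print(ver, "affected:", is_affected_enterprise(ver))
    roles = roles_from_rest(SAMPLE_ROLES)
    users = users_from_rest(SAMPLE_USERS)
    print("in scope (inherited counts):", in_scope_users(users, roles))
    print("in scope (direct only):    ", in_scope_users(users, roles, count_inherited=False))
```

With the constructed data, bob and dave are flagged under both policies, while carol is flagged only when inherited roles are ignored because soc_lead imports power. Feed the flagged list into whatever view of push subscriptions your Secure Gateway deployment exposes; accounts that appear in both lists are the ones to act on before the upgrade.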


Technical Details

Data Version: 5.2
Assigner Short Name: cisco
Date Reserved: 2024-10-10T19:15:13.264Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69306fa787f844e8607995e2

Added to database: 12/3/2025, 5:13:11 PM

Last enriched: 12/10/2025, 6:33:38 PM

Last updated: 1/19/2026, 9:59:46 AM

Views: 134
