CVE-2025-20384: The software does not neutralize or incorrectly neutralizes output that is written to logs, in Splunk Enterprise
In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.6, and 9.3.2411.117.125, an unauthenticated attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files due to improper validation at the /en-US/static/ web endpoint. This may allow them to poison, forge, or obfuscate sensitive log data through specially crafted HTTP requests, potentially impacting log integrity and detection capabilities.
AI Analysis
Technical Summary
CVE-2025-20384 is a vulnerability identified in Splunk Enterprise versions prior to 10.0.1, 9.4.6, 9.3.8, and 9.2.10, as well as corresponding versions of Splunk Cloud Platform. The root cause is the failure to properly neutralize or sanitize output written to log files, specifically allowing injection of ANSI escape codes through the /en-US/static/ web endpoint. ANSI escape codes can manipulate terminal output, enabling attackers to alter how log entries are displayed or interpreted. An unauthenticated attacker can craft HTTP requests containing these escape codes, which get logged by Splunk without adequate sanitization. This results in log poisoning, where log entries can be forged or obfuscated, potentially misleading security analysts or automated detection systems. The vulnerability does not impact confidentiality or availability directly but compromises the integrity of log data, a critical component for security monitoring and incident response. The CVSS 3.1 base score is 5.3, reflecting network attack vector, low complexity, no privileges required, no user interaction, and impact limited to integrity. No public exploits have been reported yet, but the vulnerability poses a risk to organizations relying on Splunk for trustworthy log data. The issue was reserved in October 2024 and published in December 2025, with no patch links provided in the data but fixed versions indicated.
Potential Impact
For European organizations, this vulnerability threatens the integrity of security logs, which are essential for detecting malicious activity, conducting forensic investigations, and maintaining compliance with regulations such as the GDPR and the NIS Directive. Log poisoning can cause false negatives or false positives in security monitoring, delaying or preventing detection of real attacks. Critical sectors such as finance, energy, telecommunications, and government that rely heavily on Splunk for centralized log management and security analytics are particularly exposed. The inability to trust log data can undermine incident response and risk management processes, potentially leading to prolonged breaches or regulatory penalties. Since exploitation requires no authentication and can be performed remotely, the attack surface is broad, increasing the likelihood of opportunistic attacks. However, the lack of known exploits and the medium severity rating suggest the threat is moderate, though it should not be underestimated in high-risk environments.
Mitigation Recommendations
Organizations should prioritize upgrading Splunk Enterprise to version 10.0.1, 9.4.6, 9.3.8, or 9.2.10 or later (whichever applies to the release line in use), and Splunk Cloud Platform to version 10.1.2507.4, 10.0.2503.6, or 9.3.2411.117.125 or later. Until upgrades are applied, implement strict web application firewall (WAF) rules to detect and block HTTP requests containing suspicious ANSI escape sequences targeting the /en-US/static/ endpoint. Enhance log monitoring to identify anomalies indicative of log poisoning, such as unexpected control characters or formatting irregularities. Review and harden input validation and output encoding mechanisms in custom Splunk apps or integrations that handle user-supplied data. Conduct regular audits of log integrity using cryptographic methods or third-party tools to detect tampering. Train security analysts to recognize signs of log manipulation and incorporate this threat into incident response playbooks. Coordinate with Splunk support and monitor vendor advisories for patches and updates. Consider network segmentation and limiting exposure of Splunk management interfaces to reduce the attack surface.
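The two defensive steps above, detecting control characters in already-written log lines and neutralizing output before it is written (the CWE-117 fix the title describes), as an added Python example that is not part of this advisory or of Splunk's code. The log lines are constructed in a generic web-access-log style and are not real Splunk output.

```python
import re
from typing import List, Tuple

# ESC-introduced sequences a terminal or log viewer would interpret:
# CSI (ESC [ params final), OSC (ESC ] ... BEL/ST) and two-byte ESC forms.
ANSI_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"               # CSI, e.g. ESC[2K (erase line), ESC[31m (colour)
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"    # OSC, terminated by BEL or ESC \
    r"|\x1b[@-Z\\-_]"                        # two-byte ESC sequences
)
# Every C0/C1 control character except TAB; includes ESC, CR and LF, so both
# terminal-control sequences and newline-based entry forging are neutralized.
CTRL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f-\x9f]")

# Constructed sample (not real Splunk output): line 0 is benign,
# line 1 carries escape codes inside the requested path.
CONSTRUCTED_LOG = [
    '203.0.113.5 - - [03/Dec/2025:17:13:11 +0000] "GET /en-US/static/app.js HTTP/1.1" 200 512',
    '203.0.113.5 - - [03/Dec/2025:17:13:12 +0000] "GET /en-US/static/\x1b[2K\x1b[31mx\x1b[0m HTTP/1.1" 404 0',
]


def neutralize(line: str) -> str:
    """Output-neutralization step: replace each control character with its
    visible \\xNN spelling before the line is written, so a viewer displays
    the bytes instead of interpreting them."""
    return CTRL_RE.sub(lambda m: "\\x%02x" % ord(m.group()), line)


def find_sequences(line: str) -> List[str]:
    """Detection view: the raw ANSI sequences present in a written line."""
    return ANSI_RE.findall(line)


def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Flag lines that carry ANSI sequences, returning (index, sequences)."""
    hits = []
    for i, line in enumerate(lines):
        seqs = find_sequences(line)
        if seqs:
            hits.append((i, seqs))
    return hits


if __name__ == "__main__":
    for idx, seqs in scan_log(CONSTRUCTED_LOG):
        print("line %d: %d escape sequence(s): %r" % (idx, len(seqs), seqs))
    print(neutralize(CONSTRUCTED_LOG[1]))
```

The detection side is what a monitoring rule for "unexpected control characters" reduces to; the neutralize side is what a log writer must apply to every user-controlled field.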
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: cisco
- Date Reserved: 2024-10-10T19:15:13.264Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69306fa787f844e8607995e5
Added to database: 12/3/2025, 5:13:11 PM
Last enriched: 12/10/2025, 6:33:50 PM
Last updated: 1/19/2026, 7:55:48 AM