
CVE-2025-20384: The software does not neutralize or incorrectly neutralizes output that is written to logs, in Splunk Enterprise

Severity: Medium
Type: Vulnerability (CVE-2025-20384)
Published: Wed Dec 03 2025 (12/03/2025, 17:00:34 UTC)
Source: CVE Database V5
Vendor/Project: Splunk
Product: Splunk Enterprise

Description

In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.6, and 9.3.2411.117.125, an unauthenticated attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files due to improper validation at the /en-US/static/ web endpoint. This may allow them to poison, forge, or obfuscate sensitive log data through specially crafted HTTP requests, potentially impacting log integrity and detection capabilities.

AI-Powered Analysis

Last updated: 12/03/2025, 17:31:05 UTC

Technical Analysis

CVE-2025-20384 affects Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, as well as Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.6, and 9.3.2411.117.125. The vulnerability arises from improper neutralization of output written to log files, specifically the failure to sanitize ANSI escape codes injected via HTTP requests to the /en-US/static/ web endpoint. An unauthenticated attacker can exploit this by crafting malicious HTTP requests containing ANSI escape sequences that, when logged, can manipulate how log entries are displayed or interpreted. This log injection can lead to log poisoning, where false or misleading entries are inserted, or obfuscation, where legitimate entries are hidden or altered visually. The attack does not grant direct access to sensitive data or system control but undermines the integrity and reliability of logs, which are critical for security monitoring, incident response, and compliance auditing. The CVSS v3.1 score of 5.3 reflects a medium severity, with a vector indicating network attack vector, low attack complexity, no privileges or user interaction required, and impact limited to integrity. No known exploits have been reported in the wild as of the publication date. The vulnerability was reserved in October 2024 and published in December 2025. Mitigation primarily involves upgrading to patched versions of Splunk Enterprise and Cloud Platform. Additional defensive measures include monitoring logs for suspicious escape sequences and implementing input validation or filtering at the web application layer to prevent injection of control characters.

Potential Impact

For European organizations, the primary impact is on the integrity and reliability of log data collected by Splunk, a widely used security information and event management (SIEM) platform. Compromised logs can hinder the detection of malicious activities, delay incident response, and complicate forensic investigations, potentially allowing attackers to evade detection. This is particularly critical for sectors with stringent regulatory requirements such as finance, healthcare, energy, and government agencies, where accurate logging is essential for compliance with GDPR, NIS Directive, and other frameworks. While confidentiality and availability are not directly affected, the loss of trust in log data can indirectly increase risk exposure. Organizations relying heavily on Splunk for security monitoring may face increased operational risk and potential regulatory scrutiny if log integrity issues are not addressed promptly. The lack of authentication requirement for exploitation increases the threat surface, especially for internet-facing Splunk deployments or environments where the vulnerable endpoint is exposed.

Mitigation Recommendations

1. Upgrade affected Splunk Enterprise and Splunk Cloud Platform instances to the fixed versions: 10.0.1 or later for Enterprise, and 10.1.2507.4 or later for Cloud Platform.
2. Implement web application firewall (WAF) rules to detect and block HTTP requests containing ANSI escape sequences or suspicious control characters targeting the /en-US/static/ endpoint.
3. Enhance input validation and sanitization at the web server or proxy level to reject or neutralize malicious payloads before they reach Splunk.
4. Monitor Splunk logs for unusual patterns, such as unexpected escape sequences or log entries that appear visually manipulated, and establish alerts for potential log poisoning attempts.
5. Restrict network exposure of Splunk management and web interfaces to trusted internal networks or VPNs to reduce attack surface.
6. Conduct regular audits of log integrity and implement cryptographic log signing where feasible to detect tampering.
7. Educate security teams about this vulnerability and incorporate checks for log integrity anomalies into incident response playbooks.
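Recommendations 3 and 4 ask for neutralizing control characters before they reach the log and for spotting escape sequences already in it. The following Python script is an added example written for this page; it is not Splunk's code and the advisory supplies no such tool. It scans constructed log lines (loosely modeled on a web access log; the addresses, timestamps and paths are made up) for ANSI escape sequences and raw control characters, and renders any flagged line so the sequences become visible text rather than terminal commands. The patterns cover CSI, OSC and two-byte ESC sequences in general, which goes beyond the colour and clear-screen codes the advisory alludes to.

```python
import re
from typing import Dict, List

# ANSI/VT escape sequences introduced by ESC (0x1b):
#   CSI   : ESC [ <params 0x30-0x3f> <intermediates 0x20-0x2f> <final 0x40-0x7e>
#   OSC   : ESC ] ... terminated by BEL (0x07) or ST (ESC \)
#   other : ESC followed by one byte in 0x40-0x5f (e.g. ESC c = terminal reset)
ANSI_ESCAPE_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b[@-Z\\-_]"
)

# Remaining C0 controls plus DEL, excluding TAB. CR and LF matter most: a raw
# CR/LF inside a logged request path fakes a line break, i.e. a forged record.
CONTROL_CHAR_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")

# Constructed sample log lines (not real Splunk output).
SAMPLE_LOG = [
    # benign request for a static asset
    '10.0.0.5 - - [03/Dec/2025:17:00:00 +0000] "GET /en-US/static/app.css HTTP/1.1" 200 512',
    # clear-screen and colour CSI sequences logged inside the path
    '10.0.0.9 - - [03/Dec/2025:17:00:01 +0000] "GET /en-US/static/\x1b[2J\x1b[31mfake HTTP/1.1" 404 0',
    # OSC title-set sequence followed by a cursor-up CSI sequence
    '10.0.0.9 - - [03/Dec/2025:17:00:02 +0000] "GET /en-US/static/\x1b]0;owned\x07\x1b[1A HTTP/1.1" 404 0',
    # raw CR LF in the path, which would display as a second, forged record
    '10.0.0.9 - - [03/Dec/2025:17:00:03 +0000] "GET /en-US/static/x\r\n10.0.0.1 - admin [03/Dec/2025:17:00:03 +0000] GET /login 200 HTTP/1.1" 404 0',
]


def find_escape_sequences(line: str) -> List[str]:
    """Return every ANSI escape sequence present in one log line."""
    return ANSI_ESCAPE_RE.findall(line)


def neutralize(line: str) -> str:
    """Render a log line so control bytes become inert, visible text.

    ESC becomes the four characters '\\x1b' and every other control byte
    becomes '\\xNN', so a terminal or log viewer prints them instead of
    obeying them. Applying this before writing is the 'neutralize output'
    fix; applying it when viewing is a safe way to inspect suspect lines.
    """
    def show(m):
        return "\\x{:02x}".format(ord(m.group(0)))

    line = line.replace("\x1b", "\\x1b")   # ESC first, so sequence bodies stay readable
    return CONTROL_CHAR_RE.sub(show, line)


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Flag lines carrying escape sequences or stray control characters."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        seqs = find_escape_sequences(line)
        # count controls that are not already part of a recognized sequence
        residue = ANSI_ESCAPE_RE.sub("", line)
        ctrl = CONTROL_CHAR_RE.findall(residue)
        if seqs or ctrl:
            findings.append({
                "line": lineno,
                "escape_sequences": len(seqs),
                "control_chars": len(ctrl),
                "neutralized": neutralize(line),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("line {line}: {escape_sequences} escape seq, {control_chars} control chars".format(**f))
        print("  ", f["neutralized"])
```

The detector reports the benign first line as clean and the other three as tampered; the neutralized rendering is what an alert or a log viewer should show, since printing the original line to a terminal would execute the very sequences being reported.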


Technical Details

Data Version: 5.2
Assigner Short Name: cisco
Date Reserved: 2024-10-10T19:15:13.264Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69306fa787f844e8607995e5

Added to database: 12/3/2025, 5:13:11 PM

Last enriched: 12/3/2025, 5:31:05 PM

Last updated: 12/5/2025, 3:01:31 AM

