CVE-2025-20387 is a vulnerability affecting Splunk Universal Forwarder for Windows versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10. The issue stems from the product assigning overly permissive access rights to the Universal Forwarder installation directory during installation or upgrade processes. Specifically, non-administrator users on the affected Windows machine can gain read and write access to the directory and all its contents. This misconfiguration allows unintended actors with limited local privileges to access sensitive configuration files, potentially modify them, or tamper with log data collected by the forwarder. The vulnerability impacts confidentiality, integrity, and availability of the Splunk Universal Forwarder deployment. Exploitation requires local access with at least limited privileges and some user interaction, such as triggering an upgrade or installation. The CVSS 3.1 base score is 8.0, reflecting high severity due to network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability. No known exploits have been reported in the wild yet, but the vulnerability poses a significant risk especially in environments where multiple users share access to the same Windows host. Splunk Universal Forwarder is widely used for log aggregation and monitoring in enterprise environments, making this vulnerability particularly concerning for organizations relying on accurate and secure log data for security monitoring and compliance. The vulnerability was publicly disclosed on December 3, 2025, with no official patches linked in the provided data, but fixed versions are indicated by the version numbers above. Organizations should verify their Splunk Universal Forwarder versions and upgrade to the fixed releases to remediate the issue.

For European organizations, this vulnerability could lead to unauthorized local users accessing or modifying critical log forwarding configurations and data, undermining the integrity and confidentiality of security monitoring. This can result in undetected malicious activity, data exfiltration, or disruption of log collection, which is essential for incident response and compliance with regulations such as GDPR. The ability for non-administrators to alter Splunk Universal Forwarder files could facilitate privilege escalation or lateral movement within networks. Critical sectors such as finance, healthcare, energy, and government entities that rely heavily on Splunk for security monitoring are at heightened risk. The disruption or manipulation of log data could also impact forensic investigations and regulatory reporting. Given the networked nature of many European enterprises, a compromised host could serve as a pivot point for broader attacks. The vulnerability’s exploitation does not require administrative privileges but does require local access, so insider threats or compromised user accounts pose a significant risk vector.

1. Immediately upgrade Splunk Universal Forwarder for Windows to versions 10.0.2, 9.4.6, 9.3.8, or 9.2.10 or later, which contain fixes for this vulnerability. 2. Audit and restrict local user permissions on Windows hosts running Splunk Universal Forwarder to ensure only trusted administrators have access to the installation directories. 3. Implement strict access controls and user account management policies to minimize the number of local users with access to affected systems. 4. Monitor file integrity of the Splunk Universal Forwarder installation directory using endpoint detection and response (EDR) tools or file integrity monitoring solutions to detect unauthorized changes. 5. Employ application whitelisting and privilege management to prevent unauthorized modifications to Splunk files. 6. Conduct regular security awareness training to reduce the risk of insider threats and educate users about the risks of local privilege abuse. 7. Review and harden Windows host security configurations, including local group policies and NTFS permissions, to prevent unauthorized access. 8. Consider network segmentation to limit access to critical Splunk servers and forwarders from untrusted users or devices. 9. Maintain up-to-date backups of Splunk configurations and data to enable recovery in case of tampering or disruption.