Medium

Sensitive search result disclosure via guessed Search ID in Splunk background jobs

IdentifiersCVE-2025-20366CWE-639

CVE-2025-20366 is an access control / information disclosure vulnerability in Splunk Enterprise and Splunk Cloud Platform. In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.111, 9.3.2408.119, and 9.2.2406.122, a low-privileged user who does not have the admin or power roles can access the results of an administrative search job that is running in the background. Exploitation requires the attacker to guess the unique Search ID (SID) associated with that job; if the SID is correctly guessed, the attacker can retrieve the job results despite lacking the intended privileges. The issue is therefore an authorization weakness tied to direct access to a job resource identified by SID, resulting in exposure of sensitive search results.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a low-privileged authenticated user to read search results generated by administrative background jobs. Depending on the content of those jobs, this can expose sensitive operational, security, or business data indexed or queried by Splunk, and may reveal information that should be restricted to higher-privileged roles. The primary impact is confidentiality loss rather than code execution or privilege escalation.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by limiting the ability of low-privileged users to access search job artifacts and by restricting assignment of high-privilege roles. Minimize use of background administrative searches where feasible until patched, and monitor for anomalous access to search jobs or repeated attempts to retrieve job results by SID. Splunk also recommended disabling Splunk Web when it is not required as a temporary general mitigation, although that is not specific to this flaw.

Remediation

Patch, then assume compromise.

Upgrade Splunk Enterprise to a fixed release: 9.4.4, 9.3.6, 9.2.8, or later. For Splunk Cloud Platform, fixed builds are 9.3.2411.111, 9.3.2408.119, 9.2.2406.122, or later; Splunk indicated that cloud patches are applied automatically / instances are actively being patched. Validate that all affected deployments are running a non-vulnerable version and review access to historical or active search jobs after patching.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

SplunkSplunkapplication

SplunkSplunk Cloud Platformapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app

scworldNews

Oct 6, 2025

Splunk warns of six severe security bugs

An access control vulnerability in Splunk background jobs that could expose sensitive search results.

cybersecuritynewsNews

Oct 2, 2025

Multiple Splunk Enterprise Vulnerabilities Let Attackers Execute Unauthorized JavaScript code

A medium-severity information disclosure vulnerability in Splunk Enterprise and Cloud Platform allowing low-privileged users to access sensitive search results if they can guess the Search ID.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-20366

NVD

nvd.nist.gov/vuln/detail/CVE-2025-20366

MITRE CWE · CWE-639

cwe.mitre.org

Vendor Advisory

advisory.splunk.com/advisories/SVD-2025-1001