New Splunk Windows Flaw Enables Privilege Escalation Attacks

A Splunk Windows flaw lets local users overwrite protected files and escalate to SYSTEM.

Written by Ken Underhill, Dec 5, 2025

A newly disclosed high-severity flaw in Splunk for Windows allows local users to escalate privileges due to incorrect file permissions applied during installation and upgrades. 

The issue impacts both Splunk Enterprise and Universal Forwarder, creating a pathway for attackers to overwrite sensitive files and gain elevated system access. 

The Splunk Enterprise vulnerability “… lets non-administrator users on the machine access the directory and all its contents,” said Splunk in its advisory.

Inside the Splunk Permission Flaws

The vulnerabilities CVE-2025-20386 (affecting Splunk Enterprise) and CVE-2025-20387 (affecting Splunk Universal Forwarder) originate from improper permission configurations applied by Splunk’s Windows installer. 

During both new installations and version upgrades, the installer may assign overly broad NTFS access rights to Splunk’s default installation directories, granting non-administrator users read/write permissions to files that should be protected.

These directories contain high-impact components, including:

  • Executable binaries that Splunk services load at startup
  • Configuration files controlling indexing, forwarding, and authentication behavior
  • PowerShell, Python, and batch scripts invoked by Splunk’s service processes
  • Modular inputs and technology add-ons capable of running code with elevated privileges

With write access to these assets, an authenticated but low-privileged user may:

  • Replace Splunk binaries (e.g., splunkd.exe) with malicious trojans or backdoored executables
  • Modify critical configuration files, enabling execution of attacker-controlled code or altering service behavior
  • Inject rogue startup scripts that run automatically under the privileged Splunk service account
  • Hijack DLLs or supporting executables in the installation directory to achieve system-level persistence
  • Escalate privileges from a standard user to NT AUTHORITY\SYSTEM by abusing Splunk’s elevated service permissions

Because Splunk services typically run with LocalSystem-level rights, any malicious file the service loads results in immediate privilege escalation and full compromise of the underlying host.

Splunk rated the flaws CVSS 8.0 due to the potential for complete loss of confidentiality, integrity, and availability. 

Although exploitation requires an authenticated user, many enterprise environments grant broad internal access — meaning the barrier to exploitation may be significantly lower in real-world deployments.

Critical Steps to Harden Splunk Deployments

Because attackers can exploit misconfigured permissions to replace binaries, inject malicious scripts, or escalate privileges to SYSTEM, securing Splunk directories and services is essential. 

  • Patch Splunk Enterprise and Universal Forwarder to the latest fixed versions as soon as possible.
  • Restrict NTFS permissions on Splunk directories so only administrators can modify binaries, configs, and scripts.
  • Implement application allow-listing to block unauthorized executables from running inside Splunk directories.
  • Run Splunk services with least-privilege accounts and limit interactive logons on Splunk servers.
  • Monitor Splunk paths with EDR and file-integrity tools to detect unauthorized changes or suspicious child processes.
  • Validate configuration integrity across all Splunk deployments, including directory permissions, apps, and forwarder settings.
  • Segment Splunk infrastructure and monitor for lateral movement or privilege-escalation attempts originating from Splunk systems.

By implementing these controls, organizations can reduce the risk of privilege escalation within Splunk’s Windows components and effectively limit the blast radius of any attempted compromise.
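The ACL audit below is an added example written for this article; it is not Splunk’s own tooling or remediation script. It assumes the default Windows install paths (`C:\Program Files\Splunk` and `C:\Program Files\SplunkUniversalForwarder`) and a list of broad principals that should never hold write-class rights on a service install tree. Run it from an elevated PowerShell prompt: by default it only reports access-control entries that give non-administrators the ability to modify, replace or delete files under the Splunk tree (the condition the advisory describes); with `-Remediate` it strips those explicit entries, and because it supports `-WhatIf` you can preview the change first. Inherited entries are reported but not removed, since they must be fixed on the parent directory they come from. This tightens permissions as an interim control; patching to the fixed versions remains the actual fix.

```powershell
# Audit (and optionally tighten) NTFS ACLs on Splunk install directories.
# Added example, not part of Splunk's product. Install paths below are assumed defaults.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$Paths = @(
        "$env:ProgramFiles\Splunk",
        "$env:ProgramFiles\SplunkUniversalForwarder"
    ),
    [switch]$Remediate
)

# Principals that should never hold write-class rights on a service's install tree
# (assumed list; extend it with any site-specific broad groups).
$BroadPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Bitmask of rights that let a user alter, replace or delete files the service loads.
$WriteMask = 0
foreach ($name in 'WriteData', 'AppendData', 'WriteExtendedAttributes', 'WriteAttributes',
                  'Delete', 'DeleteSubdirectoriesAndFiles', 'ChangePermissions', 'TakeOwnership') {
    $WriteMask = $WriteMask -bor [int][System.Security.AccessControl.FileSystemRights]$name
}
# Inherit-only directory ACEs can carry raw generic bits (GENERIC_ALL, GENERIC_WRITE) instead
# of the named rights above, so include them in the mask.
$WriteMask = $WriteMask -bor 0x10000000 -bor 0x40000000

function Test-AceIsRisky {
    # True when an Allow entry grants a broad principal any write-class right.
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    if ($BroadPrincipals -notcontains $Ace.IdentityReference.Value) { return $false }
    return (([int]$Ace.FileSystemRights -band $WriteMask) -ne 0)
}

function Get-RiskyAce {
    # Returns one finding object per risky ACE on a single directory.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if (Test-AceIsRisky $ace) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

foreach ($root in $Paths) {
    if (-not (Test-Path -LiteralPath $root)) {
        Write-Verbose "Not installed, skipping: $root"
        continue
    }
    # Audit the install root plus every subdirectory (bin, etc, apps, ... all live here).
    $subdirs = @(Get-ChildItem -LiteralPath $root -Recurse -Directory -Force -ErrorAction SilentlyContinue |
                 ForEach-Object FullName)
    $targets = @($root) + $subdirs

    foreach ($dir in $targets) {
        $findings = @(Get-RiskyAce -Path $dir)
        foreach ($f in $findings) {
            $note = if ($f.Inherited) { ' (inherited: fix on the parent directory)' } else { '' }
            Write-Warning ("{0}: '{1}' has {2}{3}" -f $f.Path, $f.Identity, $f.Rights, $note)
            Write-Output $f   # objects are emitted so results can be piped to Export-Csv
        }

        if ($Remediate -and $findings.Count -gt 0) {
            # Only explicit (non-inherited) entries can be removed on this directory.
            $acl = Get-Acl -LiteralPath $dir
            $explicit = @($acl.Access | Where-Object { -not $_.IsInherited -and (Test-AceIsRisky $_) })
            if ($explicit.Count -gt 0 -and $PSCmdlet.ShouldProcess($dir, 'Remove broad write ACEs')) {
                foreach ($ace in $explicit) { [void]$acl.RemoveAccessRule($ace) }
                Set-Acl -LiteralPath $dir -AclObject $acl
            }
        }
    }
}
```

Typical usage is `.\Audit-SplunkAcl.ps1 -Verbose` for a read-only report, then `.\Audit-SplunkAcl.ps1 -Remediate -WhatIf` to see exactly which entries would be removed before running it without `-WhatIf`. Piping the output to `Export-Csv` gives a record for the configuration-integrity validation step, and re-running the audit after each Splunk upgrade catches the case the advisory warns about, where the installer re-applies the broad permissions.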

The Growing Threat to Core Security Infrastructure

As threat actors increasingly target logging pipelines, SIEM tools, and telemetry infrastructure to blind defenders and gain persistence, securing these foundational systems has become critical. 

Even subtle gaps in privilege boundaries can provide adversaries with the foothold they need to escalate access, evade detection, and move laterally through the network.

Vulnerabilities like these highlight why modern security strategies should embrace zero-trust from the ground up.
