    Splunk Universal Forwarder for Windows Flaw Grants Non-Admin Users Full Content Access

    By Declan Murphy, June 3, 2025

    A critical security advisory (SVD-2025-0602) has been issued for Splunk Universal Forwarder for Windows, addressing a high-severity vulnerability (CVE-2025-20298) that exposes Windows systems to potential privilege escalation.

    The flaw, rated 8.0 (High) on the CVSSv3.1 scale (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H), affects Universal Forwarder installations and upgrades below versions 9.4.2, 9.3.4, 9.2.6, and 9.1.9.

    The vulnerability arises from incorrect permission assignments in the Universal Forwarder installation directory, which by default is C:\Program Files\SplunkUniversalForwarder.

    Non-administrator users on the affected machine can access and potentially modify all directory contents, which could be exploited for local privilege escalation or to compromise sensitive log data.

    Permission Assignment and Exploitation Vector

    This issue is classified under CWE-732: Incorrect Permission Assignment for Critical Resource.

    During installation or upgrade, the Universal Forwarder sets overly permissive permissions, allowing users outside the Administrators group to access, modify, or replace files within the directory.

    This misconfiguration can lead to several risks, including:

    • Unauthorized modification of executable files or configurations
    • Replacement of service binaries, potentially leading to arbitrary code execution with elevated privileges
    • Exposure or tampering of sensitive log data

    The issue is strictly local; remote exploitation is not possible without valid credentials and access to the affected machine.

    No malware exploiting this vulnerability has been observed in the wild as of the latest update.

    Technical Example: Permission Audit

    Administrators can audit the directory permissions using the following command:

    icacls "C:\Program Files\SplunkUniversalForwarder"

    If permissions such as (F) (Full Control) or (M) (Modify) are granted to non-administrator groups (e.g., BUILTIN\Users or Everyone), the system is vulnerable.

    The following table summarizes affected and fixed versions:
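
    The same audit as a script, added here as an example and not taken from the Splunk advisory or the original article: it reads the directory ACL with Get-Acl and reports every Allow entry held by a principal other than SYSTEM or Administrators, marking the ones that carry write-class rights. The function name, the trusted-SID allow-list and the write-rights mask are assumptions of this example.

```powershell
# Added example (not from the Splunk advisory): list ACEs on the forwarder
# directory that grant access to anyone outside an allow-list of trusted SIDs.
function Get-ForwarderAclFinding {
    param(
        # Default install path named in the article; change if installed elsewhere.
        [string]$Path = 'C:\Program Files\SplunkUniversalForwarder',
        # Assumption: only SYSTEM and BUILTIN\Administrators are trusted.
        # Extend the list for other principals you accept on this host.
        [string[]]$TrustedSid = @('S-1-5-18', 'S-1-5-32-544')
    )

    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Rights that let a principal change or replace directory contents.
    $writeMask = [int]($fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
        $fsr::DeleteSubdirectoriesAndFiles -bor $fsr::ChangePermissions -bor
        $fsr::TakeOwnership)
    # GENERIC_ALL and GENERIC_WRITE, which inherit-only ACEs may carry unmapped.
    $genericMask = 0x10000000 -bor 0x40000000

    $acl = Get-Acl -LiteralPath $Path
    # Ask for SIDs rather than names so the allow-list check is locale-independent.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid = $rule.IdentityReference
        if ($TrustedSid -contains $sid.Value) { continue }

        # Resolve the SID to a name for the report; keep the SID if that fails.
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }

        $bits = [int]$rule.FileSystemRights
        [pscustomobject]@{
            Principal = $name
            Sid       = $sid.Value
            Rights    = $rule.FileSystemRights
            Writable  = [bool]($bits -band ($writeMask -bor $genericMask))
            Inherited = $rule.IsInherited
        }
    }
}

# Any row with Writable = True matches the (F)/(M) condition described above.
Get-ForwarderAclFinding | Format-Table -AutoSize
```

    The script checks only the ACL of the top-level directory, as the icacls command above does; inherited entries on files and subfolders follow from it.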

    | Product | Base Version | Affected Versions | Fixed Version |
    |---|---|---|---|
    | Splunk Universal Forwarder (Win) | 9.4 | Below 9.4.2 | 9.4.2 |
    | Splunk Universal Forwarder (Win) | 9.3 | Below 9.3.4 | 9.3.4 |
    | Splunk Universal Forwarder (Win) | 9.2 | Below 9.2.6 | 9.2.6 |
    | Splunk Universal Forwarder (Win) | 9.1 | Below 9.1.9 | 9.1.9 |

    Solution:
    Upgrade Universal Forwarder for Windows to the respective fixed version or higher as indicated above.

    Mitigation (if immediate upgrade is not possible):
    Administrators should manually remove excessive permissions from the installation directory.

    Run the following command as a system administrator:

    icacls.exe "<path to Universal Forwarder installation directory>" /remove:g *BU /C

    This command removes group permissions for BUILTIN\Users (*BU), restricting access to authorized administrators only.

    Apply this mitigation in the following scenarios:

    • Immediately after a new installation of an affected version
    • After upgrading to an affected version
    • After uninstalling and reinstalling an affected version

    Security Best Practices and Next Steps

    Splunk recommends always running the latest Universal Forwarder version and regularly auditing directory permissions after installation or upgrade.

    Administrators should ensure that only trusted accounts (e.g., SYSTEM, Administrators) have Full Control over the installation directory, and promptly apply vendor updates as they become available.

    Organizations unable to upgrade immediately should implement the provided mitigation to reduce exposure, monitor systems for unauthorized changes, and review user privileges regularly.

    References:

    • Advisory ID: SVD-2025-0602
    • CVE ID: CVE-2025-20298
    • CWE: CWE-732
    • Bug ID: VULN-27637

    For more details and ongoing updates, consult the official Splunk security advisory portal.
