CVE-2025-20325— Sensitive Information Disclosure in the SHCConfig logging channel in Clustered Deployments in Splunk Enterprise
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-20325
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Sensitive Information Disclosure in the SHCConfig logging channel in Clustered Deployments in Splunk Enterprise
Source: NVD (National Vulnerability Database)
Vulnerability Description
In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.103, 9.3.2408.113, and 9.2.2406.119, the software potentially exposes the search head cluster [splunk.secret](https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.4/install-splunk-enterprise-securely/deploy-secure-passwords-across-multiple-servers) key. This exposure could happen if you have a Search Head cluster and you configure the Splunk Enterprise `SHCConfig` log channel at the DEBUG logging level in the clustered deployment. <br><br>The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. <br><br>See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities), [Deploy a search head cluster](https://help.splunk.com/en/splunk-enterprise/administer/distributed-search/9.4/deploy-search-head-clustering/deploy-a-search-head-cluster), [Deploy secure passwords across multiple servers](https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.4/install-splunk-enterprise-securely/deploy-secure-passwords-across-multiple-servers) and [Set a security key for the search head cluster](https://help.splunk.com/splunk-enterprise/administer/distributed-search/9.4/configure-search-head-clustering/set-a-security-key-for-the-search-head-cluster#id_2c54937a_736c_47b5_9485_67e9e390acfa__Set_a_security_key_for_the_search_head_cluster) for more information.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
Splunk Cloud Platform和Splunk Enterprise 信息泄露漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Splunk Cloud Platform和Splunk Enterprise都是美国Splunk公司的产品。Splunk Cloud Platform是一个强大的数据收集、处理和分析服务。Splunk Enterprise是一套数据收集分析软件。 Splunk Enterprise 9.4.3、9.3.5、9.2.7和9.1.10之前版本和Splunk Cloud Platform 9.3.2411.103、9.3.2408.113和9.2.2406.119之前版本存在信息泄露漏洞,该漏洞源于可能暴露搜
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Splunk | Splunk Enterprise | 9.4 ~ 9.4.3 | - | |
| Splunk | Splunk Cloud Platform | 9.3.2411 ~ 9.3.2411.103 | - |
II. Public POCs for CVE-2025-20325
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-20325
请登录查看更多情报信息。
Same Patch Batch · Splunk · 2025-07-07 · 8 CVEs total
| CVE-2025-20319 | 6.8 MEDIUM | Remote Command Execution through Scripted Input Files in Splunk Enterprise |
| CVE-2025-20321 | 6.5 MEDIUM | Membership State Change in Splunk Search Head Cluster through a Cross-Site Request Forgery |
| CVE-2025-20320 | 6.3 MEDIUM | Denial of Service (DoS) through “User Interface - Views“ configuration page in Splunk Ente |
| CVE-2025-20324 | 5.4 MEDIUM | Improper Access Control in System Source Types Configuration in Splunk Enterprise |
| CVE-2025-20322 | 4.3 MEDIUM | Denial of Service (DoS) in Search Head Cluster through Cross-Site Request Forgery (CSRF) i |
| CVE-2025-20323 | 4.3 MEDIUM | Missing Access Control of Saved Searches in the Splunk Archiver app |
| CVE-2025-20300 | 4.3 MEDIUM | Improper Access Control Lets Low-Privilege Users Suppress Read-Only Alerts in Splunk Enter |
IV. Related Vulnerabilities
Same product: Splunk Enterprise
- CVE-2026-20203
Improper Access Control in Data Model Acceleration in Splunk - CVE-2026-20204
Improper Handling and Insufficient Isolation of Specific Tem - CVE-2026-20202
Improper Input Validation during User Account Creation in Sp - CVE-2026-20163
Remote Command Execution (RCE) through the '/splunkd/__uploa - CVE-2026-20162
Stored Cross-Site Scripting (XSS) through Path Traversal in
Same vendor: Splunk
- CVE-2026-20205
Sensitive Information Disclosure in ''_internal'' index in S - CVE-2026-20203
Improper Access Control in Data Model Acceleration in Splunk - CVE-2026-20204
Improper Handling and Insufficient Isolation of Specific Tem - CVE-2026-20202
Improper Input Validation during User Account Creation in Sp - CVE-2026-20163
Remote Command Execution (RCE) through the '/splunkd/__uploa
Same weakness: CWE-200
- CVE-2026-42333
quarkus-openapi-generator has overly broad path-parameter ma - CVE-2026-8198
Activity Logs, User Activity Tracking, Multisite Activity Lo - CVE-2026-42456
AnythingLLM: Cross-User TTS Audio Disclosure via Chat ID (ID - CVE-2026-41520
Cillium exposes sensitive information included in the cilium - CVE-2026-25199
Apache CloudStack: Proxmox Extension Allows Unauthorized Cro
V. Comments for CVE-2025-20325
No comments yet