Splunk Palo Alto Networks Add-on Credential Exposure Vulnerability (CVE-2025-20373)

Advisory ID: SVD-2025-1105 CVE ID: CVE-2025-20373 Published: 2025-11-26 Last Update: 2025-11-26 CVSSv3.1 Score: 2.7, Low CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N CWE: CWE-532 Bug ID: VULN-43964 Description In Splunk Add-on for Palo Alto Networks versions below 2.0.2, the add-on exposes client secrets in plain text in the "_internal" index during the addition of new "Data Security Accounts". Exploitation of this vulnerability would require either local access to the log files or administrative access to internal indexes, which by default is granted only to the admin role. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. For more information, see Define roles on the Splunk platform with capabilities in the Splunk documentation. Solution Upgrade Splunk Add-On for Palo Alto Networks to version 2.0.2, 3.0.0, or higher, and verify whether any credentials are exposed in plain text: 1. In Search and Reporting, search for 2. Immediately generate new and as needed, and revoke any that have been exposed due to this vulnerability. Product Status Mitigations and Workarounds None Detections None Severity Splunk rates this vulnerability as 2.7, Low, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N. If you do not use Splunk Add-On for Palo Alto Networks, there should be no impact, and the severity would be Informational. Acknowledgments Vignesh Subramanian, Splunk

Goal Reached Thanks to every supporter — we hit 100%!

Splunk Palo Alto Networks Add-on Credential Exposure Vulnerability (CVE-2025-20373)