{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3asplunksplunk9.3.0enterprise/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*","cpe:2.3:a:splunk:splunk:9.3.0:*:*:*:enterprise:*:*:*"],"_cs_cves":[{"cvss":8,"id":"CVE-2024-45731"},{"cvss":8.8,"id":"CVE-2024-45733"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Splunk Enterprise for Windows (versions \u003c 9.3.0)","Splunk Enterprise for Windows (versions \u003c 9.2.3)","Splunk Enterprise for Windows (versions \u003c 9.1.6)"],"_cs_severities":["high"],"_cs_tags":["application-vulnerability","rce","file-write","privilege-escalation","splunk","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis threat concerns two critical vulnerabilities, CVE-2024-45731 and CVE-2024-45733, identified in Splunk Enterprise for Windows. Specifically, versions prior to 9.3.0, 9.2.3, and 9.1.6 are affected. These flaws enable a low-privileged user, even without 'admin' or 'power' Splunk roles, to write arbitrary files to the Windows system root directory, typically \u003ccode\u003eC:\\Windows\\System32\u003c/code\u003e, especially when Splunk is installed on a drive separate from the system root. This arbitrary file write, combined with an insecure session storage configuration, creates a path for remote code execution. Attackers can leverage this to upload and execute malicious code, leading to full system compromise. Detection engineers should prioritize identifying attempts to access vulnerable Splunk API endpoints and monitoring for unusual application creation events by unprivileged users.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: An attacker gains or already possesses a low-privileged user account on a Splunk Enterprise for Windows instance, lacking 'admin' or 'power' capabilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploit Initiation\u003c/strong\u003e: The attacker sends a specially crafted HTTP POST request to the vulnerable Splunk API endpoint, \u003ccode\u003e/search/apps/local/_new\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary File Write (CVE-2024-45731)\u003c/strong\u003e: The successful request exploits CVE-2024-45731, allowing the attacker to write a malicious file (e.g., a DLL, executable, or script) to the Windows system root directory (\u003ccode\u003eC:\\Windows\\System32\u003c/code\u003e). This is particularly effective when Splunk is installed on a non-system drive.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Upload via Insecure Session Storage (CVE-2024-45733)\u003c/strong\u003e: The attacker leverages CVE-2024-45733's insecure session storage configuration to facilitate the upload and persistent storage of the malicious code.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Code Execution\u003c/strong\u003e: The malicious file previously written to \u003ccode\u003eC:\\Windows\\System32\u003c/code\u003e is subsequently executed, leading to remote code execution on the underlying Splunk server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSystem Compromise\u003c/strong\u003e: With RCE, the attacker gains elevated privileges and full control over the compromised Splunk server, enabling further actions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePost-Exploitation Activities\u003c/strong\u003e: The attacker can now perform actions such as data exfiltration from Splunk's internal data, deploy additional malware for persistence, establish lateral movement, or disrupt Splunk operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of these vulnerabilities leads to remote code execution on the affected Splunk Enterprise for Windows server. This grants the attacker full control over the compromised system, potentially with SYSTEM-level privileges if the Splunk service runs as such. Consequences include unauthorized access to sensitive data processed and stored by Splunk, complete compromise of the Splunk environment, and the ability to pivot to other systems within the network. This can result in significant data breaches, operational disruption, and the establishment of persistent backdoors, impacting the integrity and availability of critical security and operational data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch Immediately\u003c/strong\u003e: Apply patches for CVE-2024-45731 and CVE-2024-45733 by upgrading Splunk Enterprise for Windows to versions 9.3.0, 9.2.3, 9.1.6, or newer as per Splunk's advisories.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy Detection Rules\u003c/strong\u003e: Deploy the \u0026quot;Detect CVE-2024-45731/CVE-2024-45733 Exploitation Attempt - Splunk Vulnerable Endpoint Access\u0026quot; and \u0026quot;Detect CVE-2024-45731/CVE-2024-45733 Exploitation - Splunk Low-Privilege App Creation Error\u0026quot; Sigma rules to your SIEM.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor Splunk Internal Logs\u003c/strong\u003e: Ensure that \u003ccode\u003e_internal\u003c/code\u003e index logs, specifically \u003ccode\u003esplunkd_access\u003c/code\u003e and \u003ccode\u003esplunk_python\u003c/code\u003e sourcetypes, are being collected and monitored for suspicious activity.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInvestigate Detections\u003c/strong\u003e: Investigate any alerts generated by the provided Sigma rules for activities related to the \u003ccode\u003e*/search/apps/local/_new\u003c/code\u003e endpoint or privilege errors for low-privileged users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T13:38:10Z","date_published":"2026-07-03T13:38:10Z","id":"https://feed.craftedsignal.io/briefs/2026-07-splunk-rce-arbitrary-file-write/","summary":"A critical vulnerability (CVE-2024-45731, CVE-2024-45733) in Splunk Enterprise for Windows versions below 9.3.0, 9.2.3, and 9.1.6 allows low-privileged users to perform arbitrary file writes to the Windows system root directory (C:\\Windows\\System32) when Splunk is installed on a separate drive, enabling remote code execution through insecure session storage configuration.","title":"Splunk RCE Through Arbitrary File Write to Windows System Root","url":"https://feed.craftedsignal.io/briefs/2026-07-splunk-rce-arbitrary-file-write/"}],"language":"en","title":"CraftedSignal Threat Feed - Cpe:2.3:a:splunk:splunk:9.3.0:*:*:*:enterprise:*:*:*","version":"https://jsonfeed.org/version/1.1"}