{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3asplunksplunk_cloud_platform/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*","cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":8.8,"id":"CVE-2022-43571"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Splunk Enterprise (\u003c 8.2.9)","Splunk Enterprise (\u003c 8.1.12)","Splunk Enterprise (\u003c 9.0.2)","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["splunk","vulnerability","rce","code-injection","application-vulnerability"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis brief details CVE-2022-43571, a critical code injection vulnerability affecting Splunk Enterprise versions prior to 8.2.9, 8.1.12, and 9.0.2, as well as Splunk Cloud. An authenticated user can leverage this flaw by injecting arbitrary code into the dashboard PDF generation component, enabling remote code execution (RCE) on the underlying Splunk server. This vulnerability, initially identified in late 2022, can lead to complete compromise of the Splunk environment, unauthorized access, and arbitrary command execution. While the original detection logic for this vulnerability has been deprecated due to the affected versions reaching End of Life (EOL) and the detection's imperfect capture of malicious activity, the vulnerability itself remains a significant risk for any unpatched or unsupported Splunk instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: An authenticated attacker gains access to the Splunk Web User Interface (UI), potentially via compromised or stolen credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInteraction\u003c/strong\u003e: The attacker navigates to a Splunk dashboard or a saved search configured to allow PDF exports.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Input\u003c/strong\u003e: The attacker crafts a specific HTTP request targeting the PDF generation endpoint (e.g., \u003ccode\u003e/en-US/splunkd/__raw/services/pdfgen/render\u003c/code\u003e) and injects malicious code into a vulnerable input parameter, such as the \u003ccode\u003efile=export\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Injection\u003c/strong\u003e: The Splunk server's dashboard PDF generation component processes the attacker's input without adequate sanitization, resulting in the injection of the malicious code into the server-side process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Execution\u003c/strong\u003e: The injected code is executed on the underlying server with the privileges of the Splunk process, successfully achieving remote code execution (RCE).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSystem Compromise\u003c/strong\u003e: With RCE, the attacker gains full control over the Splunk host, enabling them to execute arbitrary commands, exfiltrate sensitive data, or establish further persistence within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2022-43571 allows an attacker to achieve remote code execution on the Splunk instance, leading to a complete compromise of the Splunk environment. This could result in unauthorized access to sensitive data indexed by Splunk, arbitrary command execution on the host server, and the ability to pivot to other systems within the compromised network. While the affected Splunk versions (8.1.12, 8.2.9, and 9.0.2) have reached End of Life (EOL) between 2023 and 2024, organizations still running these unsupported versions remain at severe risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2022-43571 immediately by upgrading Splunk Enterprise instances beyond versions 8.2.9, 8.1.12, and 9.0.2.\u003c/li\u003e\n\u003cli\u003eEnsure Splunk Cloud deployments are updated to the latest secure versions.\u003c/li\u003e\n\u003cli\u003eMonitor Splunk's \u003ccode\u003e_internal\u003c/code\u003e index for suspicious activity, specifically related to \u003ccode\u003euri_path=*/data/ui/views/*\u003c/code\u003e or \u003ccode\u003euri_path=*saved/searches/*\u003c/code\u003e combined with unusual parameters or error codes (e.g., \u003ccode\u003estatus\u003c/code\u003e codes in the 4xx or 5xx range) as indicated in the original analytic logic.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T13:42:50Z","date_published":"2026-07-03T13:42:50Z","id":"https://feed.craftedsignal.io/briefs/2026-07-splunk-rce-cve-2022-43571/","summary":"An authenticated user can exploit CVE-2022-43571, a code injection vulnerability within Splunk Enterprise or Splunk Cloud's dashboard PDF generation component, leading to remote code execution (RCE) and potential compromise of the Splunk environment.","title":"Splunk Code Injection via Custom Dashboard Leading to RCE (CVE-2022-43571)","url":"https://feed.craftedsignal.io/briefs/2026-07-splunk-rce-cve-2022-43571/"},{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*","cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":5.4,"id":"CVE-2024-36992"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Splunk Enterprise","Splunk Cloud","Splunk Enterprise Security"],"_cs_severities":["high"],"_cs_tags":["xss","privilege-escalation","splunk","cve","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eA critical cross-site scripting (XSS) vulnerability, identified as CVE-2024-36992, affects Splunk Enterprise and Splunk Cloud Platform. This flaw allows attackers to achieve privilege escalation by exploiting custom URLs within Splunk dashboards. Malicious POST requests targeting the \u003ccode\u003esplunk_internal_metrics/data/ui/views\u003c/code\u003e endpoint can inject and execute arbitrary JavaScript. Upon execution, typically when a privileged user views the compromised dashboard, the XSS payload facilitates the creation of new user accounts with elevated access permissions on the Splunk server. This vulnerability presents a significant risk, enabling unauthorized administrative control and potential data exfiltration or manipulation within the Splunk environment. Defenders should prioritize patching and monitoring for the specific POST requests and subsequent user creation events.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access / Vulnerability Exploitation (T1189):\u003c/strong\u003e An attacker, potentially with low-privileged access, injects malicious JavaScript into a custom URL field within a Splunk dashboard, exploiting the CVE-2024-36992 XSS vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Delivery (T1059.004):\u003c/strong\u003e The crafted XSS payload is delivered via a POST request to the internal Splunk endpoint \u003ccode\u003e/splunk_internal_metrics/data/ui/views\u003c/code\u003e, embedding the malicious script within the dashboard configuration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTriggering (T1203):\u003c/strong\u003e A privileged Splunk user (e.g., an administrator) accesses or views the compromised dashboard containing the malicious custom URL.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eClient-Side Execution (T1059.004):\u003c/strong\u003e The embedded JavaScript executes in the context of the privileged user's browser, leveraging their authenticated session within the Splunk interface.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation Action (T1068 / T1098):\u003c/strong\u003e The executed script issues commands to the Splunk API, such as \u003ccode\u003eaudittrail\u003c/code\u003e actions, to create a new user account with administrative or other high-level privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence / Unauthorized Account Creation (T1136.001):\u003c/strong\u003e A new user account with elevated permissions is successfully created on the Splunk server, granting the attacker persistent access and control.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePost-Exploitation (TA0011):\u003c/strong\u003e The attacker utilizes the newly created privileged account to perform further malicious activities, including data exfiltration, system configuration changes, or deployment of additional implants.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2024-36992 leads directly to privilege escalation within the Splunk environment. This enables unauthorized attackers to create new user accounts with administrative or other high-level privileges, effectively gaining full control over the Splunk instance. Such compromise can result in sensitive data exfiltration, manipulation of critical log data, disruption of Splunk services, or the use of the Splunk server as a pivot point for further attacks against integrated systems. While the number of victims is not specified, all organizations utilizing affected versions of Splunk Enterprise and Splunk Cloud Platform are at risk of severe data integrity and confidentiality breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2024-36992 immediately by applying the latest security updates provided by Splunk, available through the official advisory at \u003ccode\u003ehttps://advisory.splunk.com/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026quot;Detect POST Requests to Splunk UI View Endpoint (CVE-2024-36992)\u0026quot; to identify suspicious activity targeting the \u003ccode\u003esplunk_internal_metrics/data/ui/views\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026quot;Detect High-Privilege Splunk User Creation (CVE-2024-36992 Context)\u0026quot; to monitor for unauthorized administrative user account creation.\u003c/li\u003e\n\u003cli\u003eEnsure full logging is enabled for Splunk's internal indexes, specifically \u003ccode\u003e_audit\u003c/code\u003e and \u003ccode\u003e_internal\u003c/code\u003e, as these are critical log sources for detecting this threat.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T13:41:47Z","date_published":"2026-07-03T13:41:47Z","id":"https://feed.craftedsignal.io/briefs/2026-07-splunk-xss-privesc/","summary":"A critical cross-site scripting (XSS) vulnerability, identified as CVE-2024-36992, affects Splunk Enterprise and Splunk Cloud Platform, allowing attackers to achieve privilege escalation by exploiting custom URLs within Splunk dashboards via malicious POST requests to the `splunk_internal_metrics/data/ui/views` endpoint, leading to the creation of new user accounts with elevated access permissions on the Splunk server.","title":"Splunk XSS Privilege Escalation via Custom URLs in Dashboard (CVE-2024-36992)","url":"https://feed.craftedsignal.io/briefs/2026-07-splunk-xss-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed - Cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}