<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:* - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/cpes/cpe2.3asplunksplunk_cloud_platform/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 13:42:50 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/cpes/cpe2.3asplunksplunk_cloud_platform/feed.xml" rel="self" type="application/rss+xml"/><item><title>Splunk Code Injection via Custom Dashboard Leading to RCE (CVE-2022-43571)</title><link>https://feed.craftedsignal.io/briefs/2026-07-splunk-rce-cve-2022-43571/</link><pubDate>Fri, 03 Jul 2026 13:42:50 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-splunk-rce-cve-2022-43571/</guid><description>An authenticated user can exploit CVE-2022-43571, a code injection vulnerability within Splunk Enterprise or Splunk Cloud's dashboard PDF generation component, leading to remote code execution (RCE) and potential compromise of the Splunk environment.</description><content:encoded><![CDATA[<p>This brief details CVE-2022-43571, a critical code injection vulnerability affecting Splunk Enterprise versions prior to 8.2.9, 8.1.12, and 9.0.2, as well as Splunk Cloud. An authenticated user can leverage this flaw by injecting arbitrary code into the dashboard PDF generation component, enabling remote code execution (RCE) on the underlying Splunk server. This vulnerability, initially identified in late 2022, can lead to complete compromise of the Splunk environment, unauthorized access, and arbitrary command execution. While the original detection logic for this vulnerability has been deprecated due to the affected versions reaching End of Life (EOL) and the detection's imperfect capture of malicious activity, the vulnerability itself remains a significant risk for any unpatched or unsupported Splunk instances.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access</strong>: An authenticated attacker gains access to the Splunk Web User Interface (UI), potentially via compromised or stolen credentials.</li>
<li><strong>Interaction</strong>: The attacker navigates to a Splunk dashboard or a saved search configured to allow PDF exports.</li>
<li><strong>Malicious Input</strong>: The attacker crafts a specific HTTP request targeting the PDF generation endpoint (e.g., <code>/en-US/splunkd/__raw/services/pdfgen/render</code>) and injects malicious code into a vulnerable input parameter, such as the <code>file=export</code> parameter.</li>
<li><strong>Code Injection</strong>: The Splunk server's dashboard PDF generation component processes the attacker's input without adequate sanitization, resulting in the injection of the malicious code into the server-side process.</li>
<li><strong>Remote Execution</strong>: The injected code is executed on the underlying server with the privileges of the Splunk process, successfully achieving remote code execution (RCE).</li>
<li><strong>System Compromise</strong>: With RCE, the attacker gains full control over the Splunk host, enabling them to execute arbitrary commands, exfiltrate sensitive data, or establish further persistence within the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2022-43571 allows an attacker to achieve remote code execution on the Splunk instance, leading to a complete compromise of the Splunk environment. This could result in unauthorized access to sensitive data indexed by Splunk, arbitrary command execution on the host server, and the ability to pivot to other systems within the compromised network. While the affected Splunk versions (8.1.12, 8.2.9, and 9.0.2) have reached End of Life (EOL) between 2023 and 2024, organizations still running these unsupported versions remain at severe risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2022-43571 immediately by upgrading Splunk Enterprise instances beyond versions 8.2.9, 8.1.12, and 9.0.2.</li>
<li>Ensure Splunk Cloud deployments are updated to the latest secure versions.</li>
<li>Monitor Splunk's <code>_internal</code> index for suspicious activity, specifically related to <code>uri_path=*/data/ui/views/*</code> or <code>uri_path=*saved/searches/*</code> combined with unusual parameters or error codes (e.g., <code>status</code> codes in the 4xx or 5xx range) as indicated in the original analytic logic.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>splunk</category><category>vulnerability</category><category>rce</category><category>code-injection</category><category>application-vulnerability</category></item><item><title>Splunk XSS Privilege Escalation via Custom URLs in Dashboard (CVE-2024-36992)</title><link>https://feed.craftedsignal.io/briefs/2026-07-splunk-xss-privesc/</link><pubDate>Fri, 03 Jul 2026 13:41:47 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-splunk-xss-privesc/</guid><description>A critical cross-site scripting (XSS) vulnerability, identified as CVE-2024-36992, affects Splunk Enterprise and Splunk Cloud Platform, allowing attackers to achieve privilege escalation by exploiting custom URLs within Splunk dashboards via malicious POST requests to the `splunk_internal_metrics/data/ui/views` endpoint, leading to the creation of new user accounts with elevated access permissions on the Splunk server.</description><content:encoded><![CDATA[<p>A critical cross-site scripting (XSS) vulnerability, identified as CVE-2024-36992, affects Splunk Enterprise and Splunk Cloud Platform. This flaw allows attackers to achieve privilege escalation by exploiting custom URLs within Splunk dashboards. Malicious POST requests targeting the <code>splunk_internal_metrics/data/ui/views</code> endpoint can inject and execute arbitrary JavaScript. Upon execution, typically when a privileged user views the compromised dashboard, the XSS payload facilitates the creation of new user accounts with elevated access permissions on the Splunk server. This vulnerability presents a significant risk, enabling unauthorized administrative control and potential data exfiltration or manipulation within the Splunk environment. Defenders should prioritize patching and monitoring for the specific POST requests and subsequent user creation events.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access / Vulnerability Exploitation (T1189):</strong> An attacker, potentially with low-privileged access, injects malicious JavaScript into a custom URL field within a Splunk dashboard, exploiting the CVE-2024-36992 XSS vulnerability.</li>
<li><strong>Payload Delivery (T1059.004):</strong> The crafted XSS payload is delivered via a POST request to the internal Splunk endpoint <code>/splunk_internal_metrics/data/ui/views</code>, embedding the malicious script within the dashboard configuration.</li>
<li><strong>Triggering (T1203):</strong> A privileged Splunk user (e.g., an administrator) accesses or views the compromised dashboard containing the malicious custom URL.</li>
<li><strong>Client-Side Execution (T1059.004):</strong> The embedded JavaScript executes in the context of the privileged user's browser, leveraging their authenticated session within the Splunk interface.</li>
<li><strong>Privilege Escalation Action (T1068 / T1098):</strong> The executed script issues commands to the Splunk API, such as <code>audittrail</code> actions, to create a new user account with administrative or other high-level privileges.</li>
<li><strong>Persistence / Unauthorized Account Creation (T1136.001):</strong> A new user account with elevated permissions is successfully created on the Splunk server, granting the attacker persistent access and control.</li>
<li><strong>Post-Exploitation (TA0011):</strong> The attacker utilizes the newly created privileged account to perform further malicious activities, including data exfiltration, system configuration changes, or deployment of additional implants.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2024-36992 leads directly to privilege escalation within the Splunk environment. This enables unauthorized attackers to create new user accounts with administrative or other high-level privileges, effectively gaining full control over the Splunk instance. Such compromise can result in sensitive data exfiltration, manipulation of critical log data, disruption of Splunk services, or the use of the Splunk server as a pivot point for further attacks against integrated systems. While the number of victims is not specified, all organizations utilizing affected versions of Splunk Enterprise and Splunk Cloud Platform are at risk of severe data integrity and confidentiality breaches.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2024-36992 immediately by applying the latest security updates provided by Splunk, available through the official advisory at <code>https://advisory.splunk.com/</code>.</li>
<li>Deploy the provided Sigma rule &quot;Detect POST Requests to Splunk UI View Endpoint (CVE-2024-36992)&quot; to identify suspicious activity targeting the <code>splunk_internal_metrics/data/ui/views</code> endpoint.</li>
<li>Deploy the provided Sigma rule &quot;Detect High-Privilege Splunk User Creation (CVE-2024-36992 Context)&quot; to monitor for unauthorized administrative user account creation.</li>
<li>Ensure full logging is enabled for Splunk's internal indexes, specifically <code>_audit</code> and <code>_internal</code>, as these are critical log sources for detecting this threat.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>xss</category><category>privilege-escalation</category><category>splunk</category><category>cve</category><category>vulnerability</category></item></channel></rss>