{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3asplunksplunkenterprise/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*","cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":8.8,"id":"CVE-2022-43571"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Splunk Enterprise (\u003c 8.2.9)","Splunk Enterprise (\u003c 8.1.12)","Splunk Enterprise (\u003c 9.0.2)","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["splunk","vulnerability","rce","code-injection","application-vulnerability"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis brief details CVE-2022-43571, a critical code injection vulnerability affecting Splunk Enterprise versions prior to 8.2.9, 8.1.12, and 9.0.2, as well as Splunk Cloud. An authenticated user can leverage this flaw by injecting arbitrary code into the dashboard PDF generation component, enabling remote code execution (RCE) on the underlying Splunk server. This vulnerability, initially identified in late 2022, can lead to complete compromise of the Splunk environment, unauthorized access, and arbitrary command execution. While the original detection logic for this vulnerability has been deprecated due to the affected versions reaching End of Life (EOL) and the detection's imperfect capture of malicious activity, the vulnerability itself remains a significant risk for any unpatched or unsupported Splunk instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: An authenticated attacker gains access to the Splunk Web User Interface (UI), potentially via compromised or stolen credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInteraction\u003c/strong\u003e: The attacker navigates to a Splunk dashboard or a saved search configured to allow PDF exports.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Input\u003c/strong\u003e: The attacker crafts a specific HTTP request targeting the PDF generation endpoint (e.g., \u003ccode\u003e/en-US/splunkd/__raw/services/pdfgen/render\u003c/code\u003e) and injects malicious code into a vulnerable input parameter, such as the \u003ccode\u003efile=export\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Injection\u003c/strong\u003e: The Splunk server's dashboard PDF generation component processes the attacker's input without adequate sanitization, resulting in the injection of the malicious code into the server-side process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Execution\u003c/strong\u003e: The injected code is executed on the underlying server with the privileges of the Splunk process, successfully achieving remote code execution (RCE).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSystem Compromise\u003c/strong\u003e: With RCE, the attacker gains full control over the Splunk host, enabling them to execute arbitrary commands, exfiltrate sensitive data, or establish further persistence within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2022-43571 allows an attacker to achieve remote code execution on the Splunk instance, leading to a complete compromise of the Splunk environment. This could result in unauthorized access to sensitive data indexed by Splunk, arbitrary command execution on the host server, and the ability to pivot to other systems within the compromised network. While the affected Splunk versions (8.1.12, 8.2.9, and 9.0.2) have reached End of Life (EOL) between 2023 and 2024, organizations still running these unsupported versions remain at severe risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2022-43571 immediately by upgrading Splunk Enterprise instances beyond versions 8.2.9, 8.1.12, and 9.0.2.\u003c/li\u003e\n\u003cli\u003eEnsure Splunk Cloud deployments are updated to the latest secure versions.\u003c/li\u003e\n\u003cli\u003eMonitor Splunk's \u003ccode\u003e_internal\u003c/code\u003e index for suspicious activity, specifically related to \u003ccode\u003euri_path=*/data/ui/views/*\u003c/code\u003e or \u003ccode\u003euri_path=*saved/searches/*\u003c/code\u003e combined with unusual parameters or error codes (e.g., \u003ccode\u003estatus\u003c/code\u003e codes in the 4xx or 5xx range) as indicated in the original analytic logic.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T13:42:50Z","date_published":"2026-07-03T13:42:50Z","id":"https://feed.craftedsignal.io/briefs/2026-07-splunk-rce-cve-2022-43571/","summary":"An authenticated user can exploit CVE-2022-43571, a code injection vulnerability within Splunk Enterprise or Splunk Cloud's dashboard PDF generation component, leading to remote code execution (RCE) and potential compromise of the Splunk environment.","title":"Splunk Code Injection via Custom Dashboard Leading to RCE (CVE-2022-43571)","url":"https://feed.craftedsignal.io/briefs/2026-07-splunk-rce-cve-2022-43571/"},{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*","cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":5.4,"id":"CVE-2024-36992"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Splunk Enterprise","Splunk Cloud","Splunk Enterprise Security"],"_cs_severities":["high"],"_cs_tags":["xss","privilege-escalation","splunk","cve","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eA critical cross-site scripting (XSS) vulnerability, identified as CVE-2024-36992, affects Splunk Enterprise and Splunk Cloud Platform. This flaw allows attackers to achieve privilege escalation by exploiting custom URLs within Splunk dashboards. Malicious POST requests targeting the \u003ccode\u003esplunk_internal_metrics/data/ui/views\u003c/code\u003e endpoint can inject and execute arbitrary JavaScript. Upon execution, typically when a privileged user views the compromised dashboard, the XSS payload facilitates the creation of new user accounts with elevated access permissions on the Splunk server. This vulnerability presents a significant risk, enabling unauthorized administrative control and potential data exfiltration or manipulation within the Splunk environment. Defenders should prioritize patching and monitoring for the specific POST requests and subsequent user creation events.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access / Vulnerability Exploitation (T1189):\u003c/strong\u003e An attacker, potentially with low-privileged access, injects malicious JavaScript into a custom URL field within a Splunk dashboard, exploiting the CVE-2024-36992 XSS vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Delivery (T1059.004):\u003c/strong\u003e The crafted XSS payload is delivered via a POST request to the internal Splunk endpoint \u003ccode\u003e/splunk_internal_metrics/data/ui/views\u003c/code\u003e, embedding the malicious script within the dashboard configuration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTriggering (T1203):\u003c/strong\u003e A privileged Splunk user (e.g., an administrator) accesses or views the compromised dashboard containing the malicious custom URL.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eClient-Side Execution (T1059.004):\u003c/strong\u003e The embedded JavaScript executes in the context of the privileged user's browser, leveraging their authenticated session within the Splunk interface.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation Action (T1068 / T1098):\u003c/strong\u003e The executed script issues commands to the Splunk API, such as \u003ccode\u003eaudittrail\u003c/code\u003e actions, to create a new user account with administrative or other high-level privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence / Unauthorized Account Creation (T1136.001):\u003c/strong\u003e A new user account with elevated permissions is successfully created on the Splunk server, granting the attacker persistent access and control.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePost-Exploitation (TA0011):\u003c/strong\u003e The attacker utilizes the newly created privileged account to perform further malicious activities, including data exfiltration, system configuration changes, or deployment of additional implants.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2024-36992 leads directly to privilege escalation within the Splunk environment. This enables unauthorized attackers to create new user accounts with administrative or other high-level privileges, effectively gaining full control over the Splunk instance. Such compromise can result in sensitive data exfiltration, manipulation of critical log data, disruption of Splunk services, or the use of the Splunk server as a pivot point for further attacks against integrated systems. While the number of victims is not specified, all organizations utilizing affected versions of Splunk Enterprise and Splunk Cloud Platform are at risk of severe data integrity and confidentiality breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2024-36992 immediately by applying the latest security updates provided by Splunk, available through the official advisory at \u003ccode\u003ehttps://advisory.splunk.com/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026quot;Detect POST Requests to Splunk UI View Endpoint (CVE-2024-36992)\u0026quot; to identify suspicious activity targeting the \u003ccode\u003esplunk_internal_metrics/data/ui/views\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026quot;Detect High-Privilege Splunk User Creation (CVE-2024-36992 Context)\u0026quot; to monitor for unauthorized administrative user account creation.\u003c/li\u003e\n\u003cli\u003eEnsure full logging is enabled for Splunk's internal indexes, specifically \u003ccode\u003e_audit\u003c/code\u003e and \u003ccode\u003e_internal\u003c/code\u003e, as these are critical log sources for detecting this threat.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T13:41:47Z","date_published":"2026-07-03T13:41:47Z","id":"https://feed.craftedsignal.io/briefs/2026-07-splunk-xss-privesc/","summary":"A critical cross-site scripting (XSS) vulnerability, identified as CVE-2024-36992, affects Splunk Enterprise and Splunk Cloud Platform, allowing attackers to achieve privilege escalation by exploiting custom URLs within Splunk dashboards via malicious POST requests to the `splunk_internal_metrics/data/ui/views` endpoint, leading to the creation of new user accounts with elevated access permissions on the Splunk server.","title":"Splunk XSS Privilege Escalation via Custom URLs in Dashboard (CVE-2024-36992)","url":"https://feed.craftedsignal.io/briefs/2026-07-splunk-xss-privesc/"},{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*"],"_cs_cves":[{"cvss":5.3,"id":"CVE-2021-33845"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["user-enumeration","splunk","authentication","application"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis brief describes detection logic aimed at identifying attempts to enumerate valid usernames within Splunk Enterprise or Splunk Cloud environments. Threat actors initiate numerous failed authentication attempts from a single source IP address against a Splunk instance's login interface. By observing the responses (e.g., specific error messages or timing differences), attackers can discern which usernames are valid, even if the password is incorrect. This activity is a critical precursor to more advanced attacks such as password spraying or brute-force credential attacks, as outlined in the linked Splunk security content. While the detection specifically targets user enumeration, it can also help identify broader credential-based attack campaigns. The behavior is observable within Splunk's internal \u003ccode\u003e_audit\u003c/code\u003e index, which records authentication events. A related security advisory for Splunk's login page, CVE-2021-33845, pertains to a Cross-site Scripting vulnerability, though this brief's detection focuses on enumeration behavior rather than direct exploitation of that specific CVE.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance \u0026amp; Target Identification\u003c/strong\u003e: Attacker identifies a publicly accessible Splunk instance via open-source intelligence or scanning.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Enumeration Attempt\u003c/strong\u003e: Attacker initiates multiple authentication attempts using common or guessed usernames (e.g., \u003ccode\u003eadmin\u003c/code\u003e, \u003ccode\u003esplunkadmin\u003c/code\u003e, \u003ccode\u003euser1\u003c/code\u003e) combined with incorrect passwords.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFailed Authentication Logging\u003c/strong\u003e: The Splunk instance processes these login attempts and logs failures (action=login, status=failure) in its internal \u003ccode\u003e_audit\u003c/code\u003e index.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eResponse Analysis\u003c/strong\u003e: Attacker analyzes the HTTP responses or error messages from the Splunk login interface, or relies on the sheer volume of failed attempts, to distinguish between invalid usernames and valid usernames with incorrect passwords.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUsername List Generation\u003c/strong\u003e: A list of confirmed valid Splunk usernames is compiled based on the enumeration results.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential-Based Attack Preparation\u003c/strong\u003e: The attacker uses the gathered valid usernames for subsequent credential-based attacks such as password spraying or brute-forcing.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access Attempt\u003c/strong\u003e: Attacker attempts to log into the Splunk instance using the valid usernames and compromised or guessed passwords.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized Access \u0026amp; Impact\u003c/strong\u003e: Successful login grants unauthorized access to the Splunk environment, potentially leading to sensitive data exfiltration, dashboard manipulation, or further compromise of integrated systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful user enumeration provides threat actors with a critical piece of information—valid usernames—that significantly streamlines subsequent credential-based attacks. If these attacks succeed, they can lead to unauthorized access to the Splunk environment. This unauthorized access can result in the exposure, modification, or deletion of sensitive enterprise data, compromise of security monitoring capabilities, and serve as a pivot point for lateral movement into other systems. The integrity and confidentiality of data managed or monitored by Splunk instances are at severe risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview the \u003ccode\u003e_audit\u003c/code\u003e index for \u003ccode\u003eaction=login\u003c/code\u003e events with \u003ccode\u003estatus=failure\u003c/code\u003e that show a high count from a single \u003ccode\u003esrc\u003c/code\u003e IP address targeting different \u003ccode\u003euser\u003c/code\u003e accounts, indicating potential user enumeration attempts.\u003c/li\u003e\n\u003cli\u003eImplement strong account lockout policies within Splunk to deter brute-force and password spraying attacks that leverage enumerated usernames.\u003c/li\u003e\n\u003cli\u003eEnsure multi-factor authentication (MFA) is enforced for all Splunk user accounts, especially those with administrative privileges.\u003c/li\u003e\n\u003cli\u003eMonitor for high volumes of failed login attempts against your Splunk infrastructure and investigate their source and targeted accounts.\u003c/li\u003e\n\u003cli\u003eRegularly rotate credentials for Splunk accounts and enforce complex password requirements.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T13:40:29Z","date_published":"2026-07-03T13:40:29Z","id":"https://feed.craftedsignal.io/briefs/2026-07-splunk-user-enumeration/","summary":"An attacker is attempting to enumerate valid Splunk usernames by repeatedly submitting failed authentication attempts from a single source, as detected by monitoring the `_audit` index for multiple login failures, which is a precursor to credential-based attacks like password spraying or brute force, potentially leading to unauthorized access and sensitive data exposure.","title":"Splunk User Enumeration Attempt Detection","url":"https://feed.craftedsignal.io/briefs/2026-07-splunk-user-enumeration/"},{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:splunk:cloud:*:*:*:*:*:*:*:*","cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*"],"_cs_cves":[{"cvss":8,"id":"CVE-2023-46214"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Splunk Enterprise \u003c 9.0.7","Splunk Enterprise \u003c 9.1.2","Splunk Cloud Platform \u003c 9.0.2308","Splunk Cloud Platform \u003c 9.1.2308"],"_cs_severities":["critical"],"_cs_tags":["application","rce","splunk","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eAttackers are targeting Splunk Enterprise and Splunk Cloud Platform instances by exploiting CVE-2023-46214, an issue related to the improper handling of user-supplied Extensible Stylesheet Language Transformations (XSLT). This vulnerability, affecting Splunk Enterprise versions prior to 9.0.7 and 9.1.2, and Splunk Cloud Platform versions prior to 9.0.2308 and 9.1.2308, allows an authenticated user to achieve remote code execution on the underlying Splunk server. The attack typically involves crafting a malicious XSLT payload and submitting it through an interface that processes user-controlled XSLT. Successful exploitation can grant threat actors full control over the Splunk instance, enabling unauthorized data access, system modification, and further lateral movement within the compromised network. Defenders should prioritize patching and monitoring for indicators of attempted exploitation in their \u003ccode\u003esplunkd_ui\u003c/code\u003e logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access / Account Compromise\u003c/strong\u003e: An attacker gains access to a valid Splunk user account or identifies a publicly accessible endpoint that processes user-supplied XSLT without proper sanitization.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious XSLT Crafting\u003c/strong\u003e: The attacker develops a specialized XSLT file containing malicious code designed to exploit CVE-2023-46214, targeting the Splunk server's underlying operating system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eXSLT Submission\u003c/strong\u003e: The malicious XSLT payload is submitted to the vulnerable Splunk instance, typically through an API endpoint or UI feature that accepts XSLT definitions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Trigger\u003c/strong\u003e: The Splunk instance attempts to process the user-supplied XSLT, which triggers the remote code execution vulnerability (CVE-2023-46214).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Execution\u003c/strong\u003e: The malicious XSLT causes the Splunk server to execute arbitrary commands under the privileges of the Splunk daemon.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePost-Exploitation Actions\u003c/strong\u003e: The attacker runs commands on the Splunk server, such as creating new user accounts, deploying backdoors, or executing reconnaissance tools.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: The attacker proceeds with objectives such as data exfiltration from Splunk indexes, system compromise, or using the Splunk server as a pivot point for lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2023-46214 leads to critical consequences for affected organizations. Attackers can achieve full system compromise of the Splunk server, gaining complete control over the application and the underlying host. This allows for unauthorized access to sensitive data stored within Splunk indexes, potentially exfiltrating proprietary information, customer data, or security logs. Furthermore, the compromised Splunk instance can be used as a beachhead for lateral movement across the network, enabling broader attacks and impacting multiple systems. The number of potential victims is significant, as Splunk is widely deployed across various sectors for security and operational intelligence.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch all Splunk Enterprise instances to versions 9.0.7 or later, or 9.1.2 or later, and Splunk Cloud Platform instances to versions 9.0.2308 or later, or 9.1.2308 or later to remediate CVE-2023-46214.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect potential exploitation attempts against Splunk instances.\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003esplunkd_ui\u003c/code\u003e logs for URIs containing \u003ccode\u003eNO_BINARY_CHECK=1\u003c/code\u003e, \u003ccode\u003einput.path=*.xsl\u003c/code\u003e, or \u003ccode\u003edispatch*.xsl\u003c/code\u003e which could indicate ongoing or attempted exploitation of CVE-2023-46214.\u003c/li\u003e\n\u003cli\u003eInvestigate any detections of the provided Sigma rule, paying close attention to the \u003ccode\u003eclientip\u003c/code\u003e, \u003ccode\u003euseragent\u003c/code\u003e, and \u003ccode\u003estatus\u003c/code\u003e fields to determine the nature and source of the activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T13:39:13Z","date_published":"2026-07-03T13:39:13Z","id":"https://feed.craftedsignal.io/briefs/2026-07-splunk-rce-xslt/","summary":"This brief identifies potential remote code execution (RCE) attempts targeting Splunk servers by exploiting CVE-2023-46214, a vulnerability related to user-supplied Extensible Stylesheet Language Transformations (XSLT) that allows attackers to execute arbitrary code leading to full system compromise.","title":"Splunk RCE via User XSLT Exploitation (CVE-2023-46214)","url":"https://feed.craftedsignal.io/briefs/2026-07-splunk-rce-xslt/"},{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*","cpe:2.3:a:splunk:splunk:9.3.0:*:*:*:enterprise:*:*:*"],"_cs_cves":[{"cvss":8,"id":"CVE-2024-45731"},{"cvss":8.8,"id":"CVE-2024-45733"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Splunk Enterprise for Windows (versions \u003c 9.3.0)","Splunk Enterprise for Windows (versions \u003c 9.2.3)","Splunk Enterprise for Windows (versions \u003c 9.1.6)"],"_cs_severities":["high"],"_cs_tags":["application-vulnerability","rce","file-write","privilege-escalation","splunk","windows"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis threat concerns two critical vulnerabilities, CVE-2024-45731 and CVE-2024-45733, identified in Splunk Enterprise for Windows. Specifically, versions prior to 9.3.0, 9.2.3, and 9.1.6 are affected. These flaws enable a low-privileged user, even without 'admin' or 'power' Splunk roles, to write arbitrary files to the Windows system root directory, typically \u003ccode\u003eC:\\Windows\\System32\u003c/code\u003e, especially when Splunk is installed on a drive separate from the system root. This arbitrary file write, combined with an insecure session storage configuration, creates a path for remote code execution. Attackers can leverage this to upload and execute malicious code, leading to full system compromise. Detection engineers should prioritize identifying attempts to access vulnerable Splunk API endpoints and monitoring for unusual application creation events by unprivileged users.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: An attacker gains or already possesses a low-privileged user account on a Splunk Enterprise for Windows instance, lacking 'admin' or 'power' capabilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploit Initiation\u003c/strong\u003e: The attacker sends a specially crafted HTTP POST request to the vulnerable Splunk API endpoint, \u003ccode\u003e/search/apps/local/_new\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary File Write (CVE-2024-45731)\u003c/strong\u003e: The successful request exploits CVE-2024-45731, allowing the attacker to write a malicious file (e.g., a DLL, executable, or script) to the Windows system root directory (\u003ccode\u003eC:\\Windows\\System32\u003c/code\u003e). This is particularly effective when Splunk is installed on a non-system drive.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Upload via Insecure Session Storage (CVE-2024-45733)\u003c/strong\u003e: The attacker leverages CVE-2024-45733's insecure session storage configuration to facilitate the upload and persistent storage of the malicious code.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Code Execution\u003c/strong\u003e: The malicious file previously written to \u003ccode\u003eC:\\Windows\\System32\u003c/code\u003e is subsequently executed, leading to remote code execution on the underlying Splunk server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSystem Compromise\u003c/strong\u003e: With RCE, the attacker gains elevated privileges and full control over the compromised Splunk server, enabling further actions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePost-Exploitation Activities\u003c/strong\u003e: The attacker can now perform actions such as data exfiltration from Splunk's internal data, deploy additional malware for persistence, establish lateral movement, or disrupt Splunk operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of these vulnerabilities leads to remote code execution on the affected Splunk Enterprise for Windows server. This grants the attacker full control over the compromised system, potentially with SYSTEM-level privileges if the Splunk service runs as such. Consequences include unauthorized access to sensitive data processed and stored by Splunk, complete compromise of the Splunk environment, and the ability to pivot to other systems within the network. This can result in significant data breaches, operational disruption, and the establishment of persistent backdoors, impacting the integrity and availability of critical security and operational data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch Immediately\u003c/strong\u003e: Apply patches for CVE-2024-45731 and CVE-2024-45733 by upgrading Splunk Enterprise for Windows to versions 9.3.0, 9.2.3, 9.1.6, or newer as per Splunk's advisories.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy Detection Rules\u003c/strong\u003e: Deploy the \u0026quot;Detect CVE-2024-45731/CVE-2024-45733 Exploitation Attempt - Splunk Vulnerable Endpoint Access\u0026quot; and \u0026quot;Detect CVE-2024-45731/CVE-2024-45733 Exploitation - Splunk Low-Privilege App Creation Error\u0026quot; Sigma rules to your SIEM.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor Splunk Internal Logs\u003c/strong\u003e: Ensure that \u003ccode\u003e_internal\u003c/code\u003e index logs, specifically \u003ccode\u003esplunkd_access\u003c/code\u003e and \u003ccode\u003esplunk_python\u003c/code\u003e sourcetypes, are being collected and monitored for suspicious activity.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInvestigate Detections\u003c/strong\u003e: Investigate any alerts generated by the provided Sigma rules for activities related to the \u003ccode\u003e*/search/apps/local/_new\u003c/code\u003e endpoint or privilege errors for low-privileged users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T13:38:10Z","date_published":"2026-07-03T13:38:10Z","id":"https://feed.craftedsignal.io/briefs/2026-07-splunk-rce-arbitrary-file-write/","summary":"A critical vulnerability (CVE-2024-45731, CVE-2024-45733) in Splunk Enterprise for Windows versions below 9.3.0, 9.2.3, and 9.1.6 allows low-privileged users to perform arbitrary file writes to the Windows system root directory (C:\\Windows\\System32) when Splunk is installed on a separate drive, enabling remote code execution through insecure session storage configuration.","title":"Splunk RCE Through Arbitrary File Write to Windows System Root","url":"https://feed.craftedsignal.io/briefs/2026-07-splunk-rce-arbitrary-file-write/"},{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*"],"_cs_cves":[{"cvss":7.2,"id":"CVE-2024-29945"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Splunk Enterprise (\u003c 9.2.1)","Splunk Enterprise (\u003c 9.1.4)","Splunk Enterprise (\u003c 9.0.9)","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["splunk","vulnerability","token-exposure","log-analysis","application"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis brief details the implications of CVE-2024-29945, a vulnerability affecting Splunk Enterprise versions prior to 9.2.1, 9.1.4, and 9.0.9, as well as Splunk Cloud. The vulnerability causes sensitive authentication tokens, specifically JSON Web Tokens (JWTs), to be inadvertently logged in \u003ccode\u003esplunkd\u003c/code\u003e debug logs when the \u003ccode\u003eJsonWebToken\u003c/code\u003e component is configured for DEBUG level logging. If an attacker gains access to the underlying Splunk server's file system or its internal logs, these exposed tokens can be retrieved and reused to bypass authentication, gaining unauthorized access to the Splunk environment. This could lead to a range of malicious activities, including sensitive data exfiltration, privilege escalation within Splunk, and ultimately, a full compromise of the Splunk deployment. This exposure highlights the critical need for proper log configuration and timely patching to mitigate significant security risks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access to Splunk Server/Logs:\u003c/strong\u003e An attacker first obtains unauthorized access to the Splunk server's underlying operating system or gains privileged access to Splunk's internal logging mechanisms (e.g., via a compromised administrative account or another vulnerability).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLocate Debug Logs:\u003c/strong\u003e The attacker navigates to the Splunk internal log directories (e.g., \u003ccode\u003e/opt/splunk/var/log/splunk/splunkd.log\u003c/code\u003e on Linux) where \u003ccode\u003esplunkd\u003c/code\u003e debug logs are stored.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIdentify Token Exposure:\u003c/strong\u003e The attacker searches through the \u003ccode\u003esplunkd\u003c/code\u003e logs for entries originating from the \u003ccode\u003eJsonWebToken\u003c/code\u003e component at \u003ccode\u003eDEBUG\u003c/code\u003e log level, specifically looking for messages like \u0026quot;Validating token:\u0026quot;.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExtract JWT:\u003c/strong\u003e The attacker parses the identified log entries to extract the full JSON Web Token (JWT) value, which contains authentication credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eToken Replay/Impersonation:\u003c/strong\u003e The extracted JWT is then used to craft authenticated API requests or session cookies, allowing the attacker to impersonate the legitimate user whose token was exposed.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized Access to Splunk:\u003c/strong\u003e The attacker gains unauthorized access to the Splunk user's account, bypassing normal authentication processes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Privilege Escalation:\u003c/strong\u003e With compromised access, the attacker can then exfiltrate sensitive data stored or processed by Splunk, create new users, modify configurations, or escalate privileges within the Splunk environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFull Compromise:\u003c/strong\u003e Ultimately, the attacker may achieve full control over the Splunk deployment, leveraging its capabilities for further reconnaissance, lateral movement, or destruction of data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of CVE-2024-29945 is severe, as exposed authentication tokens can serve as direct access keys to a Splunk environment. If successfully exploited, attackers can gain unauthorized access to all data and functionalities accessible by the compromised token's legitimate owner, potentially leading to sensitive data exfiltration, system tampering, and privilege escalation. While specific victim counts are not publicly disclosed, this vulnerability affects widely deployed Splunk Enterprise and Splunk Cloud instances across all sectors. Organizations using affected versions face risks including compliance violations due to data breaches, operational disruption, and significant reputational damage. The ability to bypass authentication can compromise the integrity and confidentiality of an organization's critical monitoring and security intelligence platform.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2024-29945 immediately:\u003c/strong\u003e Update Splunk Enterprise to versions 9.2.1, 9.1.4, 9.0.9, or later to address CVE-2024-29945, which mitigates the token exposure in debug logs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the provided Sigma rule:\u003c/strong\u003e Implement the \u0026quot;Detect Splunk Authentication Token Exposure in Debug Logs\u0026quot; Sigma rule in your SIEM to identify instances where JWTs are logged in plain text within \u003ccode\u003esplunkd\u003c/code\u003e debug logs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eConfigure Splunk logging:\u003c/strong\u003e Review and adjust Splunk logging configurations to ensure \u003ccode\u003eJsonWebToken\u003c/code\u003e component logging is not set to \u003ccode\u003eDEBUG\u003c/code\u003e level in production environments unless absolutely necessary for troubleshooting.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor internal Splunk logs:\u003c/strong\u003e Routinely monitor Splunk internal logs (\u003ccode\u003e_internal\u003c/code\u003e index) for the behavior described in the \u0026quot;Detect Splunk Authentication Token Exposure in Debug Logs\u0026quot; rule, specifically for events containing \u003ccode\u003eValidating token:\u003c/code\u003e from the \u003ccode\u003eJsonWebToken\u003c/code\u003e component.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T13:37:02Z","date_published":"2026-07-03T13:37:02Z","id":"https://feed.craftedsignal.io/briefs/2026-07-splunk-token-exposure/","summary":"A critical vulnerability, CVE-2024-29945, allows for the exposure of authentication tokens in debug logs within Splunk Enterprise and Splunk Cloud, enabling an attacker with access to internal log files to gain unauthorized access, exfiltrate data, and potentially achieve full compromise of the Splunk infrastructure if unpatched versions (prior to 9.2.1, 9.1.4, and 9.0.9 for Enterprise) are in use.","title":"Splunk Authentication Token Exposure in Debug Logs (CVE-2024-29945)","url":"https://feed.craftedsignal.io/briefs/2026-07-splunk-token-exposure/"}],"language":"en","title":"CraftedSignal Threat Feed - Cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*","version":"https://jsonfeed.org/version/1.1"}