{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/splunk-enterprise--8.1.12/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*","cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":8.8,"id":"CVE-2022-43571"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Splunk Enterprise (\u003c 8.2.9)","Splunk Enterprise (\u003c 8.1.12)","Splunk Enterprise (\u003c 9.0.2)","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["splunk","vulnerability","rce","code-injection","application-vulnerability"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis brief details CVE-2022-43571, a critical code injection vulnerability affecting Splunk Enterprise versions prior to 8.2.9, 8.1.12, and 9.0.2, as well as Splunk Cloud. An authenticated user can leverage this flaw by injecting arbitrary code into the dashboard PDF generation component, enabling remote code execution (RCE) on the underlying Splunk server. This vulnerability, initially identified in late 2022, can lead to complete compromise of the Splunk environment, unauthorized access, and arbitrary command execution. While the original detection logic for this vulnerability has been deprecated due to the affected versions reaching End of Life (EOL) and the detection's imperfect capture of malicious activity, the vulnerability itself remains a significant risk for any unpatched or unsupported Splunk instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: An authenticated attacker gains access to the Splunk Web User Interface (UI), potentially via compromised or stolen credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInteraction\u003c/strong\u003e: The attacker navigates to a Splunk dashboard or a saved search configured to allow PDF exports.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Input\u003c/strong\u003e: The attacker crafts a specific HTTP request targeting the PDF generation endpoint (e.g., \u003ccode\u003e/en-US/splunkd/__raw/services/pdfgen/render\u003c/code\u003e) and injects malicious code into a vulnerable input parameter, such as the \u003ccode\u003efile=export\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Injection\u003c/strong\u003e: The Splunk server's dashboard PDF generation component processes the attacker's input without adequate sanitization, resulting in the injection of the malicious code into the server-side process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Execution\u003c/strong\u003e: The injected code is executed on the underlying server with the privileges of the Splunk process, successfully achieving remote code execution (RCE).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSystem Compromise\u003c/strong\u003e: With RCE, the attacker gains full control over the Splunk host, enabling them to execute arbitrary commands, exfiltrate sensitive data, or establish further persistence within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2022-43571 allows an attacker to achieve remote code execution on the Splunk instance, leading to a complete compromise of the Splunk environment. This could result in unauthorized access to sensitive data indexed by Splunk, arbitrary command execution on the host server, and the ability to pivot to other systems within the compromised network. While the affected Splunk versions (8.1.12, 8.2.9, and 9.0.2) have reached End of Life (EOL) between 2023 and 2024, organizations still running these unsupported versions remain at severe risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2022-43571 immediately by upgrading Splunk Enterprise instances beyond versions 8.2.9, 8.1.12, and 9.0.2.\u003c/li\u003e\n\u003cli\u003eEnsure Splunk Cloud deployments are updated to the latest secure versions.\u003c/li\u003e\n\u003cli\u003eMonitor Splunk's \u003ccode\u003e_internal\u003c/code\u003e index for suspicious activity, specifically related to \u003ccode\u003euri_path=*/data/ui/views/*\u003c/code\u003e or \u003ccode\u003euri_path=*saved/searches/*\u003c/code\u003e combined with unusual parameters or error codes (e.g., \u003ccode\u003estatus\u003c/code\u003e codes in the 4xx or 5xx range) as indicated in the original analytic logic.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T13:42:50Z","date_published":"2026-07-03T13:42:50Z","id":"https://feed.craftedsignal.io/briefs/2026-07-splunk-rce-cve-2022-43571/","summary":"An authenticated user can exploit CVE-2022-43571, a code injection vulnerability within Splunk Enterprise or Splunk Cloud's dashboard PDF generation component, leading to remote code execution (RCE) and potential compromise of the Splunk environment.","title":"Splunk Code Injection via Custom Dashboard Leading to RCE (CVE-2022-43571)","url":"https://feed.craftedsignal.io/briefs/2026-07-splunk-rce-cve-2022-43571/"}],"language":"en","title":"CraftedSignal Threat Feed - Splunk Enterprise (\u003c 8.1.12)","version":"https://jsonfeed.org/version/1.1"}