<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Splunk Enterprise (&lt; 8.1.12) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/splunk-enterprise--8.1.12/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 13:42:50 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/splunk-enterprise--8.1.12/feed.xml" rel="self" type="application/rss+xml"/><item><title>Splunk Code Injection via Custom Dashboard Leading to RCE (CVE-2022-43571)</title><link>https://feed.craftedsignal.io/briefs/2026-07-splunk-rce-cve-2022-43571/</link><pubDate>Fri, 03 Jul 2026 13:42:50 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-splunk-rce-cve-2022-43571/</guid><description>An authenticated user can exploit CVE-2022-43571, a code injection vulnerability within Splunk Enterprise or Splunk Cloud's dashboard PDF generation component, leading to remote code execution (RCE) and potential compromise of the Splunk environment.</description><content:encoded><![CDATA[<p>This brief details CVE-2022-43571, a critical code injection vulnerability affecting Splunk Enterprise versions prior to 8.2.9, 8.1.12, and 9.0.2, as well as Splunk Cloud. An authenticated user can leverage this flaw by injecting arbitrary code into the dashboard PDF generation component, enabling remote code execution (RCE) on the underlying Splunk server. This vulnerability, initially identified in late 2022, can lead to complete compromise of the Splunk environment, unauthorized access, and arbitrary command execution. While the original detection logic for this vulnerability has been deprecated due to the affected versions reaching End of Life (EOL) and the detection's imperfect capture of malicious activity, the vulnerability itself remains a significant risk for any unpatched or unsupported Splunk instances.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access</strong>: An authenticated attacker gains access to the Splunk Web User Interface (UI), potentially via compromised or stolen credentials.</li>
<li><strong>Interaction</strong>: The attacker navigates to a Splunk dashboard or a saved search configured to allow PDF exports.</li>
<li><strong>Malicious Input</strong>: The attacker crafts a specific HTTP request targeting the PDF generation endpoint (e.g., <code>/en-US/splunkd/__raw/services/pdfgen/render</code>) and injects malicious code into a vulnerable input parameter, such as the <code>file=export</code> parameter.</li>
<li><strong>Code Injection</strong>: The Splunk server's dashboard PDF generation component processes the attacker's input without adequate sanitization, resulting in the injection of the malicious code into the server-side process.</li>
<li><strong>Remote Execution</strong>: The injected code is executed on the underlying server with the privileges of the Splunk process, successfully achieving remote code execution (RCE).</li>
<li><strong>System Compromise</strong>: With RCE, the attacker gains full control over the Splunk host, enabling them to execute arbitrary commands, exfiltrate sensitive data, or establish further persistence within the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2022-43571 allows an attacker to achieve remote code execution on the Splunk instance, leading to a complete compromise of the Splunk environment. This could result in unauthorized access to sensitive data indexed by Splunk, arbitrary command execution on the host server, and the ability to pivot to other systems within the compromised network. While the affected Splunk versions (8.1.12, 8.2.9, and 9.0.2) have reached End of Life (EOL) between 2023 and 2024, organizations still running these unsupported versions remain at severe risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2022-43571 immediately by upgrading Splunk Enterprise instances beyond versions 8.2.9, 8.1.12, and 9.0.2.</li>
<li>Ensure Splunk Cloud deployments are updated to the latest secure versions.</li>
<li>Monitor Splunk's <code>_internal</code> index for suspicious activity, specifically related to <code>uri_path=*/data/ui/views/*</code> or <code>uri_path=*saved/searches/*</code> combined with unusual parameters or error codes (e.g., <code>status</code> codes in the 4xx or 5xx range) as indicated in the original analytic logic.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>splunk</category><category>vulnerability</category><category>rce</category><category>code-injection</category><category>application-vulnerability</category></item></channel></rss>