<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Splunk Enterprise for Windows (Versions &lt; 9.3.0) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/splunk-enterprise-for-windows-versions--9.3.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 13:38:10 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/splunk-enterprise-for-windows-versions--9.3.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>Splunk RCE Through Arbitrary File Write to Windows System Root</title><link>https://feed.craftedsignal.io/briefs/2026-07-splunk-rce-arbitrary-file-write/</link><pubDate>Fri, 03 Jul 2026 13:38:10 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-splunk-rce-arbitrary-file-write/</guid><description>A critical vulnerability (CVE-2024-45731, CVE-2024-45733) in Splunk Enterprise for Windows versions below 9.3.0, 9.2.3, and 9.1.6 allows low-privileged users to perform arbitrary file writes to the Windows system root directory (C:\Windows\System32) when Splunk is installed on a separate drive, enabling remote code execution through insecure session storage configuration.</description><content:encoded><![CDATA[<p>This threat concerns two critical vulnerabilities, CVE-2024-45731 and CVE-2024-45733, identified in Splunk Enterprise for Windows. Specifically, versions prior to 9.3.0, 9.2.3, and 9.1.6 are affected. These flaws enable a low-privileged user, even without 'admin' or 'power' Splunk roles, to write arbitrary files to the Windows system root directory, typically <code>C:\Windows\System32</code>, especially when Splunk is installed on a drive separate from the system root. This arbitrary file write, combined with an insecure session storage configuration, creates a path for remote code execution. Attackers can leverage this to upload and execute malicious code, leading to full system compromise. Detection engineers should prioritize identifying attempts to access vulnerable Splunk API endpoints and monitoring for unusual application creation events by unprivileged users.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access</strong>: An attacker gains or already possesses a low-privileged user account on a Splunk Enterprise for Windows instance, lacking 'admin' or 'power' capabilities.</li>
<li><strong>Exploit Initiation</strong>: The attacker sends a specially crafted HTTP POST request to the vulnerable Splunk API endpoint, <code>/search/apps/local/_new</code>.</li>
<li><strong>Arbitrary File Write (CVE-2024-45731)</strong>: The successful request exploits CVE-2024-45731, allowing the attacker to write a malicious file (e.g., a DLL, executable, or script) to the Windows system root directory (<code>C:\Windows\System32</code>). This is particularly effective when Splunk is installed on a non-system drive.</li>
<li><strong>Code Upload via Insecure Session Storage (CVE-2024-45733)</strong>: The attacker leverages CVE-2024-45733's insecure session storage configuration to facilitate the upload and persistent storage of the malicious code.</li>
<li><strong>Remote Code Execution</strong>: The malicious file previously written to <code>C:\Windows\System32</code> is subsequently executed, leading to remote code execution on the underlying Splunk server.</li>
<li><strong>System Compromise</strong>: With RCE, the attacker gains elevated privileges and full control over the compromised Splunk server, enabling further actions.</li>
<li><strong>Post-Exploitation Activities</strong>: The attacker can now perform actions such as data exfiltration from Splunk's internal data, deploy additional malware for persistence, establish lateral movement, or disrupt Splunk operations.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of these vulnerabilities leads to remote code execution on the affected Splunk Enterprise for Windows server. This grants the attacker full control over the compromised system, potentially with SYSTEM-level privileges if the Splunk service runs as such. Consequences include unauthorized access to sensitive data processed and stored by Splunk, complete compromise of the Splunk environment, and the ability to pivot to other systems within the network. This can result in significant data breaches, operational disruption, and the establishment of persistent backdoors, impacting the integrity and availability of critical security and operational data.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch Immediately</strong>: Apply patches for CVE-2024-45731 and CVE-2024-45733 by upgrading Splunk Enterprise for Windows to versions 9.3.0, 9.2.3, 9.1.6, or newer as per Splunk's advisories.</li>
<li><strong>Deploy Detection Rules</strong>: Deploy the &quot;Detect CVE-2024-45731/CVE-2024-45733 Exploitation Attempt - Splunk Vulnerable Endpoint Access&quot; and &quot;Detect CVE-2024-45731/CVE-2024-45733 Exploitation - Splunk Low-Privilege App Creation Error&quot; Sigma rules to your SIEM.</li>
<li><strong>Monitor Splunk Internal Logs</strong>: Ensure that <code>_internal</code> index logs, specifically <code>splunkd_access</code> and <code>splunk_python</code> sourcetypes, are being collected and monitored for suspicious activity.</li>
<li><strong>Investigate Detections</strong>: Investigate any alerts generated by the provided Sigma rules for activities related to the <code>*/search/apps/local/_new</code> endpoint or privilege errors for low-privileged users.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>application-vulnerability</category><category>rce</category><category>file-write</category><category>privilege-escalation</category><category>splunk</category><category>windows</category></item></channel></rss>