CVE-2022-43571

HIGH

Authenticated RCE in Splunk (SimpleXML dashboard PDF generation)

Title source: metasploit

Exploitation Summary

EIP tracks 2 public exploits for CVE-2022-43571. PoCs published by ohnonoyesyes, Maksim Rogov, Danylo Dmytriiev, psytester, including Metasploit module exploits/multi/http/splunk_auth_rce_cve_2022_43571.

Description

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can execute arbitrary code through the dashboard PDF generation component.

Exploits (2)

nomisec WRITEUP
by ohnonoyesyes · poc
https://github.com/ohnonoyesyes/CVE-2022-43571

This repository contains a writeup and analysis of CVE-2022-43571, a remote code execution vulnerability in Splunk. The author describes their journey to exploit the vulnerability, which involves the Splunk PDF generation utility, but no actual exploit code is provided in the repository.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: Splunk (version not specified)
No auth needed
Prerequisites: Access to Splunk instance with vulnerable PDF generation utility
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Maksim Rogov, Danylo Dmytriiev, psytester · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/splunk_auth_rce_cve_2022_43571.rb

This Metasploit module exploits CVE-2022-43571, an authenticated RCE vulnerability in Splunk Enterprise. It injects arbitrary Python code into style parameters of a SimpleXML dashboard, which executes when a user triggers the PDF export function.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Splunk Enterprise < 8.1.12, 8.2.0-8.2.9, 9.0.0-9.0.2
Auth required
Prerequisites: Valid Splunk admin credentials · Access to Splunk web interface
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 8.8
EPSS 0.1431
EPSS Percentile 96.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE CWE-94
Status published
Products (2)
splunk/splunk 8.1.0 - 8.1.12
splunk/splunk_cloud_platform < 9.0.2209
Published Nov 03, 2022
Tracked Since Feb 18, 2026