CVE-2023-32707

HIGH

Splunk Enterprise <9.0.5 - Privilege Escalation


Exploitation Summary

EIP tracks 3 public exploits for CVE-2023-32707. PoCs were published by Redway Security <redwaysecurity.com>, 9xN, Mr Hack (try_to_hack) Santiago Lopez, and Heyder Andrade, and include the Metasploit module exploits/multi/http/splunk_privilege_escalation_cve_2023_32707.

AI-analyzed exploit summary: This exploit leverages CVE-2023-32707 to escalate privileges in Splunk by changing the password of a target user (e.g., admin) if the attacker's role has the 'edit_user' capability. It authenticates with provided credentials, checks the Splunk version, and sends a crafted request to modify the target user's password.

Description

In versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform below version 9.0.2303.100, a low-privileged user who holds a role that has the ‘edit_user’ capability assigned to it can escalate their privileges to that of the admin user by providing specially crafted web requests.

Exploits (3)

exploitdb WORKING POC
by Redway Security · python, webapps, multiple
https://www.exploit-db.com/exploits/51747

This exploit leverages CVE-2023-32707 to escalate privileges in Splunk by changing the password of a target user (e.g., admin) if the attacker's role has the 'edit_user' capability. It authenticates with provided credentials, checks the Splunk version, and sends a crafted request to modify the target user's password.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14
Auth required
Prerequisites: Valid low-privilege Splunk credentials with 'edit_user' capability · Network access to Splunk management port (default 8089)
Analysis: devstral-2, analyzed Feb 16, 2026

nomisec WORKING POC 2 stars
by 9xN · poc
https://github.com/9xN/CVE-2023-32707

This is a functional exploit for CVE-2023-32707, which allows a low-privilege Splunk user with the 'edit_user' capability to escalate privileges by resetting the password of any target user, including admin accounts. The exploit automates the process by authenticating, checking version vulnerability, and forcing a password change via Splunk's REST API.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Splunk versions 8.1.0-8.1.13, 8.2.0-8.2.10, 9.0.0-9.0.4
Auth required
Prerequisites: Valid low-privilege Splunk credentials with 'edit_user' capability · Network access to Splunk management port (default 8089)
Analysis: devstral-2, analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Mr Hack (try_to_hack) Santiago Lopez, Heyder Andrade, Redway Security <redwaysecurity.com> · ruby, poc, win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/splunk_privilege_escalation_cve_2023_32707.rb

This Metasploit module exploits CVE-2023-32707, a privilege escalation vulnerability in Splunk where a low-privileged user with the 'edit_user' capability can escalate to admin by changing the admin password and uploading a malicious app for RCE.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Splunk < 9.0.5, 8.2.11, and 8.1.14
Auth required
Prerequisites: Valid credentials for a user with 'edit_user' capability · Network access to Splunk management port (default: 8000)
Analysis: devstral-2, analyzed Feb 16, 2026

Scores

CVSS v3: 8.8
EPSS: 0.7354
EPSS Percentile: 99.4%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-285
Status: published
Products (2):
  splunk/splunk 8.1.0 - 8.1.14
  splunk/splunk_cloud_platform < 9.0.2303.100
Published: Jun 01, 2023
Tracked Since: Feb 18, 2026