CVE-2025-20384

MEDIUM

Splunk <10.0.1-9.2.10 - Info Disclosure

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-20384. PoCs published by Axselll.

AI-analyzed exploit summary: This PoC demonstrates a log injection vulnerability in Splunk by appending malicious parameters to a static file request, which can poison logs with forged entries. The exploit uses a simple GET request to test for vulnerability.

Description

In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.6, and 9.3.2411.117.125, an unauthenticated attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files due to improper validation at the /en-US/static/ web endpoint. This may allow them to poison, forge, or obfuscate sensitive log data through specially crafted HTTP requests, potentially impacting log integrity and detection capabilities.

Exploits (1)

nomisec WORKING POC
by Axselll · poc
https://github.com/Axselll/CVE-2025-20384

Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Splunk (version not specified)
No auth needed
Prerequisites: Access to the Splunk web interface · Network connectivity to the target
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 5.3
EPSS: 0.0034
EPSS Percentile: 25.5%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Source: Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-117
Status: published
Products (3):
splunk/splunk 10.0.0
splunk/splunk 9.2.0 - 9.2.10
splunk/splunk_cloud_platform 9.3.2411 - 9.3.2411.117
Published: Dec 03, 2025
Tracked Since: Feb 18, 2026