
Windows CVE-2025-20298

EUVD ID: EUVD-2025-16672 | Severity: HIGH
Incorrect Permission Assignment for Critical Resource (CWE-732)
Published 2025-06-02 by psirt@cisco.com
CVSS 3.1 (NVD): 8.0

Severity by source

NVD (primary): 8.0 HIGH
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD; the only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Apr 16, 2026 - 06:45 (EUVD-patch-fix): Analysis Updated (executive_summary)
Apr 16, 2026 - 05:29 (backfill_euvd_patch): Re-analysis Queued (patch_released)
Apr 16, 2026 - 05:29 (EUVD): Patch available: 9.2.6, 9.1.9, 9.3.4
Mar 14, 2026 - 16:47 (euvd): EUVD ID Assigned: EUVD-2025-16672
Mar 14, 2026 - 16:47 (vuln.today): Analysis Generated
Jun 02, 2025 - 18:15 (nvd): CVE Published, HIGH 8.0

Description (CVE.org)

In Universal Forwarder for Windows versions below 9.4.2, 9.3.4, 9.2.6, and 9.1.9, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Universal Forwarder for Windows Installation directory (by default, C:\Program Files\SplunkUniversalForwarder). This lets non-administrator users on the machine access the directory and all its contents.

Analysis (AI)

A privilege escalation vulnerability in Splunk Universal Forwarder for Windows in which incorrect file system permissions are assigned during installation or upgrade, allowing non-administrator users to read and modify sensitive files in the installation directory. It affects versions below 9.4.2, 9.3.4, 9.2.6, and 9.1.9, and could enable unauthorized access to credentials, configuration files, and system monitoring data. While CVSS 8.0 indicates high severity, real-world exploitation requires local access and user interaction (UI:R in the vector), which limits the attack scope.

Technical Context (AI)

This vulnerability stems from CWE-732 (Incorrect Permission Assignment for Critical Resource): the Universal Forwarder installer/upgrade process fails to properly restrict the NTFS ACLs on the installation directory and its nested folders. By default, C:\Program Files\SplunkUniversalForwarder and its contents (including configuration files, credential stores, and binaries) are left with overly permissive access controls, allowing any authenticated local user to enumerate and potentially modify them. The affected CPE range is cpe:2.7:a:splunk:universal_forwarder:*:*:*:*:*:windows:*. This is distinct from UAC bypass vulnerabilities: it is a post-installation security configuration flaw in Windows NTFS permissions, not a privilege escalation that occurs while the software is executing.

Remediation (AI)

  • Upgrade to patched versions: 9.4.2 or later, 9.3.4 or later, 9.2.6 or later, 9.1.9 or later. Apply the latest patch version matching your release branch; consult the Splunk advisory at https://www.splunk.com/en_us/product-security.html for official patch links.
  • Manual ACL remediation (interim workaround):
    1. On affected systems, manually correct NTFS permissions on C:\Program Files\SplunkUniversalForwarder.
    2. Restrict access to Administrators and SYSTEM only.
    3. Remove implicit 'Users' group read/write access via icacls or Group Policy.
    4. Verify with: icacls "C:\Program Files\SplunkUniversalForwarder" /T
    Caveat: the workaround does not address the root cause; patching is required.
  • Restrict standard user permissions: use Group Policy or local security policy to prevent standard users from accessing Program Files directories via NTFS permissions or AppLocker rules (defense in depth).
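An added audit script for the interim workaround above (example code, not from the advisory or from Splunk): it walks the install tree with Get-Acl, reports every Allow ACE held by a principal other than SYSTEM or Administrators, and with -Fix applies the icacls reset the workaround describes. It assumes the forwarder service runs as LocalSystem (the default); a dedicated service account would have to be added to $Keep before running with -Fix.

```powershell
# Added audit script (not from the advisory or from Splunk). Walks the install
# directory, lists every Allow ACE held by a principal other than SYSTEM or
# Administrators, and with -Fix applies the advisory's icacls workaround.
# Assumption: the forwarder service runs as LocalSystem (the default); if it
# runs under a dedicated service account, add that account to $Keep first.
param(
    [string]$Path = 'C:\Program Files\SplunkUniversalForwarder',
    [switch]$Fix
)

$Keep = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
# Any of these bits lets a non-admin tamper with binaries, configs or credential stores.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-WeakAce {
    param([string]$Root)
    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            if ($ace.AccessControlType -ne 'Allow' -or $Keep -contains $who) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $who
                Rights    = $ace.FileSystemRights
                Writable  = ((([int]$ace.FileSystemRights) -band ([int]$WriteMask)) -ne 0)
                Inherited = $ace.IsInherited   # inherited from Program Files vs. set by the installer
            }
        }
    }
}

$weak = @(Get-WeakAce -Root $Path)
if ($weak.Count -eq 0) {
    Write-Host "OK: only $($Keep -join ', ') hold Allow ACEs under $Path"
    return
}
$weak | Sort-Object Path | Format-Table -AutoSize
Write-Warning "$($weak.Count) ACE(s) grant access to principals other than SYSTEM/Administrators"

if ($Fix) {
    # Advisory workaround: drop inherited ACEs, keep only SYSTEM and Administrators, recurse.
    icacls $Path /inheritance:r /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' /T /C
    icacls $Path /T   # re-verify, as the advisory suggests
}
```

Run it from an elevated PowerShell session; without -Fix it only reports, so it is safe to use as a fleet-wide check before and after patching.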

CVE-2025-20298 vulnerability details – vuln.today
