EUVD-2025-16672

CVE-2025-20298
2025-06-02 [email protected]
CVSS 3.1 base score: 8.0 (HIGH)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 16:47 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 16:47 (euvd), EUVD-2025-16672
CVE Published: Jun 02, 2025 - 18:15 (nvd), HIGH 8.0

Description

In Universal Forwarder for Windows versions below 9.4.2, 9.3.4, 9.2.6, and 9.1.9, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Universal Forwarder for Windows Installation directory (by default, C:\Program Files\SplunkUniversalForwarder). This lets non-administrator users on the machine access the directory and all its contents.

Analysis

This is a privilege escalation vulnerability in Splunk Universal Forwarder for Windows: incorrect file system permissions are assigned during installation or upgrade, allowing non-administrator users to read and modify sensitive files in the installation directory. It affects versions below 9.4.2, 9.3.4, 9.2.6, and 9.1.9, and could enable unauthorized access to credentials, configuration files, and system monitoring data. While the CVSS score of 8.0 indicates high severity, real-world exploitation requires local access and user interaction (the UI:R component of the vector), limiting the attack scope.

Technical Context

This vulnerability stems from CWE-732 (Incorrect Permission Assignment for Critical Resource): the Universal Forwarder installer/upgrade process fails to properly restrict NTFS ACLs on the installation directory and its nested folders. By default, C:\Program Files\SplunkUniversalForwarder and its contents (including configuration files, credential stores, and binaries) are left with overly permissive access controls, allowing any authenticated local user to enumerate and potentially modify them. The affected CPE range is cpe:2.7:a:splunk:universal_forwarder:*:*:*:*:*:windows:*. This is distinct from UAC bypass vulnerabilities; it is a post-installation security configuration flaw affecting Windows NTFS permissions, not privilege escalation during execution.

Affected Products

Splunk Universal Forwarder for Windows:
- < 9.4.2
- < 9.3.4 (9.3.x branch)
- < 9.2.6 (9.2.x branch)
- < 9.1.9 (9.1.x branch)

Remediation

- Upgrade to patched versions: 9.4.2 or later, 9.3.4 or later, 9.2.6 or later, 9.1.9 or later. Apply the latest patch version matching your release branch. Consult the Splunk advisory at https://www.splunk.com/en_us/product-security.html for official patch links.
- Manual ACL remediation (interim workaround):
  - On affected systems, manually correct NTFS permissions on C:\Program Files\SplunkUniversalForwarder.
  - Restrict access to Administrators and SYSTEM only.
  - Remove implicit 'Users' group read/write access via icacls or Group Policy.
  - Verify with: icacls "C:\Program Files\SplunkUniversalForwarder" /T
  Caveat: the workaround does not address the root cause; patching is required.
- Restrict standard user permissions: implement Group Policy or local security policy to prevent standard users from accessing Program Files directories via NTFS permissions or AppLocker rules (defense-in-depth).
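The interim workaround above (restrict the install tree to Administrators and SYSTEM, strip the Users group, verify) as an added PowerShell example. This is not Splunk's code and is not part of the vuln.today record; it also serves as a check for the condition described under Technical Context (any authenticated local user holding access on the tree). It assumes the default install path from the description; the set of principals it treats as unwanted (Users, Authenticated Users, Everyone, Guests), the function names and the optional -ExtraPrincipal parameter for a forwarder that runs under a non-SYSTEM service account are my own choices.

```powershell
<#
  Added example, not Splunk's code and not part of the vuln.today record.
  Audits the Universal Forwarder install tree for Allow ACEs held by
  non-administrator principals and, with -Fix, applies the interim workaround:
  only SYSTEM and Administrators (plus any -ExtraPrincipal) keep access.
  Run from an elevated PowerShell session.
#>
param(
    [string]   $Path = 'C:\Program Files\SplunkUniversalForwarder',   # default install dir
    [string[]] $ExtraPrincipal = @(),   # e.g. 'DOMAIN\svc_splunkfwd' if splunkd does not run as SYSTEM
    [switch]   $Fix
)

# Principals that should hold no access on the install tree (my choice, not Splunk's).
# SIDs are used so the check does not depend on the OS display language.
$UnwantedSids = @(
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-11',      # NT AUTHORITY\Authenticated Users
    'S-1-1-0',       # Everyone
    'S-1-5-32-546'   # BUILTIN\Guests
)

function ConvertTo-Sid([System.Security.Principal.IdentityReference] $Id) {
    try { return $Id.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $null }   # orphaned or unresolvable SID: not one we are looking for
}

function Get-UnwantedAce([string] $ItemPath) {
    # One record per Allow ACE on $ItemPath that belongs to an unwanted principal.
    $acl = Get-Acl -LiteralPath $ItemPath
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($UnwantedSids -contains (ConvertTo-Sid $ace.IdentityReference)) {
            [pscustomobject]@{
                Path      = $ItemPath
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Test-InstallDirAcl([string] $Root) {
    # The advisory covers the directory *and all its contents*, so walk the whole tree.
    $items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
    foreach ($item in $items) { Get-UnwantedAce $item.FullName }
}

function Repair-InstallDirAcl([string] $Root, [string[]] $Extra) {
    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate   = [System.Security.AccessControl.PropagationFlags]::None
    $allow       = [System.Security.AccessControl.AccessControlType]::Allow

    $principals = @(
        New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'      # NT AUTHORITY\SYSTEM
        New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # BUILTIN\Administrators
    )
    foreach ($name in $Extra) { $principals += New-Object System.Security.Principal.NTAccount $name }

    # Root: stop inheriting from C:\Program Files (which grants Users read/execute),
    # drop the explicit ACEs and grant Full Control only to the principals above.
    $rootAcl = Get-Acl -LiteralPath $Root
    $rootAcl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($rootAcl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$rootAcl.RemoveAccessRule($ace)
    }
    foreach ($who in $principals) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($who, $fullControl, $inherit, $propagate, $allow)
        $rootAcl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Root -AclObject $rootAcl

    # Children: inherit the root ACL again and strip any explicit ACE for an
    # unwanted principal that the installer or upgrade wrote directly on the item.
    foreach ($item in Get-ChildItem -LiteralPath $Root -Recurse -Force) {
        $acl = Get-Acl -LiteralPath $item.FullName
        $acl.SetAccessRuleProtection($false, $false)
        foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            if ($UnwantedSids -contains (ConvertTo-Sid $ace.IdentityReference)) {
                [void]$acl.RemoveAccessRule($ace)
            }
        }
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
    }
}

$before = @(Test-InstallDirAcl $Path)
if ($before.Count -eq 0) {
    Write-Host "OK: no non-administrator access found under $Path"
} else {
    Write-Host "FINDING: $($before.Count) ACE(s) grant non-administrator access under $Path"
    $before | Format-Table -AutoSize
    if ($Fix) {
        Repair-InstallDirAcl -Root $Path -Extra $ExtraPrincipal
        $after = @(Test-InstallDirAcl $Path)
        Write-Host "Remaining findings after fix: $($after.Count)"
        & icacls.exe $Path   # the record's own verification command; add /T for the full tree
    }
}
```

Run the script without arguments to audit, and with -Fix to apply the workaround. If splunkd runs under a dedicated service account rather than Local System, pass that account with -ExtraPrincipal, otherwise the forwarder loses read access to its own configuration. Walking a large install tree with Get-Acl is slow but gives per-item findings, which matter here because the installer can write explicit ACEs on nested folders that a root-only check would miss. As the record notes, this workaround does not remove the root cause; upgrading to a fixed version is still required.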

Priority Score

40 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +40
POC: 0

EUVD-2025-16672 vulnerability details – vuln.today