Splunk has issued a wave of security updates addressing dozens of vulnerabilities, including two major flaws in Splunk Enterprise and the Secure Gateway App that could expose systems to remote attacks and sensitive data leaks.
The enterprise observability giant disclosed the patches on Wednesday, highlighting a high-severity remote code execution (RCE) vulnerability tracked as CVE-2025-20229. With a CVSS score of 8.0, this bug could allow a low-privileged user to execute unauthorized code by uploading a malicious file to the $SPLUNK_HOME/var/run/splunk/apptemp directory.
The flaw stems from a missing authorization check, making it especially dangerous for organizations that haven't yet applied the fix. Splunk has resolved the issue in the following versions of Splunk Enterprise: 9.4.0, 9.3.3, 9.2.5, and 9.1.8. Cloud users are covered under Splunk Cloud Platform versions 9.3.2408.104, 9.2.2406.108, 9.2.2403.114, and 9.1.2312.208.
High-Severity Token Exposure in Secure Gateway App
Another serious vulnerability affects both Splunk Enterprise and the Splunk Secure Gateway App. This flaw could result in the exposure of user session and authorization tokens in plaintext within log files.
Splunk confirmed that when the Secure Gateway App calls the /services/ssg/secrets REST endpoint, it writes sensitive token data to the splunk_secure_gateway.log file. If a threat actor tricks a user into initiating a browser request, possibly via phishing, the user's session and authorization tokens can end up in that log in plaintext, where anyone who can read the file could obtain them. Splunk notes, however, that the attack cannot be launched without user interaction.
Fixes for this vulnerability have been applied in Splunk Enterprise versions 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and in Secure Gateway versions 3.8.38 and 3.7.23.
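The two advisories above fix the same product on overlapping maintenance branches but at different releases (9.4.0 closes the RCE, while the token exposure needs 9.4.1), so a quick "is my build at least X" check against a single number gets the answer wrong. The following script is an added example, not Splunk's own tooling: it compares an installed Splunk Enterprise, Splunk Cloud Platform, or Secure Gateway version against the fixed releases quoted on this page, branch by branch. The fixed-version lists are the ones stated above; the assumption that Splunk ships one fixed release per maintenance branch (9.1.x, 9.2.x, and so on) is the author's, and a branch that the advisories do not list is reported as unknown rather than safe.

```python
"""Branch-aware check of installed Splunk versions against the fixed releases
quoted in the two Splunk advisories summarised on this page.

Added example (not Splunk's own tooling). Fixed-version lists are taken from
the page; the one-fix-per-maintenance-branch matching rule is an assumption.
"""
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, ...]

# Fixed releases as quoted on the page.
ENTERPRISE_FIXED_RCE = ("9.4.0", "9.3.3", "9.2.5", "9.1.8")         # CVE-2025-20229
ENTERPRISE_FIXED_TOKEN_LEAK = ("9.4.1", "9.3.3", "9.2.5", "9.1.8")  # Secure Gateway token exposure
CLOUD_FIXED_RCE = ("9.3.2408.104", "9.2.2406.108", "9.2.2403.114", "9.1.2312.208")
SECURE_GATEWAY_FIXED = ("3.8.38", "3.7.23")


def parse(version: str) -> Version:
    """'9.3.2' -> (9, 3, 2). Dotted integers only; build suffixes are not handled."""
    return tuple(int(part) for part in version.strip().split("."))


def fixed_for_branch(installed: Version, fixed: Iterable[str], depth: int) -> Optional[Version]:
    """Return the fixed release whose first `depth` components match the
    installed version's maintenance branch, or None if no such release is listed."""
    for candidate in fixed:
        fixed_version = parse(candidate)
        if fixed_version[:depth] == installed[:depth]:
            return fixed_version
    return None


def is_vulnerable(installed: str, fixed: Iterable[str], depth: int = 2) -> Optional[bool]:
    """True  -> installed release is below the fix on its own branch.
    False -> installed release is at or above the fix.
    None  -> branch not covered by the advisory text; treat as 'consult the
             advisory', never as safe (older branches are typically unsupported)."""
    installed_version = parse(installed)
    fixed_version = fixed_for_branch(installed_version, fixed, depth)
    if fixed_version is None:
        return None
    return installed_version < fixed_version


def assess(enterprise: str, secure_gateway: Optional[str] = None,
           cloud: bool = False) -> Dict[str, Optional[bool]]:
    """Evaluate one deployment against every advisory on the page.

    Splunk Cloud versions carry a four-part number (9.3.2408.104), so the
    branch is taken as the first three components (assumption)."""
    if cloud:
        report: Dict[str, Optional[bool]] = {
            "CVE-2025-20229 (RCE, cloud)": is_vulnerable(enterprise, CLOUD_FIXED_RCE, depth=3),
        }
    else:
        report = {
            "CVE-2025-20229 (RCE)": is_vulnerable(enterprise, ENTERPRISE_FIXED_RCE),
            "Secure Gateway token leak (Enterprise side)": is_vulnerable(
                enterprise, ENTERPRISE_FIXED_TOKEN_LEAK),
        }
    if secure_gateway is not None:
        report["Secure Gateway token leak (app side)"] = is_vulnerable(
            secure_gateway, SECURE_GATEWAY_FIXED)
    return report


if __name__ == "__main__":
    # Constructed sample: a 9.4.0 install with Secure Gateway 3.8.37.
    # 9.4.0 already closes the RCE but is still one release short for the token leak.
    for finding, state in assess("9.4.0", "3.8.37").items():
        label = {True: "VULNERABLE", False: "fixed", None: "branch not listed, check advisory"}[state]
        print(f"{finding}: {label}")
```

Run it with the versions reported by `splunk version` and the app's version from the Splunk web UI or its app.conf; a `None` result means the branch is not one the advisories name, which for older branches usually means it is out of support and should be upgraded rather than assumed safe.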
For organizations not actively using the Secure Gateway App or related tools like Splunk Mobile, Spacebridge, or Mission Control, Splunk advises that removing or disabling the app can serve as an additional layer of protection.
More Patches Covering Medium and Low-Risk Bugs
In addition to the high-severity issues, Splunk has also fixed several medium-risk vulnerabilities that could allow:
- Unauthorized switching to maintenance mode
- Information leaks
- Bypass of internal safeguards
- Tampering with user data
The company also patched a low-severity issue in the Splunk App for Lookup Editing, alongside multiple vulnerabilities in third-party components used in:
- App for Data Science and Deep Learning
- DB Connect
- Infrastructure Monitoring Add-on
- Splunk Add-on for Microsoft Cloud Services
No Known Exploits Yet, But Immediate Updates Urged
So far, Splunk has not reported any known in-the-wild exploitation of these vulnerabilities. However, security experts strongly recommend that administrators update all affected Splunk Enterprise deployments and relevant apps immediately to stay protected.
More technical details and update instructions can be found on Splunk’s official security advisories page.