CVE-2025-20387 Overview
CVE-2025-20387 affects Splunk Universal Forwarder for Windows. A new installation or upgrade to an affected version assigns incorrect permissions [CWE-732] to the Universal Forwarder installation directory. Non-administrator users on the host can access the directory and all of its contents.
The issue impacts versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10. Splunk published advisory SVD-2025-1206 to track the vulnerability. The flaw allows local, low-privileged users to read sensitive configuration data, including forwarder credentials, certificates, and indexer destinations stored under the installation path.
Critical Impact
Non-administrator users on Windows hosts running affected Universal Forwarder versions can read the entire installation directory, exposing credentials, certificates, and configuration files used to communicate with Splunk indexers.
Affected Products
- Splunk Universal Forwarder for Windows versions below 10.0.2
- Splunk Universal Forwarder for Windows versions below 9.4.6, 9.3.8, and 9.2.10
- Windows hosts where a new install or in-place upgrade to an affected version was performed
Discovery Timeline
- 2025-12-03 - CVE-2025-20387 published to NVD
- 2025-12-05 - Last updated in NVD database
Technical Details for CVE-2025-20387
Vulnerability Analysis
The Universal Forwarder installer for Windows applies improper access control list (ACL) settings to its installation directory during new installs and upgrades. The directory inherits or receives permissions that grant read access to standard, non-administrator user accounts on the local machine.
The installation directory contains files that should remain restricted to SYSTEM and the local Administrators group. These include authentication.conf, server.conf, outputs.conf, certificate stores, and the passwd file containing hashed credentials. Read access by any local user breaks the confidentiality boundary the forwarder relies on.
The weakness is categorized as Incorrect Permissions Assignment for Critical Resource [CWE-732]. Exploitation requires only a local user session and no special privileges beyond standard interactive logon.
Root Cause
The Windows installer fails to set restrictive ACLs on the target directory. Instead of limiting access to administrative principals, the directory permissions allow members of BUILTIN\Users to traverse and read child objects. The same defect occurs whether the operation is a fresh install or an upgrade over a prior version.
Attack Vector
An attacker with a non-administrator account on a Windows host running an affected Universal Forwarder version browses the installation directory and reads configuration files. The attacker extracts forwarder keys, certificates, and credential material used to authenticate to Splunk indexers or deployment servers. The recovered material can support lateral movement within the Splunk ingestion path or impersonation of the forwarder.
For exploitation steps and configuration file locations, see the Splunk Security Advisory SVD-2025-1206.
Detection Methods for CVE-2025-20387
Indicators of Compromise
- Read access events from non-administrator accounts targeting files under C:\Program Files\SplunkUniversalForwarder\etc\ or the configured install path
- Access attempts on passwd, server.conf, outputs.conf, and certificate files by users not in the local Administrators group
- Unexpected forwarder authentication failures or duplicate forwarder connections to indexers, which may indicate stolen credentials in use
Detection Strategies
- Audit the ACLs on the Universal Forwarder installation directory using icacls "C:\Program Files\SplunkUniversalForwarder" and flag entries granting access to BUILTIN\Users or Authenticated Users
- Enable Windows object access auditing (Event ID 4663) on the installation directory and alert on reads by non-administrative SIDs
- Inventory installed Universal Forwarder versions across the fleet and identify hosts running versions below the fixed builds
Monitoring Recommendations
- Forward Windows Security and Sysmon logs from forwarder hosts to a central SIEM and build a rule for non-admin reads of forwarder configuration files
- Track new forwarder registrations and deployment server checkins for anomalies in source host, certificate fingerprint, or GUID
- Schedule recurring ACL drift checks against the install path and alert on deviation from a hardened baseline
How to Mitigate CVE-2025-20387
Immediate Actions Required
- Upgrade Splunk Universal Forwarder for Windows to 10.0.2, 9.4.6, 9.3.8, 9.2.10, or later as documented in SVD-2025-1206
- Manually restrict ACLs on the installation directory to SYSTEM and the local Administrators group on every affected host
- Rotate any forwarder credentials, tokens, and certificates that may have been exposed to local users
Patch Information
Splunk addressed the issue in Universal Forwarder for Windows versions 10.0.2, 9.4.6, 9.3.8, and 9.2.10. Patched installers apply correct restrictive permissions on the installation directory during install and upgrade. Review the Splunk Security Advisory SVD-2025-1206 for full version mapping and download links.
Workarounds
- Apply restrictive ACLs manually using icacls to remove read access for BUILTIN\Users and Authenticated Users on the Universal Forwarder install path
- Limit interactive and remote logon rights on forwarder hosts to administrative personnel only
- Treat any credentials or certificates stored on unpatched hosts as compromised and reissue them after patching
# Remove non-admin read access from the Universal Forwarder install directory
icacls "C:\Program Files\SplunkUniversalForwarder" /remove:g "BUILTIN\Users"
icacls "C:\Program Files\SplunkUniversalForwarder" /remove:g "Authenticated Users"
icacls "C:\Program Files\SplunkUniversalForwarder" /inheritance:r
icacls "C:\Program Files\SplunkUniversalForwarder" /grant:r "SYSTEM:(OI)(CI)F" "BUILTIN\Administrators:(OI)(CI)F"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
