Cyberveille - curated by Decio
Splunk Universal Forwarder on Windows Lets Non-Admin Users Access All Contents https://cybersecuritynews.com/splunk-universal-forwarder-vulnerability/
09/06/2025 23:41:02

A high-severity vulnerability was uncovered in Splunk Universal Forwarder for Windows that compromises directory access controls.

The flaw, designated CVE-2025-20298 with a CVSSv3.1 score of 8.0, affects multiple versions of the software and poses significant security risks to enterprise environments relying on Splunk’s data forwarding capabilities.

The vulnerability stems from incorrect permission assignment during the installation or upgrade of Universal Forwarder for Windows.
This security flaw is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource), indicating a fundamental issue with access control mechanisms.

The vulnerability manifests when Universal Forwarder for Windows versions below 9.4.2, 9.3.4, 9.2.6, and 9.1.9 are newly installed or upgraded to an affected version.

During these processes, the installation directory—typically located at C:\Program Files\SplunkUniversalForwarder—receives incorrect permissions that allow non-administrator users to access the directory and all its contents.

This represents a significant breach of the principle of least privilege, a cornerstone of enterprise security frameworks.

The CVSSv3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H indicates that while the attack requires low-level privileges and user interaction, it can result in high impact across confidentiality, integrity, and availability.

The network attack vector component suggests potential for remote exploitation under certain circumstances.

The scope of this vulnerability is considerable, affecting four major release branches of Splunk Universal Forwarder for Windows.

Specifically, the vulnerability impacts versions in the 9.4 branch below 9.4.2, the 9.3 branch below 9.3.4, the 9.2 branch below 9.2.6, and the 9.1 branch below 9.1.9.
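A triage check for the two conditions described above, as an added example that is not from the article or from Splunk: it tests a version string against the per-branch fixed releases and lists allow entries for broad groups on the install directory. The function names, the `-Version` parameter and the choice of which well-known SIDs count as non-administrator users are assumptions of this example.

```powershell
# Added example (not Splunk tooling): triage for CVE-2025-20298.
param(
    # Typical install location named in the article; override if different.
    [string]$InstallDir = 'C:\Program Files\SplunkUniversalForwarder',
    # Installed forwarder version, supplied by the operator (e.g. from inventory).
    [string]$Version
)

# First fixed release per branch, taken from the article.
$FixedByBranch = @{ '9.4' = '9.4.2'; '9.3' = '9.3.4'; '9.2' = '9.2.6'; '9.1' = '9.1.9' }

function Test-AffectedVersion {
    param([Parameter(Mandatory)][string]$Version)
    $v = [version]$Version
    $branch = '{0}.{1}' -f $v.Major, $v.Minor
    # Compare only within a branch: 9.3.4 is fixed although it is below 9.4.2.
    if (-not $FixedByBranch.ContainsKey($branch)) { return $false }  # branch not listed
    return ($v -lt [version]$FixedByBranch[$branch])
}

# Assumption: these well-known SIDs stand in for "non-administrator users".
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-BroadAccessRule {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($rule in (Get-Acl -LiteralPath $Path).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $rule.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }  # principal cannot be resolved to a SID: skip it
        if ($BroadSids.ContainsKey($sid)) {
            [pscustomobject]@{
                Principal = $BroadSids[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

if ($Version) { "Version $Version affected: $(Test-AffectedVersion -Version $Version)" }
if (Test-Path -LiteralPath $InstallDir) {
    Get-BroadAccessRule -Path $InstallDir | Format-Table -AutoSize
} else {
    "Directory not found: $InstallDir"
}
```

Any row in the output is an access entry to review against the intended permissions for the directory; an empty table means none of the listed groups has an allow entry on it.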

cybersecuritynews EN 2025 CVE-2025-20298 vulnerability