A high-severity vulnerability was uncovered in Splunk Universal Forwarder for Windows that compromises directory access controls.
The flaw, designated CVE-2025-20298 with a CVSSv3.1 score of 8.0, affects multiple versions of the software and poses significant security risks to enterprise environments relying on Splunk’s data forwarding capabilities.
The vulnerability stems from incorrect permission assignment during the installation or upgrade of Universal Forwarder for Windows.
This security flaw is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource), indicating a fundamental issue with access control mechanisms.
The vulnerability manifests when Universal Forwarder for Windows versions below 9.4.2, 9.3.4, 9.2.6, and 9.1.9 are newly installed or upgraded to an affected version.
During these processes, the installation directory—typically located at C:\Program Files\SplunkUniversalForwarder—receives incorrect permissions that allow non-administrator users to access the directory and all its contents.
This represents a significant breach of the principle of least privilege, a cornerstone of enterprise security frameworks.
The CVSSv3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H indicates that while the attack requires low-level privileges and user interaction, it can result in high impact across confidentiality, integrity, and availability.
The network attack vector component suggests potential for remote exploitation under certain circumstances.
The scope of this vulnerability is considerable, affecting four major release branches of Splunk Universal Forwarder for Windows.
Specifically, the vulnerability impacts versions in the 9.4 branch below 9.4.2, the 9.3 branch below 9.3.4, the 9.2 branch below 9.2.6, and the 9.1 branch below 9.1.9.
A critical vulnerability in ModSecurity’s Apache module has been disclosed, potentially exposing millions of web servers worldwide to denial-of-service attacks.
The flaw, tracked as CVE-2025-47947 and assigned a CVSS score of 7.5, affects the popular open-source web application firewall’s handling of JSON payloads under specific conditions.
Security researchers have confirmed that attackers can exploit this vulnerability with minimal effort, requiring only a single crafted request to consume excessive server memory and potentially crash targeted systems.
ModSecurity DoS Flaw (CVE-2025-47947)
The vulnerability was initially reported in March 2025 by Simon Studer from Netnea on behalf of Swiss Post, though it took several months for developers to successfully reproduce and understand the root cause.
CVE-2025-47947 specifically affects mod_security2, the Apache module version of ModSecurity, while the newer libmodsecurity3 implementation remains unaffected.
The flaw emerges when two specific conditions are met simultaneously: the incoming payload must have a Content-Type of application/json, and there must be at least one active rule utilizing the sanitiseMatchedBytes action.