Splunk Enterprise <9.4.3 – Low-Priv User Can Disable Bucket Copy Trigger
CVE-2025-20323 Published on July 7, 2025
Missing Access Control of Saved Searches in the Splunk Archiver app
In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a low-privileged user that does not hold the "admin" or "power" Splunk roles could turn off the scheduled search `Bucket Copy Trigger` within the Splunk Archiver application. This is because of missing access controls in the saved searches for this app.
Weakness Type
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2025-20323 has been classified as an Authorization vulnerability or weakness.
Products Associated with CVE-2025-20323
Affected Versions
Splunk Enterprise:
- Versions from 9.4 up to, but not including, 9.4.3 are affected.
- Versions from 9.3 up to, but not including, 9.3.5 are affected.
- Versions from 9.2 up to, but not including, 9.2.7 are affected.
- Versions from 9.1 up to, but not including, 9.1.10 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.