Impact
An attacker holding a low-privileged account, one without the admin or power Splunk roles, can exploit a flaw in temporary file handling to execute arbitrary code on a vulnerable Splunk instance. The flaw lets the attacker place a malicious file in the apptemp directory under $SPLUNK_HOME/var/run/splunk, where files are not properly segregated from other users' data. Attacker-controlled code can then run, compromising the confidentiality, integrity, and availability of the entire Splunk deployment. The weakness is improper isolation of temporary resources (CWE-377).
Affected Systems
Vulnerable deployments include Splunk Enterprise versions earlier than 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions earlier than 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127. Any installation in these version ranges is at risk when low-privileged users can upload files to the temporary directory.
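A version triage helper, added here as an example and not part of the OpenCVE entry or of Splunk's own tooling: it encodes the fixed versions listed above, keyed by release branch, and reports whether an inventoried instance is earlier than the fix for its branch. Versions on a branch the advisory does not list are reported as unlisted rather than guessed. The product labels, the branch-keyed table layout, the handling of a "+build" suffix, and the sample inventory are assumptions of the example.

```python
"""Triage Splunk instances against the fixed versions named in the advisory.

Added example: only the version numbers come from the advisory; the table
layout, product labels and sample inventory are assumptions.
"""
from typing import Dict, List, Optional, Tuple

# Fixed versions from the advisory, keyed by product and by release branch
# (the first two version components). A version is affected when it sorts
# earlier than the fixed version of its own branch.
FIXED_VERSIONS = {
    "enterprise": {
        (10, 2): (10, 2, 1),
        (10, 0): (10, 0, 5),
        (9, 4): (9, 4, 10),
        (9, 3): (9, 3, 11),
    },
    "cloud": {
        (10, 4): (10, 4, 2603, 0),
        (10, 3): (10, 3, 2512, 5),
        (10, 2): (10, 2, 2510, 9),
        (10, 1): (10, 1, 2507, 19),
        (10, 0): (10, 0, 2503, 13),
        (9, 3): (9, 3, 2411, 127),
    },
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.4.10' or '10.3.2512.5' into a tuple of ints.

    A trailing '+build' or '-suffix' part (assumed format) is dropped so that
    plain integer comparison works on the release components.
    """
    core = version.strip().split("+", 1)[0].split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) < 2:
        raise ValueError(f"not a Splunk version string: {version!r}")
    return parts


def is_affected(product: str, version: str) -> Optional[bool]:
    """True if earlier than the branch fix, False if at/after it, None if the
    branch is not listed in the advisory (no claim is made either way)."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS[product].get(parsed[:2])
    if fixed is None:
        return None
    return parsed < fixed


# Constructed sample inventory: (host, product, version). Not real hosts.
SAMPLE_INVENTORY = [
    ("sh-01", "enterprise", "9.4.9"),
    ("idx-02", "enterprise", "10.2.1"),
    ("cloud-stack", "cloud", "10.3.2512.4"),
    ("lab-03", "enterprise", "10.1.3"),
]


def triage_inventory(rows: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Bucket hosts into affected / fixed / unlisted for a patch worklist."""
    result: Dict[str, List[str]] = {"affected": [], "fixed": [], "unlisted": []}
    for host, product, version in rows:
        status = is_affected(product, version)
        if status is None:
            result["unlisted"].append(host)
        elif status:
            result["affected"].append(host)
        else:
            result["fixed"].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the unlisted bucket (for instance an Enterprise 10.1.x build, which the advisory does not mention) should be checked against the vendor advisory directly rather than assumed safe.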
Risk and Exploitability
The CVSS score of 7.1 indicates a high-severity vulnerability. No EPSS score is available, and the absence of a KEV listing does not diminish the potential impact. Although exploitation requires only a non-admin user, the resulting code execution can be abused to gain system-level access or to pivot within the environment. The attack vector likely involves Splunk's standard file upload mechanism, which does not enforce strict isolation of the apptemp area. If a crafted file is uploaded successfully, Splunk processes it as a legitimate application component, leading to arbitrary code execution.
OpenCVE Enrichment