CVE-2026-20251
Splunk · Splunk Enterprise / Cloud / Secure Gateway
A remote code execution vulnerability in Splunk products arises from unsafe deserialization of data, allowing low-privileged users to execute arbitrary code.
Executive summary
A critical remote code execution vulnerability in Splunk Enterprise and related products allows low-privileged users to execute arbitrary code via malicious JSON input.
Vulnerability
The vulnerability is caused by the unsafe deserialization of App Key Value Store data using the 'jsonpickle' Python library. A low-privileged user can leverage this via the Splunk Secure Gateway app to execute arbitrary code.
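The root cause above is a deserializer that can rebuild arbitrary Python objects from JSON it did not produce. The following is an added example, not Splunk's code and not the vendor patch: a defender-side gate, written against the Python standard library only, that parses untrusted JSON with json.loads (which can only produce dicts, lists, strings, numbers, booleans and null) and rejects any document carrying keys in jsonpickle's reserved "py/" namespace (tags such as "py/object" or "py/reduce") before the text could ever reach jsonpickle.decode. The sample records, the "some.module.Cls" class name and the function names are constructed for the example.

```python
import json
from typing import Any, Iterator, Tuple

# jsonpickle encodes Python objects as JSON objects whose keys live in the
# reserved "py/" namespace (for example "py/object", "py/reduce", "py/type").
# Plain data never needs such keys, so on an untrusted document any key with
# that prefix is a signal that the document must not be handed to
# jsonpickle.decode() at all.
RESERVED_PREFIX = "py/"


def find_reserved_keys(node: Any, path: str = "$") -> Iterator[Tuple[str, str]]:
    """Walk a decoded JSON tree and yield (json_path, key) for every dict key
    in the reserved "py/" namespace, at any nesting depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(key, str) and key.startswith(RESERVED_PREFIX):
                yield child, key
            yield from find_reserved_keys(value, child)
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from find_reserved_keys(value, f"{path}[{idx}]")


class UnsafePayload(ValueError):
    """Raised when an untrusted document carries jsonpickle object tags."""


def load_untrusted_json(raw: str) -> Any:
    """Parse untrusted text with the stdlib json module only, then refuse the
    document if it smuggles jsonpickle tags. The raw text is never passed to
    jsonpickle.decode(), so no Python object can be reconstructed from it."""
    data = json.loads(raw)
    hits = list(find_reserved_keys(data))
    if hits:
        where = ", ".join(f"{p} ({k})" for p, k in hits)
        raise UnsafePayload(f"jsonpickle tags in untrusted input: {where}")
    return data


# Constructed sample records, standing in for documents read back from a
# key-value store; the class name in the second record is a placeholder.
BENIGN_RECORD = '{"device": "phone-1", "tokens": ["a", "b"], "ttl": 3600}'
TAGGED_RECORD = (
    '{"device": "phone-2", "meta": [{"py/object": "some.module.Cls", "x": 1}]}'
)


def classify(raw: str) -> str:
    """Return 'ok' for plain data or 'rejected:<reason>' for tagged input."""
    try:
        load_untrusted_json(raw)
        return "ok"
    except UnsafePayload as exc:
        return f"rejected:{exc}"


if __name__ == "__main__":
    for rec in (BENIGN_RECORD, TAGGED_RECORD):
        print(classify(rec))
```

The same walk can run as a detection rule over stored records or request bodies: a "py/" key in data that should only ever hold plain JSON is worth an alert on its own. Structural filtering like this is a compensating control for code you cannot change; the fix that removes the risk is to stop deserializing store contents with an object-rebuilding library, which is what the vendor update addresses.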
Business impact
With a CVSS score of 8.8, this flaw represents a significant risk, enabling remote code execution from a low-privileged context. This could allow an attacker to escalate privileges, access sensitive logs and data, or pivot deeper into the corporate network, directly impacting the confidentiality and integrity of the Splunk installation.
Remediation
Immediate Action: Apply the patches Splunk provides for the affected versions of Splunk Enterprise, Splunk Cloud, and Splunk Secure Gateway without delay.
Proactive Monitoring: Monitor for suspicious activity involving the jsonpickle library or unusual API calls to the Splunk Secure Gateway app.
Compensating Controls: Restrict access to the Splunk Secure Gateway application and limit the permissions of low-privileged accounts to prevent them from interacting with sensitive app configurations.
Exploitation status
Public Exploit Available: false
Analyst recommendation
The ability for a low-privileged user to achieve remote code execution makes this a high-priority vulnerability. Organizations must audit their Splunk environments and apply the vendor-recommended updates across all affected components without delay.