
CVE-2022-43571: High Vulnerability in Splunk Enterprise

A high-severity vulnerability in Splunk Enterprise allows authenticated users to execute arbitrary code through the dashboard PDF generation component. Immediate patching is required for affected versions.

Severity: HIGH · Public exploit · CVSS 8.8 · Published November 3, 2022


In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can execute arbitrary code through the dashboard PDF generation component. The attacker needs a valid Splunk account, but not an administrative one: any low-privilege user who can reach Splunk Web can turn that account into code execution on the Splunk server, which typically holds log data from across the estate and the credentials used for its data inputs.

The CVSS score for this vulnerability is 8.8, categorizing it as high severity. The impact is full compromise of the Splunk host: confidentiality, integrity, and availability are all rated high, since code execution lets the attacker read indexed data, alter it, or take the service down.

Risk to organizations includes the possibility of data breaches and system compromise through arbitrary code execution. Given the nature of the vulnerability, organizations should prioritize patching immediately.

A public proof-of-concept exploit exists for this vulnerability, so the gap between "vulnerable" and "exploited" is small for any exposed instance. Organizations are urged to update their systems without delay.

Vulnerability Details

The vulnerability, identified as CVE-2022-43571, was published on November 3, 2022. It allows authenticated users to execute arbitrary code, categorized under CWE-94 (Improper Control of Generation of Code ('Code Injection')). The vulnerability affects various versions of Splunk Enterprise and the Splunk Cloud Platform.

The CVSS v3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L, that is, an ordinary authenticated account), no user interaction (UI:N), and scope unchanged (S:U). The impacts on confidentiality, integrity, and availability are all rated high, which with PR:L yields a base score of 8.8; the same flaw reachable without credentials would score 9.8.

Technical Analysis

The root cause of this vulnerability lies in the dashboard PDF generation component of Splunk, where improper validation of user-supplied input allows arbitrary code execution (CWE-94). The attack vector is network-based: the attacker reaches the component over Splunk Web with nothing more than an ordinary login, so any instance whose web interface is reachable by its user population is reachable by an attacker holding one of those accounts.

The attack complexity is low, meaning exploitation is reliable and needs no race, special configuration, or prior reconnaissance. The privileges required are low: an authenticated user can leverage this flaw without elevated access, which is what makes phished, default, or shared credentials a direct route to the Splunk host. No interaction from any other user is needed.

Risk & Impact Analysis

The real-world deployment risk associated with this vulnerability is significant. Organizations using affected versions of Splunk are at risk of unauthorized code execution, potentially leading to data loss or system outages. The blast radius is considerable for two reasons: the vulnerability affects multiple release branches of both Splunk Enterprise and the Splunk Cloud Platform, and a Splunk search head or indexer is a high-value host, holding ingested logs and the credentials used to collect them.

Organizations should assess their exposure to this vulnerability and prioritize remediation efforts based on the CVSS score of 8.8, indicating a high urgency for patching. The EPSS score of 0.752 recorded here suggests a high likelihood of exploitation and reinforces the need for immediate action; EPSS is recomputed daily, so check the current value when prioritizing.

Exploitation Status

Signal                Status
Known Exploit         Yes
Public PoC            Yes
Actively Exploited    No
Ransomware Use        No

Affected Versions

The affected versions are Splunk Enterprise 8.1.x prior to 8.1.12, 8.2.x prior to 8.2.9, and 9.0.x prior to 9.0.2. Additionally, the Splunk Cloud Platform is vulnerable if it is below version 9.0.2209. Organizations should confirm the running version on every search head and indexer rather than assume the fleet is uniform.
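An added inventory check, written for this page rather than taken from Splunk, that classifies a version string against the fixed releases above. It pulls the version number out of `splunk version` output ("Splunk 9.0.1 (build ...)") or the `version` field returned by the `/services/server/info` REST endpoint. Two interpretations in it are mine: 8.0 and older releases are treated as vulnerable because they sit below every fixed release and received none, and 9.1 and later as unaffected because they shipped after the fix.

```python
import re

# Fixed releases named in the advisory, keyed by release branch (major, minor).
FIXED_ENTERPRISE = {
    (8, 1): (8, 1, 12),
    (8, 2): (8, 2, 9),
    (9, 0): (9, 0, 2),
}
FIXED_CLOUD = (9, 0, 2209)

# Leading dotted number in strings such as "Splunk 9.0.1 (build 82c987350fde)" or "9.0.2208.3".
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(text: str) -> tuple:
    """Return the version as a tuple of ints so branches compare numerically."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))


def enterprise_status(text: str) -> str:
    """'vulnerable', 'fixed' or 'not affected' for a Splunk Enterprise version."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED_ENTERPRISE:
        return "vulnerable" if v < FIXED_ENTERPRISE[branch] else "fixed"
    if branch < (8, 1):
        # Assumption: 8.0 and older are below every fixed release and got no fix.
        return "vulnerable"
    # Assumption: 9.1 and later shipped after the fix.
    return "not affected"


def cloud_status(text: str) -> str:
    """'vulnerable' or 'fixed' for a Splunk Cloud Platform version."""
    return "vulnerable" if parse_version(text) < FIXED_CLOUD else "fixed"


def report(hosts: dict) -> dict:
    """Map {hostname: (product, version_string)} to {hostname: status}."""
    out = {}
    for host, (product, version) in hosts.items():
        out[host] = cloud_status(version) if product == "cloud" else enterprise_status(version)
    return out


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    fleet = {
        "sh01": ("enterprise", "Splunk 9.0.1 (build 82c987350fde)"),
        "idx01": ("enterprise", "8.2.9"),
        "idx02": ("enterprise", "8.1.11"),
        "legacy": ("enterprise", "8.0.9"),
        "stack": ("cloud", "9.0.2208.3"),
    }
    for host, status in report(fleet).items():
        print(host, status)
```

The version string can be collected per host from `$SPLUNK_HOME/bin/splunk version` or from the management port with `curl -k -u admin https://<host>:8089/services/server/info?output_mode=json`; feed whatever comes back straight into `enterprise_status`.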

Mitigation & Remediation

Organizations should apply the patches available for Splunk to remediate this vulnerability: upgrade Splunk Enterprise to 8.2.9 or later, 8.1.12 or later, or 9.0.2 or later on the branch in use; Splunk Cloud Platform instances need 9.0.2209 or later, which Splunk rolls out on the customer's behalf. If an immediate upgrade is not feasible, reduce the pool of accounts that can reach the component: restrict network access to Splunk Web (port 8000 by default) to the users who need it, enforce SSO and MFA so a stolen password alone is not enough, remove stale or shared accounts, and watch the logs described under Detection Guidance.

For further information on applying security updates, organizations can refer to the resources on application security assessment.

Detection Guidance

To detect potential exploitation of this vulnerability, start with Splunk's own logs. Requests to Splunk Web are written to $SPLUNK_HOME/var/log/splunk/web_access.log and indexed into _internal as sourcetype splunk_web_access, with the client address, user, method, URI, status and user agent on each line; PDF-generation requests from accounts that never export dashboards, from scripted clients, or that end in server errors are the first things to look for. Correlate those with logins in the _audit index and with splunkd.log errors around PDF rendering, and check the Splunk host itself for unexpected child processes of splunkd. Network traffic to the Splunk server should also be analyzed for anomalous patterns, such as a single account issuing bursts of PDF requests from an address it has not used before.
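The triage logic above, as an added example run over constructed web_access.log lines; this is code written for this page, not a Splunk or AppSecure detection. Two things in it are assumptions to verify in your own environment: that the dashboard PDF renderer shows up under the splunkd path containing `/services/pdfgen/render`, and the allow-list of accounts that legitimately export PDFs. The sample lines follow the web_access.log layout but are invented.

```python
import re
from collections import Counter

# Leading fields of a Splunk Web request line (web_access.log / sourcetype splunk_web_access):
# client - user [timestamp] "METHOD path protocol" status bytes "referer" "user-agent" ...
_LINE_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

# ASSUMPTION: the dashboard PDF renderer is reached through this splunkd endpoint;
# confirm the exact path in your own web_access.log before relying on it.
PDFGEN_MARKER = "/services/pdfgen/render"

# ASSUMPTION: accounts that are expected to export dashboard PDFs in this environment.
EXPECTED_PDF_USERS = {"reports_svc"}
# User-agent prefixes that indicate a script rather than a browser.
SCRIPTED_AGENTS = ("python-requests", "curl/", "go-http-client", "wget/")

# Constructed sample lines (not real logs) in the web_access.log layout.
SAMPLE_LOG = """\
10.0.0.5 - admin [03/Nov/2022:10:15:22.101 +0000] "GET /en-US/app/search/dashboards HTTP/1.1" 200 5120 "-" "Mozilla/5.0" - 1a 120ms
10.0.0.5 - reports_svc [03/Nov/2022:10:20:00.000 +0000] "GET /en-US/splunkd/__raw/services/pdfgen/render?input-dashboard=weekly HTTP/1.1" 200 90011 "-" "Mozilla/5.0" - 2b 2900ms
10.0.0.9 - jdoe [03/Nov/2022:10:16:02.220 +0000] "POST /en-US/splunkd/__raw/services/pdfgen/render HTTP/1.1" 200 88213 "-" "python-requests/2.28.1" - 3c 3400ms
10.0.0.9 - jdoe [03/Nov/2022:10:16:05.300 +0000] "POST /en-US/splunkd/__raw/services/pdfgen/render HTTP/1.1" 500 412 "-" "python-requests/2.28.1" - 4d 210ms
"""


def parse_line(line: str):
    """Return the leading fields as a dict, or None if the line is not a request record."""
    m = _LINE_RE.match(line)
    return m.groupdict() if m else None


def pdfgen_requests_by_user(lines) -> dict:
    """Count PDF-generation requests per user; a sudden burst from one account stands out."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and PDFGEN_MARKER in rec["path"]:
            counts[rec["user"]] += 1
    return dict(counts)


def find_suspicious_pdfgen(lines) -> list:
    """Flag PDF-generation requests that look unlike routine scheduled exports."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec or PDFGEN_MARKER not in rec["path"]:
            continue
        reasons = []
        if rec["user"] not in EXPECTED_PDF_USERS:
            reasons.append("unexpected user")
        if rec["agent"].lower().startswith(SCRIPTED_AGENTS):
            reasons.append("scripted client")
        if rec["status"].startswith("5"):
            reasons.append("server error during render")
        if reasons:
            findings.append({
                "ts": rec["ts"], "user": rec["user"], "client": rec["client"],
                "method": rec["method"], "status": int(rec["status"]), "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(pdfgen_requests_by_user(lines))
    for f in find_suspicious_pdfgen(lines):
        print(f["ts"], f["user"], f["client"], f["status"], ", ".join(f["reasons"]))
```

Against the sample, the scheduled export by reports_svc is ignored and both of jdoe's scripted POSTs are flagged, the second additionally for the 500. In production, feed the function the output of a `_internal` search restricted to `sourcetype=splunk_web_access` and tune the allow-list to the accounts your scheduled reports actually run as.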

AppSecure Threat Intelligence Insight

This vulnerability highlights the importance of secure coding practices, particularly in components that handle user inputs. Organizations can learn from this incident to improve their security posture against similar vulnerabilities in the future.

To explore more about secure coding practices, organizations can refer to our secure coding practices guide and consider implementing a vulnerability management program to enhance their defenses.

Lastly, organizations should consider engaging in penetration testing to proactively identify and remediate similar vulnerabilities in their systems.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
