**Splunk Windows Flaw Lets Users Bypass Admin Controls**

A high-severity vulnerability in Splunk’s Universal Forwarder for Windows is exposing enterprise systems to unauthorized access by non-administrator users. Tracked as CVE-2025-20298 with a CVSS v3.1 score of 8.0, the flaw stems from incorrect permission settings applied during installation or upgrade processes. Affected versions include branches 9.4 (below 9.4.2), 9.3 (below 9.3.4), 9.2 (below 9.2.6), and 9.1 (below 9.1.9).

The issue allows local users without administrative rights to access and potentially alter contents of the installation directory, undermining the principle of least privilege. This could lead to configuration tampering, data exposure, or service disruption. Splunk urges customers to upgrade immediately or apply a temporary mitigation using the Windows icacls.exe command to remove improper permissions.

The flaw, classified under CWE-732, impacts critical enterprise logging infrastructure, with potential consequences for compliance, monitoring, and data integrity. Remote exploitation may be possible under certain conditions.
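A read-only check for the permission condition described above, as an added example rather than Splunk's own tooling: it lists Allow ACEs granted to broad non-administrative groups across a directory tree and marks which ones permit changes. The `-InstallDir` parameter, the `Get-BroadAce` helper, and the choice of groups (Users, Authenticated Users, Everyone) are assumptions; the page names neither the path nor the affected principal.

```powershell
# Added example (not Splunk tooling): list Allow ACEs held by broad,
# non-administrative groups on an installation directory tree.
param(
    # Assumption: the caller supplies the forwarder's installation directory.
    [Parameter(Mandatory)][string]$InstallDir
)

# Well-known SIDs; which group the installer affects is an assumption here.
$broadSids = @{
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-1-0'      = 'Everyone'
}

# Bits that allow changing content or the ACL. Modify and FullControl are left
# out of the mask on purpose: they also contain read bits.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeBits = $writeBits -bor 0x50000000   # GENERIC_WRITE | GENERIC_ALL

function Get-BroadAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Ask for SIDs directly so the check does not depend on localized names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow' -or -not $broadSids.ContainsKey($sid)) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $broadSids[$sid]
            Rights    = $ace.FileSystemRights
            CanWrite  = (([int]$ace.FileSystemRights) -band $writeBits) -ne 0
            Inherited = $ace.IsInherited
        }
    }
}

if (-not (Test-Path -LiteralPath $InstallDir -PathType Container)) {
    throw "InstallDir must be an existing directory: $InstallDir"
}

# Check the root itself plus every file and subdirectory beneath it.
$targets = @($InstallDir) + @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $_.FullName })

$findings = foreach ($t in $targets) { Get-BroadAce -Path $t }
$findings | Sort-Object -Property @{Expression = 'CanWrite'; Descending = $true}, Path | Format-Table -AutoSize
```

Run it from an elevated prompt so the ACL of every file can be read; an empty result means none of the three groups holds an Allow entry on the tree.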
