Splunk Enterprise deployment servers in versions before 220.127.116.11, 18.104.22.168, and 9.0 let clients deploy forwarder bundles to other deployment clients through the deployment server. An attacker that compromised a Universal Forwarder endpoint could use the vulnerability to execute arbitrary code on all other Universal Forwarder endpoints subscribed to the deployment server. If you do not run a Deployment Server or use the Deployment Server functionality, the vulnerability is not applicable and is strictly informational.
The Splunk Cloud Platform (SCP) does not offer or use deployment servers and is not affected by the vulnerability. For SCP customers that run deployment servers, upgrade to version 9.0 or higher. At the time of publishing, we have no evidence of exploitation of this vulnerability by external parties.
Upgrade Splunk Enterprise deployment servers to version 22.214.171.124, 126.96.36.199, and 9.0 or later