Skip to main content


Remote Code Execution via the Splunk Secure Gateway application Mobile Alerts feature

Advisory ID: SVD-2022-1107

Published: 2022-11-02

CVSSv3.1 Score: 8.8, High

CWE: CWE-502

CVE ID: CVE-2022-43567

Last Update: 2022-11-02

CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Bug ID: SPL-226837


In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run arbitrary operating system commands remotely through the use of specially crafted requests to the mobile alerts feature in the Splunk Secure Gateway app.


For Splunk Enterprise, upgrade versions to 8.1.12, 8.2.9, 9.0.2, or higher.

For Splunk Cloud Platform versions below 9.0.2205, Splunk is actively patching and monitoring the Splunk Cloud instances. To request an immediate upgrade, determine which version of Splunk Cloud Platform you're running, then create a new support case.

Product Status

ProductVersionComponentAffected VersionFixed Version
Splunk Enterprise8.1Splunk Secure Gateway8.1.11 and lower8.1.12
Splunk Enterprise8.2Splunk Secure Gateway
8.2.0 to
Splunk Enterprise9.0Splunk Secure Gateway
9.0.0 to
Splunk Cloud Platform-Splunk Secure Gateway
9.0.2203.4 and lower9.0.2205

Mitigations and Workarounds

The vulnerability requires access to the Splunk Secure Gateway app. Removing, disabling, or uninstalling the app or restricting access to the app to administrators remediates the vulnerability. For more information on managing apps, see Manage app and add-on objects.


Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature

This detection search provides information on possible exploitation attempts against the Splunk Secure Gateway App Mobile Alerts feature.


Splunk rates the vulnerability as High, 8.8, with a CVSS Vectors of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability lets a remote authenticated user execute arbitrary code on the server. If you removed the Splunk Secure Gateway app or restricted access to the app to administrators, there is no impact and the severity is Informational.


Danylo Dmytriiev (DDV_UA)

Questions? Submit your question to Splunk Support.