UniversalForwarder

by Splunk, Inc.v10.4.0

Last updated Jun 8, 2026

The universal forwarder collects data from a data source or another forwarder and sends it to a forwarder or a Splunk deployment. With a universal forwarder, you can send data to Splunk Enterprise, Splunk Light, or Splunk Cloud.

Visit homepage

Install with winget

$ winget install --id Splunk.UniversalForwarder --exact --version 10.4.0

Run in Command Prompt, PowerShell, or Windows Terminal. Prompts for any agreements.

Silent install command for UniversalForwarder

UniversalForwarder uses MSI (WiX). The silent install switches are /quiet /norestart.

One-line silent install (x64, machine scope)

msiexec.exe /i splunkforwarder-10.4.0-f798d4d49089-windows-x64.msi /quiet /norestart AGREETOLICENSE=YES

See the full silent install reference for UniversalForwarder →

Built by Pckgr

For Intune admins

Stop chasing app updates. Pckgr patches them for you.

Automated application patching for Microsoft Intune. Pckgr keeps a curated library of 1,000+ apps continuously up-to-date in your tenant via Microsoft Graph - no manual repackaging, no chasing vendor sites.

Start free 30-day trial

No credit card required.

Installers · v10.4.0

Architecture	Type	Scope	Install	Download
x64	MSI WiX	machine		Direct

Copy a command tailored to that specific architecture, type, and scope - useful when winget would otherwise pick a different default.

Security

25 known CVEs via NVD

high8.0Patched in wingetCVE-2025-20298affects before 9.1.9, 9.2.6, 9.3.4, 9.4.2Jun 2, 2025
In Universal Forwarder for Windows versions below 9.4.2, 9.3.4, 9.2.6, and 9.1.9, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Universal Forwarder for Windows Installation directory (by default, C:\Program Files...
Vendor advisory
medium5.5Patched in wingetCVE-2023-27538affects before 8.2.12, 9.0.6Mar 30, 2023
An authentication bypass vulnerability exists in libcurl prior to v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse...
medium5.9Patched in wingetCVE-2023-27537affects before 8.2.12, 9.0.6Mar 30, 2023
A double free vulnerability exists in libcurl <8.0.0 when sharing HSTS data between separate "handles". This sharing was introduced without considerations for do this sharing across separate threads but there was no indication of this fact in the documentation. Due to missing mu...
medium5.9Patched in wingetCVE-2023-27536affects before 8.2.12, 9.0.6Mar 30, 2023
An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affec...
medium5.9Patched in wingetCVE-2023-27535affects before 8.2.12, 9.0.6Mar 30, 2023
An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup...
high8.8Patched in wingetCVE-2023-27534affects before 8.2.12, 9.0.6Mar 30, 2023
A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home dir...
high8.8Patched in wingetCVE-2023-27533affects before 8.2.12, 9.0.6Mar 30, 2023
A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and "telnet options" during server negotiation. The lack of proper input scrubbing allows an attacker to send con...
medium6.5Patched in wingetCVE-2023-23916affects before 8.2.12, 9.0.6Feb 23, 2023
An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "l...

Showing 8 of 25. Source: NVD, updated 2h ago. Patch status is best-effort: NVD's fix version is compared against the latest version in winget, but the two version formats don't always align. Confirm with the vendor advisory before treating any specific build as safe.

See a CVE that affects your fleet? Push the patched version to Intune in one click with Pckgr - automated patching is the only way to keep up.

Frequently asked questions

How do I install UniversalForwarder on Windows?

Open Windows Terminal, PowerShell, or Command Prompt and run: winget install --id Splunk.UniversalForwarder --exact --version 10.4.0. winget downloads the installer from Splunk, Inc. and runs it. Requires Windows 10 (1809+) or Windows 11.

How do I install UniversalForwarder silently for unattended deployment?

Add --silent and accept the agreements upfront: winget install --id Splunk.UniversalForwarder --exact 10.4.0 --silent --accept-package-agreements --accept-source-agreements. This is the variant Intune, Configuration Manager, and other deployment tools should use.

What are the silent install switches for UniversalForwarder?

UniversalForwarder uses MSI (WiX). Run the downloaded installer with: msiexec.exe /i splunkforwarder-10.4.0-f798d4d49089-windows-x64.msi /quiet /norestart AGREETOLICENSE=YES. The silent switches are /quiet /norestart.

How do I uninstall UniversalForwarder via winget?

Run: winget uninstall --id Splunk.UniversalForwarder --exact. Add --silent for unattended uninstalls. winget will use the registered uninstaller from UniversalForwarder's Apps & Features entry.

Is UniversalForwarder free?

UniversalForwarder is distributed under Proprietary. Refer to the publisher (https://www.splunk.com/en_us/download/universal-forwarder.html) for the full license terms - Wingetly itself does not charge for installation.

Does UniversalForwarder work on Windows 10?

Yes, as long as your Windows 10 build supports winget (1809 or newer). winget ships with App Installer on Windows 10/11 and pulls UniversalForwarder directly from the publisher.

How do I keep UniversalForwarder up to date?

Run winget upgrade --id Splunk.UniversalForwarder --exact, or winget upgrade --all to update everything winget tracks. We index 10 versions of UniversalForwarder from microsoft/winget-pkgs.

Recent versions

10.4.0latest
10.2.3
10.2.2
10.2.1
10.2.0
10.0.2
10.0.1
10.0.0
9.4.4
9.4.3