CISA Warns of Active Exploitation in Splunk Enterprise Vulnerability – Patch Deadline Sunday
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning to federal agencies, mandating immediate action to address a critical security flaw in Splunk Enterprise that is currently under active exploitation.
Vulnerability Details
The vulnerability, designated CVE-2026-20253, impacts specific versions of the software and enables unauthorized remote file manipulation through the PostgreSQL sidecar service endpoint, which accepts requests without authentication.
CVE-2026-20253 Overview
The flaw arises from the absence of authentication mechanisms on the PostgreSQL sidecar service, allowing attackers to execute file operations without credentials.
Impact on Splunk Enterprise
This vulnerability affects Splunk Enterprise versions 10.2.0 through 10.2.3 and 10.0.0 through 10.0.6. Splunk’s security team highlighted that the lack of access controls creates a significant risk for systems exposed to external networks.
CISA’s Directive and Urgency
CISA’s directive, outlined in Binding Operational Directive (BOD) 26-04, requires federal civilian executive branch agencies to remediate the vulnerability by a specified deadline.
Binding Operational Directive (BOD) 26-04
The agency underscored that unpatched systems pose a substantial risk to federal infrastructure, as attackers increasingly target such weaknesses to gain unauthorized access.
Real-World Exploitation
Following the release of security patches by Splunk, a cybersecurity research group named WatchTowr disclosed a proof-of-concept exploit for the vulnerability on June 12. This disclosure coincided with reports of limited real-world exploitation, prompting Splunk to issue an updated advisory on June 18.
Mitigation and Recommendations
Temporary Workarounds
To mitigate risks, Splunk recommends that administrators who cannot apply patches immediately temporarily disable the PostgreSQL sidecar service. However, this action may disrupt critical functions such as Edge Processor, OpAmp, and SPL2 data pipelines.
Best Practices for Organizations
Organizations are advised to review their Splunk deployments, apply available patches, and implement additional safeguards to prevent exploitation of the flaw.
According to data from the Shadowserver Foundation, over 1,400 Splunk instances are publicly accessible online, with the majority located in North America and Europe.
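As an added example (not Splunk's or CISA's code), the following Python script triages a Splunk Enterprise host inventory against the affected version ranges quoted above. The hostnames and versions are constructed sample data, and because the page does not name the fixed releases it reports only whether a version falls inside an affected range.

```python
"""Triage a Splunk Enterprise inventory against the affected ranges for CVE-2026-20253.

Added example; the ranges come from the advisory text above, the inventory is constructed.
"""
from typing import List, Tuple

Version = Tuple[int, ...]

# Inclusive affected ranges as stated on the page: 10.2.0-10.2.3 and 10.0.0-10.0.6.
AFFECTED_RANGES = [
    ((10, 2, 0), (10, 2, 3)),
    ((10, 0, 0), (10, 0, 6)),
]


def parse_version(text: str) -> Version:
    """Turn '10.2.3' into (10, 2, 3). Comparing numeric tuples avoids the
    string-comparison trap where '10.2.10' sorts before '10.2.3'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the version lies inside one of the inclusive affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, status); unparseable versions are flagged for manual review."""
    results = []
    for host, version in inventory:
        try:
            status = "AFFECTED" if is_affected(version) else "not in affected range"
        except ValueError:
            status = "unparseable - review manually"
        results.append((host, version, status))
    return results


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    ("splunk-sh-01", "10.2.3"),
    ("splunk-sh-02", "10.2.10"),
    ("splunk-idx-01", "10.0.6"),
    ("splunk-idx-02", "9.4.2"),
    ("splunk-legacy", "10.0.x"),
]

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:15} {version:8} {status}")
```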
Conclusion
The incident highlights the importance of proactive security measures in mitigating risks associated with widely used enterprise software.
