Critical Splunk Enterprise Vulnerability Exploited Days After Disclosure



Vulnerability Overview

A severe flaw in Splunk Enterprise was exploited in the wild within days of its public disclosure, prompting urgent calls for immediate remediation. The vulnerability, tracked as CVE-2026-20253, lets unauthenticated attackers manipulate files through an endpoint exposed by a PostgreSQL sidecar service.

Vulnerability Details

According to Splunk's advisory, the flaw stems from a missing authentication check on that endpoint: anyone who can reach it over the network can perform file operations without supplying credentials. Affected versions are Splunk Enterprise 10.2 before 10.2.4 and 10.0 before 10.0.7.
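The affected ranges above are easy to misread when an instance sits on a branch the advisory does not mention (for example 10.1.x), so the following added example, which is not code from the article or from Splunk, turns them into a small exposure check. It assumes the version string comes from the output of `splunk version` (format "Splunk x.y.z (build ...)", an assumption) and deliberately reports unlisted branches as "not-listed" rather than "fixed".

```python
"""Classify a Splunk Enterprise version against the CVE-2026-20253 advisory
ranges quoted above: 10.2 before 10.2.4 and 10.0 before 10.0.7 are affected.

Added example, not the article's or Splunk's own code. The `splunk version`
output format assumed here ("Splunk 10.2.3 (build abc123)") is an assumption."""
from __future__ import annotations

import re
from typing import Optional

# Branch (major, minor) -> first fixed release on that branch, per the advisory.
FIXED_IN: dict[tuple[int, int], tuple[int, int, int]] = {
    (10, 2): (10, 2, 4),
    (10, 0): (10, 0, 7),
}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[tuple[int, int, int]]:
    """Extract the first x.y.z version from free text such as the output of
    `splunk version`. Returns None when no such version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(version_text: str) -> str:
    """Return 'affected', 'fixed' or 'not-listed' for the given version text.

    'not-listed' means the advisory does not mention that branch at all; treat
    it as "consult the vendor advisory", never as "safe"."""
    version = parse_version(version_text)
    if version is None:
        raise ValueError(f"no x.y.z version found in {version_text!r}")
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return "not-listed"
    # Tuple comparison orders (10, 2, 10) after (10, 2, 4), unlike string comparison.
    return "affected" if version < fixed else "fixed"


if __name__ == "__main__":
    # Constructed sample inputs in the assumed `splunk version` format.
    samples = [
        "Splunk 10.2.3 (build abc123)",
        "Splunk 10.2.4 (build abc124)",
        "Splunk 10.2.10 (build abc130)",
        "Splunk 10.0.6 (build def456)",
        "Splunk 10.1.2 (build ghi789)",
        "Splunk 9.4.1 (build jkl012)",
    ]
    for line in samples:
        print(f"{line:32} -> {assess(line)}")
```

Run it against `$SPLUNK_HOME/bin/splunk version` output from each instance; anything reported as "affected" needs the patch, and "not-listed" is a prompt to read the advisory, not a pass.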

Exploitation Timeline

Splunk released patches on June 10. Within two days of disclosure, researchers at WatchTowr demonstrated how CVE-2026-20253 could be chained to achieve remote code execution and published a technical write-up and proof-of-concept code. On June 18, Splunk confirmed in-the-wild exploitation, noting that its Product Security Incident Response Team (PSIRT) had identified a limited number of attacks using the flaw during June 2026.

The advisory stresses that organizations must upgrade to a patched version. No public details about specific attacks leveraging CVE-2026-20253 have been released, but because unauthenticated file manipulation has already been shown to lead to remote code execution, the potential impact on enterprises is significant.

CISA Involvement

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on June 18, requiring federal agencies to remediate it by June 21. It is the first Splunk flaw to appear in the KEV catalog.

Security Recommendations

The exploitation of this vulnerability illustrates how quickly threat actors weaponize newly disclosed flaws. Organizations running affected Splunk Enterprise versions should apply the patches without delay. Because the endpoint requires no credentials, limiting which hosts can reach the Splunk instance over the network reduces exposure until patching is complete, and administrators should verify that affected instances are not reachable from untrusted networks. No further details about the scope of the attacks or the actors behind them have been disclosed publicly.

