
Active Exploit of Unauthenticated RCE in Splunk Enterprise (CVE-2026-20253)

Summary

– CISA added CVE-2026-20253 to its Known Exploited Vulnerabilities catalog and ordered US federal agencies to apply mitigations by June 21, 2026.
– The vulnerability in Splunk Enterprise allows unauthenticated attackers to create or truncate arbitrary files via a PostgreSQL sidecar service endpoint lacking authentication controls.
– Exploitation could lead to full system compromise, including access to security data, stored credentials, and pivoting to internal systems.
– Splunk released patches on June 10, 2026, urging upgrades to versions 10.4.0, 10.2.4, or 10.0.7 and higher.
– Disabling the PostgreSQL sidecar service can mitigate the flaw, though it may affect some functionality.

CISA has officially added CVE-2026-20253, a critical unauthenticated remote code execution vulnerability in Splunk Enterprise, to its Known Exploited Vulnerabilities catalog. Federal civilian agencies are now required to apply mitigations by June 21, 2026.

Both the vendor and Resecurity have confirmed active exploitation in the wild. The severity of this flaw, which can lead to full system compromise, means organizations should prioritize patching immediately and review their environments for signs of compromise. Key indicators include:

  • Requests containing path traversal sequences, such as `../`

Splunk Enterprise serves as a central platform for IT monitoring and security (SIEM). It collects logs and data from across an organization’s IT systems, indexes them, and enables rapid search using its proprietary query language (SPL). This makes it essential for dashboards, alerts, and incident investigation.

According to the security advisory published on June 10, 2026, “In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint.” The PostgreSQL sidecar service handles database backup and recovery operations. The vulnerability arises because this endpoint lacks authentication controls, allowing attackers who reach the service to invoke file operations without valid credentials.

Attackers can exploit CVE-2026-20253 to execute arbitrary code and achieve full control over the Splunk application environment. This enables them to access, tamper with, or delete security data; expose stored credentials; and pivot to other internal systems. “Given Splunk’s central role in security monitoring and operational intelligence, compromise of the platform can significantly reduce organizational visibility, allowing additional malicious activity to proceed undetected,” Resecurity researchers warned.

Splunk released patches on June 10, urging customers to upgrade to a fixed version: 10.4.0, 10.2.4, or 10.0.7 (or higher). On June 12, watchTowr researchers published a technical deep-dive and a “neutered” version of the exploit, which organizations can use to test their own deployments. A Nuclei detection template is also publicly available.

On June 15, Splunk confirmed that disabling the PostgreSQL sidecar service can mitigate the vulnerability, though some functionality may be affected. Organizations should act quickly to secure their environments.
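As an added illustration of triaging the path-traversal indicator named above (this is not code from the advisory, from Splunk, or from the Help Net Security article), the following Python reads constructed web-access-log lines and flags requests whose target contains a `..` segment after percent-decoding, including the double-encoded form that a naive string match for `../` misses. The endpoint paths and client addresses are placeholders, not Splunk's actual sidecar endpoint.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real captures). The request paths
# are placeholders and do not reflect the real sidecar endpoint.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [11/Jun/2026:09:14:02 +0000] "POST /sidecar/backup?file=../../../../etc/passwd HTTP/1.1" 200 12',
    '10.0.0.7 - - [11/Jun/2026:09:14:05 +0000] "POST /sidecar/backup?file=%2e%2e%2f%2e%2e%2fopt%2fsplunk%2fetc%2fpasswd HTTP/1.1" 200 12',
    '10.0.0.9 - - [11/Jun/2026:09:15:10 +0000] "GET /en-US/app/search/dashboard HTTP/1.1" 200 5120',
    '10.0.0.11 - - [11/Jun/2026:09:16:44 +0000] "POST /sidecar/backup?file=%252e%252e%252f%252e%252e%252ftmp%252fx HTTP/1.1" 200 12',
]

# Extracts the HTTP method and request target from a common-log-format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalize_target(target: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded '..' is exposed,
    and fold backslashes to forward slashes before segment inspection."""
    decoded = target
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def has_traversal(target: str) -> bool:
    """True if any path or query segment is exactly '..' after decoding.
    Splitting on '/', '?', '&' and '=' also covers traversal inside query
    parameter values, which is where the sample lines carry it."""
    norm = normalize_target(target)
    return any(seg == ".." for seg in re.split(r"[/?&=]", norm))


def flag_traversal(lines):
    """Return (method, decoded_target) for each log line showing traversal."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and has_traversal(m.group("target")):
            hits.append((m.group("method"), normalize_target(m.group("target"))))
    return hits


if __name__ == "__main__":
    for method, target in flag_traversal(SAMPLE_LOG_LINES):
        print(f"traversal: {method} {target}")
```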
(Source: Help Net Security)
