CISA warns Splunk Enterprise flaw CVE-2026-20253 actively exploited
CISA ordered U.S. federal agencies to patch the critical Splunk Enterprise flaw CVE-2026-20253, now exploited in the wild. It lets unauthenticated attackers create or truncate files via an unauthenticated PostgreSQL sidecar endpoint, enabling RCE.
On June 19, 2026, BleepingComputer reported that CISA urged U.S. federal agencies to urgently patch the critical Splunk Enterprise flaw CVE-2026-20253 after evidence of in-the-wild exploitation.
Key points
- Root cause: the PostgreSQL sidecar service endpoint lacks authentication controls, letting any network-reachable user invoke arbitrary file create or truncate operations without credentials.
- Affected versions: Splunk Enterprise 10.2.0–10.2.3 and 10.0.0–10.0.6.
- Exploitation: on June 12, WatchTowr published a technical write-up and PoC code, warning it can be abused for remote code execution (RCE); on June 18 Splunk confirmed limited in-the-wild exploitation.
- CISA action: added to the KEV catalog and mandated FCEB agencies patch under Binding Operational Directive 26-04; Shadowserver tracks over 1,400 internet-exposed Splunk instances.
- Temporary mitigation: disable the PostgreSQL sidecar service — though that breaks Edge Processor, OpAmp or SPL2 data pipelines.
Source
Splunk
#security#CVE#Splunk#CISA#RCE
This summary was written by the ORA·tech AI assistant. Read the original for full context.