
Splunk Enterprise patches multiple critical vulnerabilities

vulnerability | open | Jun 11, 2026 — Jun 11, 2026
Palo Alto fixes Cortex flaw: Splunk patches Enterprise bug

Palo Alto Networks and Splunk issued security updates on Wednesday that address multiple high‑severity flaws across their platforms, while a separate critical vulnerability in Check Point’s VPN appliances is already being exploited in the wild. The coordinated disclosures highlight the continued risk posed by privileged access flaws and insecure default configurations in widely deployed security and observability tools. Administrators are urged to review the advisories and apply the supplied patches without delay.

Palo Alto’s advisory describes CVE‑2026‑0274, a CVSS 8.1 high‑severity issue affecting the Cortex XSOAR and Cortex XDR platforms that could allow an unauthenticated attacker to read, modify or delete internal resources. The vendor also resolved a collection of lower‑risk defects in its Panorama management console and Cortex Data Lake components, none of which are known to be used in active attacks. Details of the fixes are available in the vendor's official security notice.

Splunk’s release covers several vulnerabilities in Splunk Enterprise. The most severe, CVE‑2026‑20253, carries a CVSS 9.8 critical rating and stems from an inadequately secured PostgreSQL endpoint that permits unauthenticated users to perform arbitrary file operations on the server. A second high‑impact flaw, CVE‑2026‑20251 (CVSS 8.8), enables remote code execution through unsafe deserialization in the Splunk Secure Gateway application. Additional patches resolve CVE‑2026‑20258, a stored cross‑site scripting issue, and CVE‑2026‑20252, a server‑side request forgery weakness. More information can be found in the Splunk advisory and the SecurityWeek report.

Separately, Check Point disclosed CVE‑2026‑50751, a CVSS 9.3 critical vulnerability in its Security Gateway VPN blade that is already listed in the Known Exploited Vulnerabilities catalog and being actively exploited. The flaw allows remote attackers to bypass authentication and execute arbitrary code on affected gateways. Check Point has published a patch and recommends immediate application, as noted in the SecurityOnline article.

Defenders should prioritize installing the updates for Cortex, Splunk Enterprise and Check Point VPN appliances as soon as possible, given the potential for unauthenticated access and remote code execution. After patching, organisations should review access logs for unexpected file write or read events, especially those originating from internal PostgreSQL ports or the Splunk Secure Gateway interface.

Monitoring for anomalous deserialization requests, unusual outbound HTTP requests indicative of SSRF, and unexpected JavaScript payloads can help detect any exploitation attempts that may have occurred prior to patching.

In addition to patching, security teams should consider tightening network controls by limiting exposure of the Splunk management interface and PostgreSQL services to trusted subnets only, enforcing strict authentication on all administrative portals, and deploying web‑application firewall rules to block common XSS and SSRF payloads. Verifying that third‑party libraries bundled with Splunk components are up to date further reduces the chance of chained attacks leveraging outdated dependencies.

Intelligence briefing updated Jun 11, 2026

CVE-2026-20253 9.8
CVE-2026-50751 9.3 KEV
CVE-2026-20251 8.8
CVE-2026-0274 8.1
CVE-2026-20252 7.6
CVE-2026-20258 7.1

Root source: security.paloaltonetworks.com