
ORGANISATIONS running Splunk Enterprise are being urged to apply updates after CISA added CVE-2026-20253 to its Known Exploited Vulnerabilities catalogue following confirmed active exploitation in the wild. The flaw affects releases prior to 10.2.4 and 10.0.7 and permits unauthenticated remote code execution through the PostgreSQL sidecar service. Successful compromise can lead to full control of the affected Splunk deployment.
CVE-2026-20253 carries a CVSS score of 9.8. According to Splunk's advisory, it stems from missing authentication checks on the PostgreSQL sidecar endpoint, allowing an attacker to issue arbitrary file operations and retrieve administrative passwords during restore procedures. Versions 10.2.4 and 10.0.7 include the necessary fixes, while earlier releases remain vulnerable. The attack chain requires no prior credentials and can be launched from any network where the Splunk instance is reachable.
Security researchers first observed the exploit in early June and the vulnerability has since been incorporated into exploit frameworks targeting exposed Splunk services as reported by securityonline.info. Although no specific threat actor has been attributed to the activity, the ease of exploitation raises the risk of opportunistic attacks against internet‑facing installations. The vulnerability is being tracked alongside other high‑severity issues disclosed for Splunk Enterprise.
The activity follows a recent wave of critical flaws in enterprise software, including a separately tracked critical issue in Check Point VPN, identified as CVE-2026-50751, that is also under active exploitation, as noted by securityonline.info. Defenders should treat the Splunk flaw as a priority because it provides a direct path to privilege escalation and data theft without needing to bypass authentication layers. The availability of a public proof-of-concept increases the likelihood of broader scanning campaigns.
Once inside, an attacker can write files to the Splunk filesystem, modify configuration files and extract clear‑text passwords used for internal authentication, effectively granting persistent access. This capability can be leveraged to deploy additional malware, exfiltrate indexes or pivot to other systems within the trusted network. The lack of authentication means that even segmented environments are at risk if the sidecar service is exposed to any reachable host.
Administrators should immediately upgrade Splunk Enterprise to version 10.2.4 or 10.0.7 (or later), which contain the patch for CVE-2026-20253, as highlighted by securityweek.com. If patching cannot be performed without delay, the PostgreSQL sidecar service should be disabled or blocked at the firewall as a temporary mitigation while the update is tested in a staging environment.
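To find which nodes still need that upgrade, the following added example (not Splunk's or the article's code) triages a constructed host inventory against the two fixed builds named above, 10.2.4 and 10.0.7. It assumes the inventory lists one host per line followed by the version string, and it treats minor lines with no named fix (9.x, 10.1.x) as needing manual confirmation rather than guessing.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fixed builds per minor line, as named in the advisory text.
FIXED_BY_LINE: Dict[Tuple[int, int], Version] = {(10, 0): (10, 0, 7), (10, 2): (10, 2, 4)}
NEWEST_FIXED_LINE = max(FIXED_BY_LINE)  # (10, 2)

# Constructed sample inventory: "<host> <version string>" per line.
SAMPLE_INVENTORY = """\
sh-01  Splunk 10.2.3 (build 1a2b3c)
sh-02  Splunk 10.2.4 (build 4d5e6f)
idx-01 Splunk 10.0.6 (build 7a8b9c)
idx-02 Splunk 10.0.7 (build 0d1e2f)
idx-03 Splunk 10.1.2 (build 3a4b5c)
hf-01  Splunk 9.4.1 (build 6d7e8f)
fwd-01 Splunk 10.3.0 (build 9a0b1c)
"""

def parse_version(text: str) -> Version:
    """Extract the first x.y.z triple from a string like 'Splunk 10.2.3 (build ...)'."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)

def assess(version_text: str) -> str:
    """Classify one version as 'fixed', 'vulnerable' or 'check-advisory'."""
    v = parse_version(version_text)
    line = (v[0], v[1])
    if line in FIXED_BY_LINE:                 # 10.0.x or 10.2.x: compare with the fixed build
        return "fixed" if v >= FIXED_BY_LINE[line] else "vulnerable"
    if line > NEWEST_FIXED_LINE:              # 10.3+ is not "prior to 10.2.4": treat as fixed
        return "fixed"
    return "check-advisory"                   # 9.x, 10.1.x: no fixed build named; confirm manually

def triage(inventory: str) -> Dict[str, List[str]]:
    """Group host names (first token of each inventory line) by patch status."""
    groups: Dict[str, List[str]] = {"vulnerable": [], "check-advisory": [], "fixed": []}
    for raw in inventory.splitlines():
        if raw.strip():
            host, _, version_text = raw.partition(" ")
            groups[assess(version_text)].append(host)
    return groups

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:15} {', '.join(hosts) or '-'}")
```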
In addition to applying the update, organisations should review authentication logs for unexpected file creation events, restrict network access to the Splunk management ports to known trusted addresses and enforce the principle of least privilege on service accounts. Keeping an eye on related identifiers such as CVE-2026-20251 and CVE-2026-20252 will help defend against chained exploits, and subscribing to the CISA KEV feed ensures timely notice of any future additions.