INSIGHTS HUB

CyberCase 360 | Splunk Enterprise Pre-Auth RCE Under Active Attack

The first Splunk vulnerability ever added to CISA's KEV — and federal agencies got just three days to patch

On June 18, 2026, CISA added CVE-2026-20253 to its Known Exploited Vulnerabilities catalogue — the first Splunk Enterprise flaw ever to make the list — and invoked Binding Operational Directive 26-04 to order Federal Civilian Executive Branch agencies to remediate by June 21, just three days later. The vulnerability carries a CVSS score of 9.8 and is classified under CWE-306, Missing Authentication for Critical Function.

The root of the flaw is a PostgreSQL sidecar service endpoint in Splunk Enterprise that performs file operations without enforcing any authentication. Any network-reachable user can invoke file creation or truncation on the Splunk host without credentials. As detailed in public technical analysis, the weakness can be chained: an attacker injects a connection string to redirect a database dump to an attacker-controlled host, writes arbitrary files during restore via a lo_export function, locates a plaintext .pgpass credential file, and overwrites the ssg_enable_modular_input.py script to achieve remote code execution as the splunk user.

Splunk released patches on June 10 and urged customers to upgrade to versions 10.0.7, 10.2.4 or 10.4.0. On June 12 — only two days later — watchTowr researchers published a technical deep-dive and a neutered proof-of-concept exploit. The vendor’s PSIRT and Resecurity both confirmed limited in-the-wild exploitation. Shadowserver tracks over 1,400 internet-exposed Splunk instances, the majority in North America (952) and Europe (223), though the proportion currently vulnerable is not publicly known.

The strategic danger is specific to what Splunk does. As Resecurity noted, Splunk sits at the centre of security monitoring and operational intelligence; compromising it lets an attacker access, tamper with, or delete security data, expose stored credentials, and pivot deeper while reducing the organisation’s ability to detect any of it. The tool that is supposed to provide visibility becomes the instrument for removing it.

  1. What Happened
  2. Splunk disclosed CVE-2026-20253 and released patches on June 10, 2026, identifying a missing-authentication flaw in the PostgreSQL sidecar service endpoint that allows an unauthenticated, network-reachable attacker to create or truncate arbitrary files on the Splunk Enterprise host.
  3. The flaw affects Splunk Enterprise versions 10.2 before 10.2.4 and 10.0 before 10.0.7; fixed releases are 10.0.7, 10.2.4 and 10.4.0 or later.
  4. On June 12, 2026, watchTowr published a technical write-up and a neutered proof-of-concept exploit demonstrating the path from file write to remote code execution as the splunk user.
  5. Splunk’s PSIRT confirmed awareness of limited exploitation in the wild, and Resecurity independently confirmed active exploitation, publishing indicators including path-traversal sequences and anomalous PostgreSQL connection parameters.
  6. On June 18, 2026, CISA added CVE-2026-20253 to its KEV catalogue — the first-ever Splunk entry — and under BOD 26-04 ordered federal civilian agencies to remediate by June 21, 2026.
  7. Business Impact

[CONFIRMED] CVSS 9.8 critical severity; unauthenticated remote attackers can create or truncate arbitrary files, chainable to full remote code execution as the splunk user (Splunk advisory / watchTowr, June 2026).

[CONFIRMED] First Splunk vulnerability ever added to CISA’s KEV catalogue, with a three-day federal remediation deadline under BOD 26-04 (CISA, June 18, 2026).

[CONFIRMED] Active in-the-wild exploitation confirmed by Splunk PSIRT and Resecurity (Help Net Security, June 19, 2026).

[CONFIRMED] Over 1,400 internet-exposed Splunk instances tracked globally — 952 in North America, 223 in Europe (Shadowserver, via BleepingComputer, June 2026).

[ESTIMATED] Estimated impact includes loss of SOC visibility, exposure of stored credentials, and lateral movement potential; the number of exposed instances actually vulnerable to the active attacks is not publicly disclosed (CISA / Resecurity, June 2026).

  1. Likely Root Cause
  • The PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file-operation functions without credentials (CWE-306, Missing Authentication for Critical Function).

Source: Splunk advisory, June 2026

  • Arbitrary file creation/truncation can be chained — via injected PostgreSQL connection strings, lo_export file writes, a plaintext .pgpass credential file, and overwriting a modular-input script — into full remote code execution as the splunk user.

Source: watchTowr technical analysis, June 12, 2026

  • Internet-facing Splunk deployments and weakly segmented internal networks exposed the vulnerable endpoint to untrusted networks.

Source: Assessed from CISA / SOCRadar reporting

  • Sensitive credential material (.pgpass) stored in plaintext on the host lowered the barrier from file-write to authenticated database access and code execution.

Source: Public technical analysis, June 2026

  1. Control Failures

[CF-1] ⚙️ Technology: A critical service endpoint exposed file operations with no authentication enforcement (CWE-306), turning network reachability into filesystem impact.

[CF-2] 📋 Process: Slow patch adoption against a fast exploit timeline — public PoC appeared within two days of the patch, yet many instances remained unpatched and internet-exposed.

[CF-3] ⚙️ Technology: Internet-facing exposure of the Splunk management/service plane with insufficient network segmentation around an untrusted-reachable endpoint.

[CF-4] 🪪 Identity: Plaintext credential storage (.pgpass) on the host allowed an attacker with file access to escalate to authenticated database access and code execution.

[CF-5] 📋 Process: Compromise of the SIEM itself undermines detection and incident-response capability — the platform meant to provide visibility becomes the means to remove it.

  1. Recommendations

↳ CF-2  Patch immediately to a fixed release (NIS2 Article 21(2)(e) — vulnerability handling and disclosure)

Upgrade Splunk Enterprise to 10.0.7, 10.2.4 or 10.4.0 or later without delay; where patching is not immediately possible, apply Splunk’s mitigation of disabling the PostgreSQL sidecar service, accepting the documented functionality trade-off.

↳ CF-1 / CF-3  Restrict and segment the service plane (ISO 27001:2022 Annex A 8.20 / 8.22 — network security and segregation)

Remove the Splunk management and service endpoints from the public internet, restrict the /__raw/ proxy path, and place the PostgreSQL sidecar behind strict network segmentation so it is unreachable from untrusted networks.

↳ CF-4  Eliminate plaintext credentials on the host (ISO 27001:2022 Annex A 5.17 — authentication information)

Treat .pgpass and similar credential files as secrets as sensitive as private keys; move them to protected storage, tighten file permissions, and rotate any credentials that may have been exposed.

↳ CF-5  Conduct forensic triage before assuming clean (NIST SP 800-61 Rev. 3 — incident handling)

Follow CISA’s BOD 26-04 forensic-triage requirements: review logs for path-traversal sequences, anomalous PostgreSQL connection parameters (hostaddr=, dbname=, passfile=), outbound connections to unknown PostgreSQL servers, and unexpected child processes spawned by Splunk services.

↳ CF-2 / CF-3  Validate exposure with independent testing (NIST CSF 2.0 — Identify / Protect)

Use the available neutered PoC and detection templates to confirm whether your deployments are vulnerable, and run regular external attack-surface assessments to catch internet-exposed security infrastructure.

  1. Regulatory Relevance

NIS2 — Article 21(2)(e) & reporting (24h/72h)

Vulnerability handling and network security are explicit risk-management obligations; a compromised SIEM in an essential entity would also trigger the 24-hour early-warning and 72-hour notification duties, while degrading the entity’s own ability to detect and report.

ISO 27001 — Annex A 8.8, 8.20, 8.22, 5.17

Technical vulnerability management, network security, segregation of networks, and authentication-information handling all apply; an exposed, unauthenticated service endpoint and plaintext credentials would be direct nonconformities against a certified ISMS.

 

Other:

  CIS Controls v8.1 — Controls 7, 8, 12, 13 (with audit-log management called out, since the log platform is the target)

  NIST SP 800-53 Rev. 5 — SI-2, RA-5, IA-3, SC-7, AU-9 (audit-information protection, the salient one)

  EU CRA — Article 14, forward-looking, with Cisco/Splunk as manufacturer

  1. How SEG Can Help

↳ CF-1 / CF-3  💡 Penetration Testing & Vulnerability Management

SEG identifies internet-exposed and unpatched security infrastructure — including SIEM and logging platforms — and validates segmentation, so a critical pre-auth flaw is found and closed before a public PoC reaches your environment.

↳ CF-2 / CF-5  💡 vCISO & Incident Response Readiness

SEG’s virtual CISO service builds the patch-prioritisation governance and forensic-triage playbooks needed to act inside a three-day KEV deadline and to validate integrity of the monitoring platform itself after a critical disclosure.

↳ CF-4  💡 SaaS & Security Configuration Review

SEG reviews host and application configuration for plaintext secrets, weak file permissions and exposed endpoints, ensuring credential material like .pgpass is protected to the standard of a private key.

 

🎯 Strategic Signal

CVE-2026-20253 is a warning about a specific and growing target class: the security tooling itself. SIEMs, log aggregators and observability platforms concentrate an organisation’s most sensitive telemetry and sit deep in the trusted network — and when they fall, the attacker gains both access and the ability to erase the evidence of it. The two-day gap between patch and public exploit, against a three-day federal remediation window, is the real story: the defensive tempo now demanded leaves no room for the quarterly patch cycle. Organisations must treat their security infrastructure as the high-value crown-jewel asset it is.

 

💬 SEG Expert View

There is a particular irony in a critical flaw living inside the platform you rely on to detect critical flaws. When your SIEM can be taken over without a password, the attacker doesn’t just breach you — they get to turn off the alarms. This is why we tell clients that security tooling is not exempt from the security programme; it is the most important part of it. The NIS2 Directive’s emphasis on vulnerability handling and network security applies to your defensive stack first. Patch to a fixed release today, get that service plane off the internet, and assume nothing about the integrity of a monitoring platform that was exposed — verify it forensically before you trust it again.

📖 Sources

Stay informed. Stay secure.

Get 1–2 expert insights monthly — straight to your inbox.

Explore more insights and updates

Our Partners & Vendors

Scroll to Top