The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to secure their systems by Sunday against a critical vulnerability in Splunk Enterprise that has been exploited in attacks.
The security flaw, tracked as CVE-2026-20253, affects Splunk Enterprise (versions 10.2.0 – 10.2.3 and 10.0.0 – 10.0.6) and allows an unprivileged remote attacker to create or truncate arbitrary files on a vulnerable machine via a PostgreSQL sidecar service endpoint.
“This vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any user with network access to invoke file operations without credentials,” the Splunk security team said in a security advisory published last week.
On June 12, days after Splunk released a security patch, WatchTowr published a technical write-up, shared proof-of-concept exploit code, and warned that the flaw could be exploited for remote code execution attacks.
On Wednesday, June 18, Splunk updated its advisory to urge customers to patch their systems as soon as possible due to evidence of active exploitation.
“In June 2026, the Splunk Product Security Incident Response Team (PSIRT) became aware of limited exploitation of this vulnerability. Splunk strongly recommends that you upgrade to a fixed software release that fixes this vulnerability,” the company said.
Internet security monitoring organization Shadowserver tracks more than 1,400 Splunk instances exposed to the Internet, mostly in North America (952) and Europe (223). However, there is no information on how many of them are vulnerable to the ongoing attacks targeting the CVE-2026-20253 flaw.

On Thursday, CISA confirmed that threat actors are actively exploiting the CVE-2026-20253 vulnerability in attacks and ordered Federal Civilian Executive Branch (FCEB) agencies to patch their Splunk instances by Sunday, as mandated by Binding Operational Directive (BOD) 26-04.
CISA’s BOD 26-04, issued last week, requires U.S. government agencies to prioritize patching based on the likelihood of each vulnerability being exploited.
“These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risks to the federal enterprise,” the cybersecurity agency said yesterday. “Stakeholders are responsible for assessing each asset’s Internet exposure and ensuring compliance with BOD 26-04 patching guidelines.”
Splunk also shared mitigations for administrators who cannot immediately patch vulnerable systems, advising them to disable the PostgreSQL sidecar service to remove the attack surface.
The company also warned, however, that disabling PostgreSQL may break Edge Processor, OpAmp, or SPL2 data pipelines on affected instances.
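As an added example that is not part of the original article or of Splunk's own tooling, the script below triages a constructed inventory of Splunk Enterprise hosts against the two affected version ranges named in the advisory (10.2.0 – 10.2.3 and 10.0.0 – 10.0.6) so administrators can see which instances need to be patched or have the PostgreSQL sidecar disabled before the deadline. The hostnames and versions in the inventory are made up; a version outside the listed ranges is reported as "not in an affected range", not as confirmed fixed, because the advisory text on this page does not name the fixed releases.

```python
from typing import List, Tuple

# Affected ranges for CVE-2026-20253 as listed in Splunk's advisory (inclusive bounds).
AFFECTED_RANGES = (
    ((10, 2, 0), (10, 2, 3)),
    ((10, 0, 0), (10, 0, 6)),
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn a dotted version such as '10.2.1' into a comparable (major, minor, patch) tuple.

    A two-component version like '10.2' is padded to '10.2.0'; extra components
    beyond the third are ignored; non-numeric input raises ValueError so a bad
    inventory row is never silently treated as safe.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(p) for p in parts) + (0, 0, 0)
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("splunk-a.example.internal", "10.2.1"),
    ("splunk-b.example.internal", "10.2.4"),
    ("splunk-c.example.internal", "10.0.6"),
    ("splunk-d.example.internal", "9.4.2"),
]


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (host, version) entries that sit in an affected range, in inventory order."""
    return [(host, ver) for host, ver in inventory if is_affected(ver)]


if __name__ == "__main__":
    hits = triage(SAMPLE_INVENTORY)
    for host, ver in hits:
        print(f"{host}: {ver} is in an affected range; patch or disable the PostgreSQL sidecar")
    for host, ver in SAMPLE_INVENTORY:
        if (host, ver) not in hits:
            print(f"{host}: {ver} is not in a listed affected range")
```

The inventory list can be replaced with rows exported from an asset database; the comparison is done on integer tuples rather than strings so that, for example, 10.10.0 would sort correctly after 10.2.3 instead of being compared character by character.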
