
CISA: Splunk Enterprise flaw actively exploited, patch by Sunday

Why This Matters

The active exploitation of a critical Splunk Enterprise vulnerability highlights the need for organizations to prioritize timely patching, since the flaw can lead to remote code execution and data breaches. The incident also shows why proactive security measures and swift response procedures matter for mitigating evolving threats.

Key Takeaways

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to secure their systems by Sunday against a critical Splunk Enterprise vulnerability that is being exploited in attacks.

Tracked as CVE-2026-20253, this security flaw affects Splunk Enterprise (versions 10.2.0 to 10.2.3 and 10.0.0 to 10.0.6) and allows unprivileged remote attackers to create or truncate arbitrary files on vulnerable devices via a PostgreSQL sidecar service endpoint.
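As an added example (not from the article, Splunk or CISA), a small inventory triage helper that flags Splunk Enterprise versions falling inside the affected ranges listed above. The hostnames and version strings are constructed, and tolerating a "Splunk " prefix or a build suffix is an assumption about how versions are recorded in an inventory.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges for CVE-2026-20253 as listed in the article (inclusive at both ends).
# Version lines not listed here (for example 10.1.x) are reported separately rather
# than assumed safe; check them against the vendor advisory.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((10, 2, 0), (10, 2, 3)),
    ((10, 0, 0), (10, 0, 6)),
]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH'; a leading 'Splunk ' and a build suffix are tolerated (assumption)."""
    tokens = text.strip().split()
    if tokens and tokens[0].lower() == "splunk":
        tokens = tokens[1:]
    if not tokens:
        raise ValueError(f"unrecognised Splunk version string: {text!r}")
    core = tokens[0].split("-")[0]  # drop a '-buildid' style suffix if present
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised Splunk version string: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the listed affected ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify each host as 'affected', 'not in listed ranges', or 'unparseable'."""
    result: Dict[str, str] = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "not in listed ranges"
        except ValueError:
            result[host] = "unparseable"
    return result


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "splunk-idx-01": "Splunk 10.2.1 (build a1b2c3)",
    "splunk-sh-02": "10.0.6",
    "splunk-hf-03": "10.2.4",
    "splunk-old-04": "9.4.2",
    "splunk-unknown": "n/a",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "not in listed ranges" still need the advisory consulted, because the article quotes only the affected ranges and not the fixed releases.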

"The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials," the Splunk security team said in a security advisory published last week.

On June 12, days after Splunk released security patches, WatchTowr published a technical write-up, shared proof-of-concept exploit code, and warned that the flaw can be abused for remote code execution attacks.

On Wednesday, June 18, Splunk updated its advisory, urging customers to patch their systems as soon as possible due to evidence of in-the-wild exploitation.

"In June 2026, the Splunk Product Security Incident Response Team (PSIRT) became aware of limited exploitation of this vulnerability. Splunk strongly recommends that customers upgrade to a fixed software release to remediate this vulnerability," it said.

Internet security watchdog group Shadowserver tracks over 1,400 Internet-exposed Splunk instances, most of them from North America (952) and Europe (223). However, there is no information on how many of them are vulnerable to ongoing attacks targeting the CVE-2026-20253 flaw.

Splunk instances exposed online (Shadowserver)

On Thursday, CISA confirmed that threat actors are now actively abusing the CVE-2026-20253 vulnerability in attacks and ordered Federal Civilian Executive Branch (FCEB) agencies to patch their Splunk instances by Sunday, as mandated by Binding Operational Directive (BOD) 26-04.

Issued last week, CISA's BOD 26-04 requires U.S. government agencies to prioritize patching based on each vulnerability's risk of exploitation.
