Critical Splunk Enterprise CVE-2026-20253 Actively Exploited - Patch Now
A critical Splunk Enterprise vulnerability tracked as CVE-2026-20253 is being actively exploited in the wild just days after its public disclosure, prompting urgent warnings from security teams. The flaw resides in a PostgreSQL sidecar service endpoint that lacks authentication controls, allowing any network-reachable, unauthenticated attacker to create or truncate arbitrary files on vulnerable systems. Splunk, which is owned by Cisco, released patches on June 10 for Splunk Enterprise versions 10.2 before 10.2.4 and 10.0 before 10.0.7.
Two days after disclosure, researchers at watchTowr demonstrated how CVE-2026-20253 can be weaponized for remote code execution, publishing full technical details and proof-of-concept (PoC) code. Splunk's Product Security Incident Response Team (PSIRT) confirmed limited exploitation on June 18. Organizations running affected versions should verify their exposure immediately, as the unauthenticated nature of the vulnerability makes internet-exposed Splunk instances especially high-value targets. A quick port scan of your own address space can help identify reachable Splunk deployments that may need urgent attention.
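As an added example (not part of the article and not Splunk's own tooling), the short Python script below flags inventory entries whose Splunk Enterprise version falls inside the affected ranges quoted above. The hostnames in the sample inventory are constructed placeholders, and branches the article does not mention (such as 10.1) are reported as "unknown" rather than guessed.

```python
# Added example: triage a Splunk Enterprise inventory against the affected
# ranges stated in the article (10.2 before 10.2.4, 10.0 before 10.0.7).
from typing import Dict, List, Tuple

# First fixed version per affected branch, as given in the article.
# Branches absent from this table are reported as "unknown", not assumed safe.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (10, 2): (10, 2, 4),
    (10, 0): (10, 0, 7),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.2.3' (or '10.2.3-build' / '10.2.3+meta') into a tuple of ints."""
    core = text.strip().split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def assess(version: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for one Splunk Enterprise version."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return "unknown"
    # Pad a bare '10.2' to '10.2.0' so the tuple comparison is well defined.
    padded = parsed + (0,) * (3 - len(parsed)) if len(parsed) < 3 else parsed
    return "vulnerable" if padded < fixed else "patched"


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Assess every (host, version) pair; hosts needing action are sorted first."""
    order = {"vulnerable": 0, "unknown": 1, "patched": 2}
    results = [(host, ver, assess(ver)) for host, ver in inventory]
    return sorted(results, key=lambda row: order[row[2]])


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders, not real systems.
    SAMPLE = [
        ("splunk-a.example", "10.2.3"),
        ("splunk-b.example", "10.2.4"),
        ("splunk-c.example", "10.0.6"),
        ("splunk-d.example", "10.1.2"),
    ]
    for host, ver, status in triage(SAMPLE):
        print(f"{status:10} {host} ({ver})")
```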
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20253 to its Known Exploited Vulnerabilities (KEV) catalog on the same day Splunk confirmed attacks, instructing federal agencies to remediate by June 21. This marks the first Splunk flaw ever included in the KEV list, underscoring its severity. With no public information about the threat actors behind the exploitation, security teams should treat this as a priority patching item and review logs for indicators of compromise, particularly any unexpected file modifications or PostgreSQL sidecar activity.
Defenders should also assess their broader security posture in the wake of this disclosure. Running an SSL/TLS checker against Splunk web interfaces confirms that management traffic is encrypted, while a comprehensive privacy checkup can help identify other exposed services that might be similarly targeted. Given the rapid weaponization timeline, with PoC code published within 48 hours of patching, organizations that have not yet applied the fix should treat their Splunk deployments as actively at risk.