UPDATE: Splunk CVE-2026-20253 now under confirmed limited targeted exploitation
From CTI Daily Brief — 2026-06-20 · published 2026-06-20
UPDATE (originally covered 2026-06-14): Splunk PSIRT and NCSC-NL have confirmed that CVE-2026-20253 (CVSS 9.8), the Splunk Enterprise pre-auth RCE covered in the 2026-06-14 brief, is now under limited targeted exploitation in the wild, and CISA added it to the Known Exploited Vulnerabilities catalog on 2026-06-18. Its status therefore moves from "disclosed, no known exploitation" to active exploitation (Splunk PSIRT SVD-2026-0603, 2026-06-18; SecurityWeek, 2026-06-19).
The vulnerability is an unauthenticated arbitrary file-creation/truncation flaw in a PostgreSQL sidecar service endpoint that chains to remote code execution; it affects the 10.0.x and 10.2.x branches and is fixed in Splunk Enterprise 10.4.0 / 10.2.4 / 10.0.7, available since 2026-06-14. The exploitation confirmation plus KEV listing raises this from a routine patch-cycle item to emergency priority, particularly because Splunk is a standard SIEM platform inside CH/EU public-sector SOC environments — a compromised search head sits at the centre of detection and log visibility. Restrict search-job submission to authorised analyst accounts and verify indexer/search-head network segmentation while patching.
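For the patch triage the brief asks for, the following added helper (not Splunk's code nor the brief authors') encodes only the version facts stated above: 10.0.x and 10.2.x are affected, the fixes are 10.0.7, 10.2.4 and 10.4.0, and any branch the brief does not name is flagged "unlisted" rather than assumed safe. The host inventory is constructed sample data.

```python
from __future__ import annotations
from typing import NamedTuple

# Fixed version per affected branch, per SVD-2026-0603 as summarised in the brief.
FIXED_BY_BRANCH = {(10, 0): (10, 0, 7), (10, 2): (10, 2, 4)}
FIRST_FIXED_NEW_BRANCH = (10, 4, 0)   # 10.4.0 is the first fixed release on the newest line

def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; any fourth build component is ignored."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])

def classify(version: str) -> str:
    """Return 'vulnerable', 'patched' or 'unlisted' for one Splunk Enterprise version."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return "patched" if v >= FIXED_BY_BRANCH[branch] else "vulnerable"
    if v >= FIRST_FIXED_NEW_BRANCH:
        return "patched"
    # 10.1.x, 10.3.x, 9.x etc. are not named in the brief: do not assume they are safe.
    return "unlisted"

class Host(NamedTuple):
    name: str
    role: str       # "search-head" or "indexer" in this sample
    version: str

def triage(inventory: list[Host]) -> dict[str, list[str]]:
    """Group hosts by status; search heads come first because they hold detection visibility."""
    out: dict[str, list[str]] = {"vulnerable": [], "unlisted": [], "patched": []}
    for h in sorted(inventory, key=lambda h: h.role != "search-head"):
        out[classify(h.version)].append(f"{h.name} ({h.role}, {h.version})")
    return out

# Constructed sample inventory; these are not real hosts.
SAMPLE = [
    Host("sh-01", "search-head", "10.2.3"),
    Host("idx-01", "indexer", "10.0.7"),
    Host("sh-02", "search-head", "10.4.0"),
    Host("idx-02", "indexer", "10.1.2"),
]
```

Feed it the real host list exported from your deployment server or asset inventory and patch the "vulnerable" group first, then resolve every "unlisted" entry against the advisory before closing the ticket.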