ctipilot.ch


CVE-2026-20253 — Splunk Enterprise pre-auth RCE flips to confirmed exploitation and CISA KEV

From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22

If you do nothing else this week: if you run an internet-reachable Splunk Enterprise search head on 10.0.x or 10.2.x, you are now exposed to an unauthenticated remote-code-execution path that is being exploited in the wild, and a compromised search head sits at the centre of your detection and log visibility.

When CVE-2026-20253 (CVSS 9.8, CWE-306) was first covered on 2026-06-14 it was a disclosure-plus-patch story. This week Splunk PSIRT confirmed limited exploitation, CISA added it to the KEV catalog on 2026-06-18, and NCSC-NL corroborated (Splunk PSIRT SVD-2026-0603; SecurityWeek, 2026-06-19; daily 06-20). The flaw is an unauthenticated arbitrary file-creation/truncation primitive reachable through a PostgreSQL sidecar service endpoint that lacks authentication controls, chaining to RCE. It affects Splunk Enterprise 10.0 below 10.0.7 and 10.2 below 10.2.4; fixes (10.4.0 / 10.2.4 / 10.0.7) have been available since 2026-06-14.

The operational weight here is the platform, not the CVSS: Splunk is a standard SIEM backbone inside CH/EU public-sector SOCs, and an attacker who lands pre-auth code execution on the search-head tier owns the analytics plane that defenders rely on. Patch on emergency cadence, restrict search-job submission to authorised analyst accounts, and verify indexer/search-head network segmentation so the PostgreSQL sidecar is not network-reachable from untrusted zones.
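A fleet triage helper for the affected/fixed ranges named above, added here as an example and not code from the brief or from Splunk. It assumes the `splunk version` command prints a line of the form "Splunk <major.minor.patch> (build <id>)"; the host inventory is constructed.

```python
"""Triage Splunk Enterprise hosts against CVE-2026-20253 (added example).

Ranges and fixed builds are those stated in the brief:
  10.0.x below 10.0.7 -> fixed in 10.0.7
  10.2.x below 10.2.4 -> fixed in 10.2.4
  10.4.0 is the other fixed release listed.
Assumption: `splunk version` output looks like "Splunk 10.0.3 (build abcdef)".
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# (major, minor) branch -> first patch level that carries the fix
FIXED_PATCH: Dict[Tuple[int, int], int] = {(10, 0): 7, (10, 2): 4}
LATEST_FIXED = "10.4.0"

VERSION_RE = re.compile(r"Splunk\s+(\d+)\.(\d+)\.(\d+)")

def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from `splunk version` output; None if unparseable."""
    m = VERSION_RE.search(text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None

def is_affected(v: Version) -> bool:
    """True only for 10.0.x < 10.0.7 and 10.2.x < 10.2.4 (the ranges in the brief)."""
    fixed = FIXED_PATCH.get((v[0], v[1]))
    return fixed is not None and v[2] < fixed

def fix_options(v: Version) -> Tuple[str, str]:
    """Smallest fixed build on the host's own branch, plus the latest fixed release."""
    branch_fix = f"{v[0]}.{v[1]}.{FIXED_PATCH[(v[0], v[1])]}"
    return (branch_fix, LATEST_FIXED)

def triage(inventory: Dict[str, str]) -> List[tuple]:
    """inventory: {hostname: raw `splunk version` output}.
    Returns (host, version_or_None, affected_or_None, fix_options) rows,
    affected hosts first, then unparseable ones that need a manual check."""
    rows = []
    for host, raw in inventory.items():
        v = parse_version(raw)
        if v is None:
            rows.append((host, None, None, ()))          # manual check needed
            continue
        hit = is_affected(v)
        rows.append((host, ".".join(map(str, v)), hit, fix_options(v) if hit else ()))
    return sorted(rows, key=lambda r: (r[2] is not True, r[2] is not None, r[0]))

INVENTORY = {  # constructed sample, not real hosts
    "sh-01.corp.example": "Splunk 10.0.3 (build 0000000000aa)",
    "sh-02.corp.example": "Splunk 10.2.4 (build 0000000000ab)",
    "sh-03.corp.example": "Splunk 10.2.1 (build 0000000000ac)",
    "sh-04.corp.example": "Splunk 10.4.0 (build 0000000000ad)",
    "sh-05.corp.example": "ssh: connect to host sh-05 port 22: timed out",
}

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(row)
```

Rows with `affected=None` are hosts whose version could not be read and must be checked by hand rather than assumed patched.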