ctipilot.ch

Daily brief 2026-06-20

Splunk CVE-2026-20253 now under confirmed limited targeted exploitation

high vulnerability discovered 2026-06-20 05:12 UTC

Part of run 2026-06-20-4cfd00ef (intel · Anthropic Claude (specific model not determined))

UPDATE — originally covered CVE-2026-20253 — Splunk Enterprise: unauthenticated pre-auth RCE via the PostgreSQL sidecar proxy (2026-06-14)

UPDATE (originally covered 2026-06-14): Splunk PSIRT and NCSC-NL have confirmed that CVE-2026-20253 (CVSS 9.8) — the Splunk Enterprise pre-auth RCE first covered on 2026-06-14 — is now under limited targeted exploitation in the wild, and CISA added it to the Known Exploited Vulnerabilities catalog on 2026-06-18, moving it from "disclosed, no known exploitation" to active-exploitation status (Splunk PSIRT SVD-2026-0603, 2026-06-18; SecurityWeek, 2026-06-19).

The vulnerability is an unauthenticated arbitrary file-creation/truncation flaw in a PostgreSQL sidecar service endpoint that chains to remote code execution. It affects the 10.0.x and 10.2.x branches and is fixed in Splunk Enterprise 10.4.0 / 10.2.4 / 10.0.7, available since 2026-06-14. The exploitation confirmation plus the KEV listing raises this from a routine patch-cycle item to emergency priority, particularly because Splunk is a standard SIEM platform inside CH/EU public-sector SOC environments: a compromised search head sits at the centre of detection and log visibility, so an attacker there can read, suppress or alter the very telemetry that would otherwise expose them. While patching, restrict search-job submission to authorised analyst accounts and verify indexer/search-head network segmentation; these controls limit blast radius but do not close the pre-auth path, so they are stopgaps until the fixed release is deployed, not substitutes for it.
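The first thing a SOC needs for this item is a list of which Splunk hosts are still below the fixed release on their branch. The script below is an added example written for this brief, not code from Splunk or from ctipilot: it encodes only what the brief states (10.0.x fixed in 10.0.7, 10.2.x fixed in 10.2.4, 10.4.0 is a fixed release) and deliberately refuses to guess about branches the brief does not name (9.x, 10.1.x, 10.3.x), reporting them as "verify-advisory" instead. Hostnames and version strings in SAMPLE_INVENTORY are constructed; collecting real values (for example from `splunk version` on each host or the `/services/server/info` REST endpoint) is left to the reader.

```python
"""Fleet triage for CVE-2026-20253 (Splunk Enterprise pre-auth RCE).

Affected branches and fixed releases come from the brief: 10.0.x is fixed in
10.0.7, 10.2.x in 10.2.4, and 10.4.0 is a fixed release. Any other branch is
not named in the brief and is reported as "verify-advisory" rather than guessed.
Hostnames and versions in SAMPLE_INVENTORY are constructed for illustration.
"""
from collections import Counter
from typing import NamedTuple

# Branch (major, minor) -> first fixed release on that branch, per the brief.
FIXED_ON_BRANCH = {
    (10, 0): (10, 0, 7),
    (10, 2): (10, 2, 4),
    (10, 4): (10, 4, 0),
}

PATCH_NOW = "patch-now"
FIXED = "fixed"
VERIFY = "verify-advisory"


class Verdict(NamedTuple):
    host: str
    version: str
    status: str
    target: str  # release to move to; empty when none is required


def parse_version(raw: str) -> tuple[int, int, int]:
    """Turn '10.0.3', '10.2' or '10.0.3 (build 1a2b3c)' into a 3-tuple of ints."""
    tokens = raw.strip().split()
    if not tokens:
        raise ValueError("empty Splunk version string")
    parts = tokens[0].split(".")  # first token only: drops any "(build ...)" suffix
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Splunk version string: {raw!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def classify(raw: str) -> tuple[str, str]:
    """Return (status, target_release) for one version string."""
    ver = parse_version(raw)
    branch = ver[:2]
    if branch in FIXED_ON_BRANCH:
        fixed = FIXED_ON_BRANCH[branch]
        if ver >= fixed:          # tuple comparison handles 10.2.10 vs 10.2.4 correctly
            return FIXED, ""
        return PATCH_NOW, ".".join(map(str, fixed))
    # 9.x, 10.1.x, 10.3.x, 11.x ...: the brief says nothing, so do not guess.
    return VERIFY, ""


def triage(inventory: dict[str, str]) -> list[Verdict]:
    """Classify every host; hosts needing a patch are listed first."""
    order = {PATCH_NOW: 0, VERIFY: 1, FIXED: 2}
    verdicts = [Verdict(host, raw, *classify(raw)) for host, raw in inventory.items()]
    return sorted(verdicts, key=lambda v: (order[v.status], v.host))


def summary(verdicts: list[Verdict]) -> dict[str, int]:
    """Count hosts per status, e.g. for a ticket or a management update."""
    return dict(Counter(v.status for v in verdicts))


# Constructed sample inventory: hostnames and versions are not real data.
SAMPLE_INVENTORY = {
    "sh-01.soc.example": "10.2.1",
    "sh-02.soc.example": "10.2.4",
    "idx-01.soc.example": "10.0.3 (build 1a2b3c)",
    "idx-02.soc.example": "10.0.7",
    "dev-01.soc.example": "10.4.0",
    "legacy-01.soc.example": "9.4.2",
    "lab-01.soc.example": "10.1.0",
}

if __name__ == "__main__":
    results = triage(SAMPLE_INVENTORY)
    for v in results:
        line = f"{v.status:16} {v.host:24} {v.version}"
        print(line + (f"  -> upgrade to {v.target}" if v.target else ""))
    print(summary(results))
```

The "verify-advisory" bucket is the important design choice: a triage script that silently marks 9.x or 10.1.x as safe would turn a gap in the brief into a false negative, so anything outside the named branches is surfaced for a manual check against the vendor advisory rather than decided by the script.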


Action items

  • Treat Splunk CVE-2026-20253 (CVSS 9.8, now CISA KEV) as emergency, not routine — confirmed limited targeted exploitation of a pre-auth RCE on the SIEM platform itself. Patch to Splunk Enterprise 10.4.0 / 10.2.4 / 10.0.7, restrict search-job submission to analyst accounts, verify search-head/indexer segmentation.

Update chain

Tags: vulnerabilities · actively-exploited · pre-auth · rce · cisa-kev · global · europe · CVE-2026-20253