Attackers just got admin access to the system that was supposed to catch them.

Splunk Enterprise has a CVSS 9.8 vulnerability — CVE-2026-20253 — that allows unauthenticated remote attackers to write arbitrary files on the Splunk server without any credentials. File write chains into full remote code execution. CISA confirmed active exploitation yesterday and added it to the KEV catalog with a federal deadline of June 21.

Exploitation has been active since June 15. Four days of in-the-wild attacks before most organizations are even aware.

The affected component is a PostgreSQL sidecar service endpoint that fails to enforce authentication before processing requests. Affected versions: Splunk Enterprise 10.2 before 10.2.4 and 10.0 before 10.0.7. Splunk Cloud is not affected.

Here’s the real issue: Splunk isn’t just another application. It’s where your detection lives. A compromised Splunk instance gives attackers the ability to delete or modify log entries, disable or alter alert rules, and suppress detection for everything else happening in the environment. Ransomware operators in particular have a strong incentive to hit your SIEM first — silence the alarm before they start the real work.

If you run Splunk Enterprise on-premises, treat this as a patch-now situation, not a patch-cycle situation.

Next 48 hours:
→ Patch to Splunk Enterprise 10.2.4 or 10.0.7 immediately.
→ Restrict Splunk management interfaces to internal/jump-host access only — no direct internet exposure.
→ Review Splunk admin audit logs for anomalous file operations or configuration changes since June 15.
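As an added example (not part of the original post), a small Python triage helper that flags which hosts fall inside the affected ranges stated above, so the patch list can be built from an inventory of version strings. The inventory is constructed, and the "Splunk x.y.z (build ...)" output format of `splunk version` is an assumption about the CLI's output rather than a value taken from the post.

```python
import re

# Affected ranges exactly as the advisory text states them:
# 10.2.x before 10.2.4 and 10.0.x before 10.0.7.
# Key: (major, minor) branch; value: first fixed release on that branch.
FIXED_RELEASES = {
    (10, 2): (10, 2, 4),
    (10, 0): (10, 0, 7),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract (major, minor, patch) from text such as 'Splunk 10.2.3 (build abc123)'."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(text):
    """True if the version is inside an affected range from the advisory.

    Branches the advisory does not list (e.g. 10.1.x or 9.x) return False here;
    they are outside this table, not confirmed safe, so check them against the
    vendor advisory rather than relying on this function.
    """
    version = parse_version(text)
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return False
    return version < fixed


def triage(inventory):
    """Given {hostname: version string}, return the sorted hosts that need the patch."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (assumed format of `splunk version` output per host).
SAMPLE_INVENTORY = {
    "siem-01": "Splunk 10.2.3 (build deadbeef)",  # affected: 10.2 before 10.2.4
    "siem-02": "Splunk 10.2.4 (build cafef00d)",  # fixed release
    "siem-03": "Splunk 10.0.6 (build 0badc0de)",  # affected: 10.0 before 10.0.7
    "siem-04": "10.0.7",                           # fixed release, bare version
}

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))  # ['siem-01', 'siem-03']
```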

June 21 deadline. Two days.

Links for a deeper technical dive are in the comments.

For those who want a deeper dive into this topic: