PROBABLYPWNED
Vulnerabilities | June 26, 2026

Splunk Enterprise RCE Flaw Under Active Attack — PoC Public

CVE-2026-20253 in Splunk Enterprise lets unauthenticated attackers execute code via an unprotected PostgreSQL sidecar. Over 1,400 instances exposed. Patch or disable the service now.

Marcus Chen

A critical vulnerability in Splunk Enterprise is being actively exploited in the wild, and proof-of-concept code is publicly available. The flaw, tracked as CVE-2026-20253, allows unauthenticated remote attackers to create or overwrite arbitrary files on vulnerable systems—a primitive that security researchers have already weaponized into full remote code execution.

CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on June 18, 2026, setting a remediation deadline of June 23 for federal agencies.

The Vulnerability

Splunk Enterprise includes a PostgreSQL sidecar service that supports Edge Processor, OpAmp, and SPL2 data pipelines. The problem: this service endpoint lacks authentication controls entirely.

Any attacker with network access can invoke file operations through the unprotected service. No credentials required. No authorization checks. The PostgreSQL sidecar simply executes whatever file operations the request specifies.

Security researchers at watchTowr Labs published proof-of-concept code demonstrating how the arbitrary file write capability can be chained into remote code execution. Once an attacker can write files anywhere on the system, achieving code execution becomes a matter of placing malicious content in the right location—a web shell, a cron job, a startup script.

Affected Versions

The vulnerability impacts:

  • Splunk Enterprise 10.2.0 through 10.2.3
  • Splunk Enterprise 10.0.0 through 10.0.6

Organizations running these versions should treat patching as an emergency. Splunk has released fixed versions that properly secure the PostgreSQL sidecar endpoint.

Active Exploitation Timeline

CISA confirmed active exploitation as of June 18, 2026. The Shadowserver Foundation tracks over 1,400 internet-exposed Splunk instances, though the precise number running vulnerable versions remains unknown.

Splunk deployments often contain sensitive data—security logs, authentication events, application telemetry. Compromise of a SIEM platform gives attackers visibility into what defenders are monitoring and potentially the ability to manipulate log data to cover their tracks.

This attack pattern mirrors the Cisco SD-WAN Manager vulnerabilities that have plagued network infrastructure throughout 2026. Central management platforms make attractive targets because they provide broad access with a single compromise.

Immediate Mitigations

Option 1: Patch

Upgrade to Splunk Enterprise 10.2.4 or 10.0.7, which add proper authentication to the PostgreSQL sidecar service.

Option 2: Disable the vulnerable service

Administrators who cannot patch immediately can disable the PostgreSQL sidecar by modifying the Splunk configuration. This breaks Edge Processor, OpAmp, and SPL2 data pipeline functionality, so it's a temporary measure at best.

Option 3: Network isolation

If neither patching nor disabling is immediately possible, restrict network access to the PostgreSQL sidecar port. Only authorized systems should be able to reach the service.

Detection Guidance

Organizations should review their Splunk server logs for:

  • Unusual file system modifications, particularly in web-accessible directories
  • PostgreSQL service activity from unexpected source addresses
  • New files appearing in cron directories or systemd service paths
  • Web shells or reverse shell scripts dropped to the file system
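One way to operationalize the file-system items above is a baseline-and-diff check over the directories the article names (cron, systemd unit paths, the Splunk app tree). This is an added example, not code from the article or from Splunk; the watched paths are placeholders, and the demo runs on a constructed temporary directory so it works offline.

```python
import os
import tempfile

# Placeholder drop locations in the spirit of the article's detection list;
# adjust to the host's real layout (assumption, not Splunk-documented paths).
WATCH_DIRS = ["/etc/cron.d", "/etc/systemd/system", "/opt/splunk/etc/apps"]

def snapshot(dirs):
    """Map every file under dirs to (size, mtime). Missing dirs are skipped."""
    seen = {}
    for base in dirs:
        for root, _subdirs, files in os.walk(base):
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = os.stat(path)
                except OSError:
                    continue  # file vanished between walk and stat
                seen[path] = (st.st_size, int(st.st_mtime))
    return seen

def diff_snapshots(before, after):
    """Return paths that are new, or whose size/mtime changed, since the baseline."""
    new = sorted(p for p in after if p not in before)
    changed = sorted(p for p in after if p in before and after[p] != before[p])
    return {"new": new, "changed": changed}

def demo():
    """Constructed demo: a temp tree stands in for a cron directory."""
    with tempfile.TemporaryDirectory() as tmp:
        cron = os.path.join(tmp, "cron.d")
        os.makedirs(cron)
        existing = os.path.join(cron, "logrotate")
        with open(existing, "w") as f:
            f.write("# existing job\n")
        before = snapshot([cron])            # baseline taken while healthy
        with open(os.path.join(cron, "unexpected-job"), "w") as f:
            f.write("# file that was not in the baseline\n")
        with open(existing, "a") as f:
            f.write("# appended line\n")      # size change flags it as modified
        report = diff_snapshots(before, snapshot([cron]))
        return ([os.path.basename(p) for p in report["new"]],
                [os.path.basename(p) for p in report["changed"]])

if __name__ == "__main__":
    print(demo())
```

In production, persist the baseline from a known-good state and run the diff on a schedule; a new file in a cron or systemd path on a Splunk host is worth an immediate look.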

If your organization runs a security operations center, the irony of having your SIEM compromised will not be lost on you. This vulnerability underscores why defense-in-depth principles apply equally to security infrastructure—maybe especially to security infrastructure.

Why This Matters

Splunk occupies a privileged position in enterprise security architectures. It ingests logs from across the organization, stores authentication events, and often contains indicators that defenders use to detect intrusions.

An attacker who compromises Splunk gains multiple advantages:

  • Visibility: Understanding what the security team monitors
  • Evasion: Potentially deleting or modifying logs that would reveal their presence
  • Persistence: Using Splunk's trusted network position to pivot to other systems
  • Intelligence: Mining historical data for credentials, internal URLs, and system architecture

The Operation Endgame takedown earlier this week demonstrated how law enforcement tracks criminal infrastructure. Attackers are increasingly aware that their activities leave traces in enterprise logging systems. Compromising those systems directly addresses that problem from their perspective.

Verify Your Exposure

Run a quick inventory:

  1. Identify all Splunk Enterprise installations in your environment
  2. Check version numbers against the affected range
  3. Verify whether the PostgreSQL sidecar service is enabled
  4. Review network segmentation controls around Splunk infrastructure
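Step 2 of the inventory can be scripted: collect the output of each host's `splunk version` command and compare it against the affected and fixed releases the article lists. This is an added example, not code from the article or from Splunk; the banners below are constructed, and treating later patch releases on a fixed line (10.0.8, 10.2.5, ...) as fixed is an assumption.

```python
import re

# Inclusive affected ranges and fixed releases as stated in the article.
AFFECTED_RANGES = [((10, 0, 0), (10, 0, 6)), ((10, 2, 0), (10, 2, 3))]
FIXED_VERSIONS = [(10, 0, 7), (10, 2, 4)]

VERSION_RE = re.compile(r"Splunk\s+(\d+)\.(\d+)\.(\d+)")

def parse_version(banner):
    """Extract (major, minor, patch) from 'splunk version'-style output, or None."""
    m = VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None

def classify(version):
    """'affected', 'fixed', or 'not-listed' for a (major, minor, patch) tuple."""
    for low, high in AFFECTED_RANGES:
        if low <= version <= high:
            return "affected"
    for fixed in FIXED_VERSIONS:
        # Assumption: any later patch on the same 10.0.x / 10.2.x line keeps the fix.
        if version[:2] == fixed[:2] and version >= fixed:
            return "fixed"
    return "not-listed"  # e.g. 9.x or 10.1.x: not in the article's lists

def triage(hosts):
    """hosts: hostname -> raw banner. Returns hostname -> status string."""
    result = {}
    for host, banner in hosts.items():
        v = parse_version(banner)
        result[host] = "unparsed" if v is None else classify(v)
    return result

# Constructed sample banners; not real hosts or build numbers.
SAMPLE_HOSTS = {
    "splunk-idx01": "Splunk 10.2.1 (build 0000000000)",
    "splunk-sh01": "Splunk 10.0.7 (build 0000000000)",
    "splunk-hf01": "Splunk 9.4.2 (build 0000000000)",
    "splunk-lab": "splunk: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_HOSTS).items()):
        print(f"{host}: {status}")
```

Hosts reported as "affected" still need step 3 (is the sidecar enabled?) and step 4 (who can reach it?) answered before you can call them safe.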

The June 23 CISA deadline has passed. Organizations still running vulnerable versions are operating outside federal guidance and—more importantly—are exposed to active exploitation with public exploit code available to any attacker motivated to try it.
