Hard2bit
← Back to blog

When the SIEM becomes the breach: Splunk's CVE-2026-20253 is exploited and now on CISA's KEV list

By Adrián González · CEO · Published: 24 June 2026 · Updated: 24 June 2026
Cyber Threats
CVE Splunk SIEM

A SIEM is, by design, the place defenders look when they suspect something is wrong. It centralises logs, correlates events, supports investigations and underpins a large part of an organisation’s detection capability.

That is what makes CVE-2026-20253 so uncomfortable.

The vulnerability affects Splunk Enterprise, one of the platforms many security teams rely on to detect intrusions. It carries a CVSS score of 9.8, has been confirmed by Splunk as subject to limited exploitation in June 2026, and was added by CISA to its Known Exploited Vulnerabilities (KEV) catalogue on 18 June 2026.

The executive takeaway is simple: if an organisation runs an affected version of Splunk Enterprise and the vulnerable service is reachable over the network, it should act immediately. Not only because the vulnerability is critical, but because compromising the detection platform can affect the organisation’s ability to see, investigate and respond to the incident itself.

Executive summary: what to do if you run Splunk Enterprise

If you use Splunk Enterprise, check immediately whether you are running an affected version:

  • Splunk Enterprise 10.0.0 to 10.0.6.
  • Splunk Enterprise 10.2.0 to 10.2.3.

The fixed versions are:

  • 10.0.7.
  • 10.2.4.
  • 10.4.0 or later.

According to Splunk’s advisory, Splunk Cloud Platform is not affected, because it does not use PostgreSQL sidecars. Splunk also states that Splunk Enterprise 9.4 and earlier are not affected.

The priority order is clear:

  1. Upgrade to a fixed version.
  2. If immediate patching is not possible, evaluate Splunk’s temporary mitigation: disabling the PostgreSQL sidecar service, while assessing the functional impact.
  3. Restrict network exposure to the affected service.
  4. Review the integrity of scripts, apps, alerts and configurations.
  5. Hunt for signs of exploitation.
  6. Rotate credentials and secrets if the system may have been exposed.
  7. Treat any evidence of exploitation as an incident, not just a patching task.

This is exactly the type of case where vulnerability management⁠ needs to be driven by exploitability, asset criticality and exposure, not by CVSS alone.

What CVE-2026-20253 actually is

CVE-2026-20253 is a missing authentication vulnerability — CWE-306 — affecting an endpoint of the PostgreSQL sidecar service in Splunk Enterprise.

The official description matters. An unauthenticated remote attacker with network access to the vulnerable service may be able to perform arbitrary file creation or truncation on the Splunk server.

That may sound less dramatic than “remote code execution”, but it is the key to understanding the risk. In certain conditions, as public technical analysis has shown, arbitrary file write or truncation can be chained into remote code execution on the platform.

That distinction is important.

This is not simply “another RCE headline”. It is a critical unauthenticated weakness in a component of a security platform that can allow attackers to manipulate files on the system and potentially execute code in the Splunk context.

Affected and fixed versions

The affected versions are:

Splunk CVE affected versions

Key points:

  • Splunk Cloud Platform is not affected.
  • Splunk Enterprise 9.4 and earlier are not affected.
  • Splunk recommends upgrading to a fixed version.
  • If upgrading immediately is not possible, Splunk documents disabling the PostgreSQL sidecar as a mitigation, subject to functional impact.

CISA’s KEV listing changes the priority. This is no longer a vulnerability to “review when possible”. It is a vulnerability with evidence of active exploitation, and it should move to the front of the remediation queue. This is the same logic we explain in our analysis of KEV, EPSS and SSVC for prioritising exploitable vulnerabilities⁠.

Anatomy of the attack: from an unauthenticated endpoint to platform compromise

The exploitation chain does not need valid credentials. The main condition is that the vulnerable PostgreSQL sidecar service is reachable over the network.

At a high level, the attack relies on three ideas.

First, an endpoint in the PostgreSQL sidecar service does not properly enforce authentication for a critical function.

Second, that function can be abused to create or truncate files on the system.

Third, if an attacker can write to or modify relevant locations inside the Splunk environment, they may be able to alter how the platform behaves and, in certain conditions, achieve code execution under the Splunk service context.

This article does not need to become an exploitation guide. The business-relevant point is enough: an attacker may move from an unauthenticated function to file manipulation on a central security platform.

That changes the severity of the incident.

We are not talking about an isolated server. We are talking about a system that often receives logs from firewalls, endpoints, servers, applications, identity platforms and cloud services.

Why this is worse than an ordinary CVE

A critical flaw in an exposed web server is serious. A critical flaw in the SIEM is serious in a different way.

A SIEM typically has three characteristics that make it a very high-value target:

  • It has visibility across large parts of the organisation.
  • It processes sensitive logs, security events, usernames, IP addresses, internal paths, tokens and, in some cases, secrets accidentally exposed in logs.
  • It supports correlation rules, alerts, dashboards, integrations and investigation workflows.

If an attacker compromises that component, the impact may extend beyond the server itself.

They may try to access sensitive information in events. They may study how the organisation detects threats. They may modify scripts, apps or rules. They may reduce the visibility of the security team. And they may use the platform as a foothold to better understand the internal network.

The irony is obvious: the platform designed to help detect an intrusion can become part of the intrusion.

That does not mean Splunk is not a valid security tool. It means that any critical security platform must be treated as a high-risk asset, with the same discipline applied to hardening, segmentation, patching, monitoring and response as a domain controller, VPN gateway or EDR console.

Security tooling is also attack surface

This case fits a broader trend: attackers are not only targeting business applications. They are also targeting edge devices, management planes and security platforms.

As workstation defence has matured through EDR, MFA, application control and stronger detection, many threat actors have shifted attention towards assets that combine high value with operational exposure: VPNs, firewalls, administration consoles, monitoring systems, deployment tools and SIEM platforms.

The lesson is uncomfortable but necessary: the defensive stack itself is part of the attack surface⁠.

An organisation should not only ask whether it has SIEM, EDR, NDR or SOAR. It should also ask:

  • Are those platforms updated?
  • Are they exposed to networks they should not be exposed to?
  • Do they have MFA and strong access control?
  • Is their integrity monitored?
  • Are configuration changes reviewed?
  • Are outbound connections from those platforms logged?
  • Is there alternative visibility if the main detection platform is compromised?

This is part of a mature continuous threat exposure management⁠ approach: not merely listing vulnerabilities, but understanding which exposed assets are exploitable, critical and urgent.

Detection: what to look for now

If you run an affected version of Splunk Enterprise and cannot rule out exposure, hunt before assuming you are clean.

The following signals deserve immediate review:

Splunk CVE signals detection

Detection should not rely on a single indicator. A real attacker can change file names, paths and artefacts. What matters is behaviour: access to the vulnerable service, unexpected file writes, script modifications, process execution and outbound connections.

This is exactly where threat hunting⁠ adds value. The goal is not to wait for a generic alert, but to proactively search available telemetry for traces of a known technique.

Containment and remediation

The first priority is to update. In this case, there is no more important action.

1. Upgrade to a fixed version

Upgrade Splunk Enterprise to:

  • 10.0.7.
  • 10.2.4.
  • 10.4.0 or later.

The update should be treated as urgent if the system is running an affected version and the vulnerable service is reachable over the network.

2. Apply temporary mitigation if you cannot patch immediately

If immediate upgrading is not possible, Splunk documents disabling the PostgreSQL sidecar service as a mitigation. This must be assessed carefully because it may affect functionality that depends on that component.

Mitigation is not a replacement for patching. It only reduces exposure while the upgrade is completed.

3. Restrict network exposure

The service should not be reachable from the internet or from unnecessary network segments.

Review:

  • Management-plane segmentation.
  • Firewall rules.
  • Access from user networks.
  • Access from providers, VPNs or administrative jump hosts.
  • Accidental exposure in cloud or hybrid environments.

A proper infrastructure and network security audit⁠ helps identify exactly this kind of exposed management surface.

4. Validate platform integrity

After patching, check that the platform has not been modified.

Review:

  • Installed apps.
  • Internal and custom scripts.
  • Saved searches.
  • Alerts.
  • Inputs.
  • Outputs.
  • Integrations.
  • Configured credentials and tokens.
  • Recent changes to critical files.

If an attacker may have had file write or truncation capability, updating alone is not enough. You need to verify that no persistent or stealthy modifications remain.

5. Rotate secrets and credentials

If the system was exposed, treat secrets accessible from Splunk as potentially compromised.

This may include:

  • Integration tokens.
  • API credentials.
  • Service accounts.
  • Credentials stored in scripts.
  • Secrets accidentally exposed in logs.
  • Administrative credentials used by the platform.

Credential rotation should be coordinated across systems, cloud, security and identity teams.

6. Trigger incident response if there are signs of compromise

If evidence of exploitation appears, the task is no longer “patch Splunk”. It becomes an incident.

That means:

  • Containment.
  • Evidence preservation.
  • Forensic analysis.
  • Integrity review.
  • Persistence hunting.
  • Review of follow-on access.
  • Credential rotation.
  • Internal communication.
  • Impact documentation.
  • Lessons learned.

An incident response service⁠ or an incident response retainer⁠ can be the difference between a fast containment exercise and a prolonged breach.

What this changes for SOC, SIEM and managed detection

CVE-2026-20253 forces an uncomfortable but healthy idea: the SIEM itself must be monitored.

A SIEM⁠ should not be excluded from the detection model just because it is the detection tool. The more critical it is to the organisation’s visibility, the more important it becomes to monitor its integrity.

In practice, a SOC should monitor:

  • Administrative access to the platform.
  • Changes to rules, alerts, dashboards and saved searches.
  • Installation or modification of apps.
  • Script execution.
  • Configuration changes.
  • Outbound connections from the SIEM server.
  • Creation or modification of users.
  • Changes to integrations.
  • Use of credentials or tokens.
  • Health and status of critical service components.

A managed SOC⁠ should be able to correlate this telemetry with threat intelligence, vulnerability management and real exposure. It is not enough to know that a CVE exists. You need to know whether the asset exists, whether it is exposed, whether it is vulnerable, whether a public PoC exists, whether it is in KEV and whether there are signs of exploitation.

This case also reinforces the value of EDR, XDR and MDR⁠: detection should not depend on a single source, especially when that source may itself become the target.

Relationship with identity, Active Directory and lateral movement

Although CVE-2026-20253 affects Splunk, the potential impact does not necessarily stop at Splunk.

Many modern intrusions follow a familiar pattern: compromise an initial asset, look for credentials, understand the network, reach identity systems and move towards critical systems. If the SIEM contains logs with usernames, internal paths, authentication failures, tokens, accidentally exposed credentials or integration details, it can become a valuable intelligence source for an attacker.

After a suspected compromise, teams should review:

  • Follow-on access from the Splunk server.
  • Authentication against Active Directory.
  • Use of service accounts.
  • Unusual LDAP queries.
  • Access to domain controllers.
  • Lateral movement from or towards the platform.

In hybrid environments, this review should connect with known hybrid Active Directory attack paths⁠ and the organisation’s identity and Zero Trust posture⁠.

Compliance implications: NIS2, DORA and ENS

This case has a clear compliance reading.

For organisations within the scope of NIS2⁠, vulnerability management, timely patching, access control, detection and incident response are not optional recommendations. They are technical and organisational measures that need to be demonstrable.

A compromise of the SIEM can affect the ability to detect, investigate and report incidents. If the incident has significant impact, it may also trigger escalation and notification obligations.

Under DORA⁠, a security observability platform may be a critical ICT asset. If it is deployed internally, it falls within the digital operational resilience framework. If it forms part of a service delivered by a third party, it may also have implications for ICT third-party risk management.

Under Spain’s ENS⁠, traceability, monitoring, vulnerability management and incident response are essential to reconstruct what happened and demonstrate operational control.

The regulatory lesson is simple: having a SIEM is not enough to prove that monitoring is effective. The SIEM itself must be protected, updated, supervised and included in the response plan.

For organisations working across several frameworks, it may also be useful to review the relationship between ENS, ISO 27001, NIS2 and DORA⁠.

What security teams should review now

If your organisation uses Splunk Enterprise, these are the questions to answer today:

  1. Are we running an affected version of Splunk Enterprise?
  2. Are we using Splunk Cloud Platform or self-managed Splunk Enterprise?
  3. Is the PostgreSQL sidecar service present?
  4. Is it reachable from unnecessary networks?
  5. Is there any exposure from the internet or broad internal segments?
  6. Have we upgraded to 10.0.7, 10.2.4, 10.4.0 or later?
  7. Do we have an inventory of apps, scripts, saved searches and integrations?
  8. Can we detect unauthorised modification of the platform?
  9. Are there anomalous outbound connections from the Splunk server?
  10. Have credentials, tokens and secrets accessible from the platform been reviewed?
  11. Do we have alternative telemetry if the SIEM is compromised?
  12. Does the incident response plan account for the detection platform itself being affected?

These questions can be addressed through a cybersecurity audit⁠, a security posture⁠ review or an attack surface management⁠ programme.

The uncomfortable lesson

The question raised by CVE-2026-20253 is not whether you trust Splunk. Many organisations trust Splunk because it is a powerful and critical part of their security operation.

The real questions are different.

Have you reduced the exposure of your security tools? Can you detect if someone tampers with them? Does your response plan account for the possibility that the compromised component is the very platform used to monitor everything else?

The defensive stack is critical infrastructure. SIEM, EDR, NDR, SOAR, cloud consoles, management platforms and deployment tools must be part of the critical asset inventory, the patching programme, exposure management and resilience testing.

Threat-modelling your own security tooling is no longer an eccentric exercise. It is basic hygiene.

Would your organisation know if its SIEM was exposed or tampered with?

Hard2bit helps organisations improve real detection, response and resilience against critical vulnerabilities, active exploitation and compromise of security platforms.

We can support you with:

If you want to review whether your security platforms are properly protected, updated and monitored, contact the Hard2bit team through our contact page⁠.

Recommended sources

  • Splunk Advisory SVD-2026-0603: CVE-2026-20253
    https://advisory.splunk.com/advisories/SVD-2026-0603
  • CISA: CVE-2026-20253 added to the KEV catalogue
    https://www.cisa.gov/news-events/alerts/2026/06/18/cisa-adds-one-known-exploited-vulnerability-catalog
  • INCIBE-CERT: unauthenticated arbitrary file creation and truncation in Splunk Enterprise
    https://www.incibe.es/incibe-cert/alerta-temprana/avisos/creacion-y-truncado-arbitrario-de-archivos-sin-autenticacion-en-enterprise-de
  • watchTowr Labs: technical analysis of CVE-2026-20253
    https://labs.watchtowr.com/why-use-app-level-auth-when-every-database-has-auth-splunk-enterprise-cve-2026-20253-pre-auth-rce/
  • watchTowr Labs GitHub: public detector / PoC
    https://github.com/watchtowrlabs/watchTowr-vs-Splunk-CVE-2026-20253

Frequently asked questions

Which versions of Splunk Enterprise are affected by CVE-2026-20253?

Versions 10.0.0 to 10.0.6 and 10.2.0 to 10.2.3. Splunk fixed the flaw in versions 10.0.7, 10.2.4 and 10.4.0; any deployment below those versions with the PostgreSQL sidecar service reachable falls within the affected range.

Is this vulnerability really being exploited?

Yes. Splunk has confirmed limited exploitation in the wild and CISA added it to its Known Exploited Vulnerabilities (KEV) catalogue on 18 June 2026, with a 21 June remediation deadline for US federal civilian agencies. Public proof-of-concept code also exists.

Does it also affect Splunk Cloud?

The advisory concerns Splunk Enterprise in self-managed deployments. In vendor-managed services, Splunk applies the patch itself; the prudent course is to confirm your version and remediation status through your service agreement rather than assuming it is handled.

If I cannot patch today, what can I do?

The vendor confirms that disabling the PostgreSQL sidecar service mitigates the risk, although it affects certain functionality. In addition, restrict the service's network exposure so it is not reachable from the internet, and monitor for indicators of compromise while you plan the upgrade.

How do I know whether I have been compromised?

Look for the watchTowr.txt marker file, modified Splunk Python scripts (especially in the splunk_secure_gateway app), new files in paths such as /tmp/ or /opt/splunk/var/run/supervisor/pkg-run/, outbound connections to unknown PostgreSQL servers, and anomalous access to the recovery endpoint.

Why is a flaw in the security tool itself so serious?

Because the SIEM runs with privileges, concentrates the logs of the whole organisation (sometimes including credentials) and is the source of alerts. Whoever controls it can read your detections, extract sensitive data and silence the warnings that should expose them.

Does this fall within the scope of NIS2 or DORA?

Yes. Under NIS2, vulnerability management and patching are required measures and a compromise can trigger incident notification. Under DORA, the SIEM is a critical ICT asset that must appear in the register of information and in resilience testing.

Do I need to rotate credentials even after patching?

If the system was exposed before the patch was applied, yes. Remote code execution allows an attacker to read or steal credentials accessible from the host, so the prudent step is to rotate them and treat the system as a potential compromise until you can rule it out.