CISA: Splunk Enterprise flaw actively exploited, patch by Sunday

CISA has ordered federal agencies to patch a critical Splunk Enterprise flaw, CVE-2026-20253, after confirming it is being actively exploited in attacks. The vulnerability affects multiple Splunk Enterprise versions and can enable unauthorized file operations and potentially remote code execution, prompting urgent fixes and mitigation guidance from Splunk and CISA.

Key points

  • CVE-2026-20253 affects Splunk Enterprise versions 10.2.0 to 10.2.3 and 10.0.0 to 10.0.6.
  • The flaw allows unauthenticated attackers to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint.
  • WatchTowr published proof-of-concept exploit code and warned of possible remote code execution.
  • Splunk confirmed limited in-the-wild exploitation and urged customers to upgrade immediately.
  • CISA ordered FCEB agencies to patch by Sunday under Binding Operational Directive 26-04.

Read More: https://www.bleepingcomputer.com/news/security/cisa-splunk-enterprise-flaw-actively-exploited-patch-by-sunday/