Critical Splunk Enterprise Vulnerability Enables Unauthenticated Remote Code Execution
- Jun 13
- 2 min read
Key Findings
Critical vulnerability CVE-2026-20253 in Splunk Enterprise rated 9.8 on CVSS scale allows unauthenticated remote code execution
Flaw exists in PostgreSQL sidecar service endpoint lacking authentication controls on versions below 10.0.7 and 10.2.4
Attackers can exploit /v1/postgres/recovery/backup and /v1/postgres/recovery/restore endpoints to write arbitrary files and execute malicious code
Splunk Cloud unaffected; Splunk Enterprise 10.4 not vulnerable
No evidence of active exploitation yet, but technical details released increase risk of opportunistic attacks
Background
Splunk Enterprise is a widely-deployed data platform used by organizations for log aggregation, monitoring, and security analytics. The company, now part of Cisco, recently discovered a critical flaw in its core product that fundamentally undermines security by allowing anyone with network access to execute commands without authentication. The vulnerability affects Splunk Enterprise versions 10.0.0 through 10.0.6 and 10.2.0 through 10.2.3, with fixes released in versions 10.0.7 and 10.2.4 respectively.
How the Attack Works
The exploitation chain begins with an attacker connecting to an attacker-controlled database and dumping its contents to an arbitrary file using the /backup endpoint. This creates a malicious database dump that serves as the attack payload. The attacker then uses the /restore endpoint to load this dump into Splunk's local PostgreSQL instance by specifying a passfile argument pointing to the postgres_admin credentials file.
Once the malicious database dump is restored, SQL queries embedded within it execute automatically on Splunk's PostgreSQL instance. The attacker weaponizes this by defining a custom function using lo_export, a PostgreSQL function designed to extract data from the database and write it to the file system. This gives the attacker an arbitrary file write primitive on the Splunk server.
Path to Remote Code Execution
With the ability to write files anywhere on the Splunk system, attackers escalate to full remote code execution by overwriting Python scripts that Splunk regularly executes. A prime target is /opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py. By replacing this script with malicious code, attackers gain command execution with Splunk's privileges whenever the script runs.
Security researchers from watchTowr Labs who disclosed the technical details demonstrated creating a database dump template that provides controlled file write capabilities. The entire attack requires no authentication and can be executed remotely from any system with network access to the vulnerable endpoint.
Affected Versions and Patches
Splunk Enterprise 10.0.0 to 10.0.6 requires upgrade to 10.0.7
Splunk Enterprise 10.2.0 to 10.2.3 requires upgrade to 10.2.4
Splunk Enterprise 10.4 is not vulnerable
Splunk Cloud deployments are not affected due to architectural differences in how PostgreSQL is deployed
Urgency for Organizations
While there has been no confirmed exploitation in the wild, the detailed technical information released by security researchers significantly increases the likelihood of threat actors attempting exploitation. The unauthenticated nature of the attack and its severity make patching an immediate priority for any organization running vulnerable Splunk Enterprise instances. Organizations should treat this as a critical security incident requiring swift remediation across all affected deployments.
Sources
https://thehackernews.com/2026/06/critical-splunk-enterprise-flaw-lets.html
https://www.linkedin.com/posts/netmanageit_critical-splunk-enterprise-flaw-lets-attackers-activity-7471554642238197761-1s42
https://www.socdefenders.ai/item/39fd80f0-b5e7-4aad-ba12-b1c208076a03
https://x.com/TheCyberSecHub/status/2065792606316183693

Comments