top of page

Critical Splunk Enterprise Vulnerability Enables Unauthenticated Remote Code Execution

  • Jun 13
  • 2 min read

Key Findings


  • Critical vulnerability CVE-2026-20253 in Splunk Enterprise rated 9.8 on CVSS scale allows unauthenticated remote code execution

  • Flaw exists in PostgreSQL sidecar service endpoint lacking authentication controls on versions below 10.0.7 and 10.2.4

  • Attackers can exploit /v1/postgres/recovery/backup and /v1/postgres/recovery/restore endpoints to write arbitrary files and execute malicious code

  • Splunk Cloud unaffected; Splunk Enterprise 10.4 not vulnerable

  • No evidence of active exploitation yet, but technical details released increase risk of opportunistic attacks


Background


Splunk Enterprise is a widely-deployed data platform used by organizations for log aggregation, monitoring, and security analytics. The company, now part of Cisco, recently discovered a critical flaw in its core product that fundamentally undermines security by allowing anyone with network access to execute commands without authentication. The vulnerability affects Splunk Enterprise versions 10.0.0 through 10.0.6 and 10.2.0 through 10.2.3, with fixes released in versions 10.0.7 and 10.2.4 respectively.


How the Attack Works


The exploitation chain begins with an attacker connecting to an attacker-controlled database and dumping its contents to an arbitrary file using the /backup endpoint. This creates a malicious database dump that serves as the attack payload. The attacker then uses the /restore endpoint to load this dump into Splunk's local PostgreSQL instance by specifying a passfile argument pointing to the postgres_admin credentials file.


Once the malicious database dump is restored, SQL queries embedded within it execute automatically on Splunk's PostgreSQL instance. The attacker weaponizes this by defining a custom function using lo_export, a PostgreSQL function designed to extract data from the database and write it to the file system. This gives the attacker an arbitrary file write primitive on the Splunk server.


Path to Remote Code Execution


With the ability to write files anywhere on the Splunk system, attackers escalate to full remote code execution by overwriting Python scripts that Splunk regularly executes. A prime target is /opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py. By replacing this script with malicious code, attackers gain command execution with Splunk's privileges whenever the script runs.


Security researchers from watchTowr Labs who disclosed the technical details demonstrated creating a database dump template that provides controlled file write capabilities. The entire attack requires no authentication and can be executed remotely from any system with network access to the vulnerable endpoint.


Affected Versions and Patches


  • Splunk Enterprise 10.0.0 to 10.0.6 requires upgrade to 10.0.7

  • Splunk Enterprise 10.2.0 to 10.2.3 requires upgrade to 10.2.4

  • Splunk Enterprise 10.4 is not vulnerable

  • Splunk Cloud deployments are not affected due to architectural differences in how PostgreSQL is deployed


Urgency for Organizations


While there has been no confirmed exploitation in the wild, the detailed technical information released by security researchers significantly increases the likelihood of threat actors attempting exploitation. The unauthenticated nature of the attack and its severity make patching an immediate priority for any organization running vulnerable Splunk Enterprise instances. Organizations should treat this as a critical security incident requiring swift remediation across all affected deployments.


Sources


  • https://thehackernews.com/2026/06/critical-splunk-enterprise-flaw-lets.html

  • https://www.linkedin.com/posts/netmanageit_critical-splunk-enterprise-flaw-lets-attackers-activity-7471554642238197761-1s42

  • https://www.socdefenders.ai/item/39fd80f0-b5e7-4aad-ba12-b1c208076a03

  • https://x.com/TheCyberSecHub/status/2065792606316183693

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page