Splunk Under Attack: CVE-2026-20253 with CVSS 9.8 Becomes SOC's Nightmare After CISA Deadline Expires

Pre-authentication flaw in the PostgreSQL sidecar of Splunk Enterprise is being exploited in attacks. CISA's deadline expired on Sunday, June 21, and the watchTowr exploit is already in circulation.
The deadline set by the Cybersecurity and Infrastructure Security Agency (CISA) for U.S. federal agencies to patch CVE-2026-20253 in Splunk Enterprise expired on Sunday, June 21, 2026. The vulnerability, with a CVSS score of 9.8, allows for arbitrary file creation and truncation via the PostgreSQL sidecar service endpoint without any authentication. When chained with the lo_export primitive of PostgreSQL, it turns into remote code execution (RCE) with Splunk user privileges on any exposed instance.
CISA added the bug to the Known Exploited Vulnerabilities (KEV) catalog on June 18, citing confirmed in-the-wild exploitation and provided only three days for mitigation—a timeframe shorter than the standard two-week period outlined in the Binding Operational Directive 22-01. Splunk had released patches on June 10, but the adoption rate was slow until watchTowr Labs published a functional proof of concept on June 12. Following that, Resecurity's Threat Intel teams reported massive scans and large-scale exploitation attempts.
Where the Flaw Lies
The vulnerable endpoint is part of the PostgreSQL service that handles backup and recovery of Splunk's internal database. According to official notice SVD-2026-0603, versions 10.2.0 to 10.2.3 and 10.0.0 to 10.0.6 are exposed; the fixes are in builds 10.4.0, 10.2.4, and 10.0.7. "Why use application-level authentication when the whole database already has its own?" quipped watchTowr in their technical write-up, describing the lack of checks as an architectural oversight that persisted up to version 10.
The PostgreSQL sidecar can be disabled as a temporary mitigation, but Splunk warns that backup features become unavailable. For Splunk Cloud customers, the company claims to have applied the patch automatically.
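For teams triaging this in the window before the upgrade lands, two quick checks follow from the paragraphs above: is the running build inside the ranges the advisory lists, and does the sidecar's PostgreSQL statement log show calls to the lo_export primitive the RCE chain relies on. The script below is an added example written for this article and is not code from Splunk, watchTowr, Resecurity or the article's author. The affected and fixed version numbers are exactly those the page attributes to SVD-2026-0603; the log lines are constructed to resemble PostgreSQL statement logging (log_statement = 'all') and a real deployment's log_line_prefix may differ, so the line regex is an assumption to adjust.

```python
"""Defender triage helpers for CVE-2026-20253 (Splunk Enterprise PostgreSQL sidecar).

Added example, not code from Splunk, watchTowr, Resecurity or the article.
Assumptions:
  * Affected / fixed version ranges are taken from the article's summary
    of SVD-2026-0603 (10.2.0-10.2.3 and 10.0.0-10.0.6 affected; fixed in
    10.4.0, 10.2.4, 10.0.7). Versions the page does not list are simply
    reported as "not in a listed range", not as safe.
  * SAMPLE_LOG is constructed to look like PostgreSQL statement logging;
    real log_line_prefix settings vary, so LOG_LINE is an assumption.
"""
import re

# Inclusive (low, high) tuples as stated on the page.
AFFECTED_RANGES = [
    ((10, 2, 0), (10, 2, 3)),
    ((10, 0, 0), (10, 0, 6)),
]

# Constructed sample: a mix of ordinary sidecar traffic and two lo_export calls.
SAMPLE_LOG = """\
2026-06-20 09:12:01.004 UTC [4182] LOG:  statement: SELECT count(*) FROM backup_meta
2026-06-20 09:12:03.118 UTC [4182] LOG:  statement: BEGIN
2026-06-20 09:12:03.120 UTC [4190] LOG:  statement: SELECT lo_export(16401, '/tmp/exported.bin')
2026-06-20 09:12:05.551 UTC [4190] LOG:  statement: COMMIT
2026-06-20 09:12:07.000 UTC [4201] LOG:  statement: select LO_EXPORT(16402, '/var/tmp/example.dat')
""".splitlines()

# Assumed PostgreSQL log shape: "<date> <time> <tz> [<pid>] LOG:  statement: <sql>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<level>[A-Z]+):\s+statement: (?P<stmt>.*)$"
)
# Server-side large-object export, the primitive named in the RCE chain.
LO_EXPORT_CALL = re.compile(r"\blo_export\s*\(", re.IGNORECASE)


def parse_version(text):
    """Turn '10.2.3' into (10, 2, 3); rejects anything that is not x.y.z."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised Splunk version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True when the version falls inside a range the advisory summary lists."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def find_lo_export_statements(lines):
    """Return every parsed statement-log entry whose SQL invokes lo_export()."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a statement line (or a prefix format we don't parse)
        stmt = m.group("stmt")
        if LO_EXPORT_CALL.search(stmt):
            hits.append({"ts": m.group("ts"), "pid": int(m.group("pid")), "statement": stmt})
    return hits


def triage(version, log_lines):
    """Combine both checks into one summary for a single host."""
    hits = find_lo_export_statements(log_lines)
    return {
        "version": version,
        "in_affected_range": is_affected(version),
        "lo_export_calls": len(hits),
        "needs_attention": is_affected(version) or bool(hits),
    }


if __name__ == "__main__":
    summary = triage("10.2.3", SAMPLE_LOG)
    print(summary)
    for hit in find_lo_export_statements(SAMPLE_LOG):
        print(f"{hit['ts']} pid={hit['pid']}: {hit['statement']}")
```

A lo_export hit is not proof of compromise on its own, since legitimate backup tooling can use large objects; it is a prompt to check who issued the statement, from which client, and whether the target path belongs to the sidecar. An unpatched version with zero hits is still an upgrade item, because statement logging is frequently off by default and the flaw's file creation itself happens at the sidecar endpoint, not in the SQL log.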
The Target is the Heart of the SOC
Unlike a common endpoint flaw, this RCE hits the Security Operations Center. Splunk is the SIEM engine in more than half of the Fortune 500 financial institutions and in telecom carriers across virtually all markets that matter to the European and Asian B2B sectors. Compromising Splunk not only allows code execution but can erase audit trails, alter detection rules, and blind the incident response team during the next attack.
For Caitlin Condon, head of vulnerability research at Rapid7, the scenario is especially dangerous when the attacker is already inside the perimeter. "Pre-authentication is the worst case, but the real impact is on those who use Splunk as a linchpin of forensic reliability. If the SIEM goes down, the investigation follows suit," she stated in an interview published by Help Net Security on June 19.
Cross-Reading: What Changes for CIOs and CISOs Beyond the U.S.
The KEV catalog from CISA only mandates U.S. federal agencies, but it serves as a global signal. In the UK, the NCSC typically aligns equivalent alerts within 48 hours, and critical infrastructure operators in Germany must report mitigations to the BSI under NIS2. Brazilian banks running Splunk on-prem for fraud monitoring operations face the same scenario, exacerbated by the fact that Brazil lacks federal regulatory requirements for patching timelines for critical assets outside the scope of Central Bank Resolution 4,893, which only covers supervised financial institutions.
In India, where Tata Consultancy Services and Infosys operate managed SOCs for a significant portion of the Fortune 500, the exposure window is particularly sensitive: previous reports from Recorded Future indicate that Indian delivery centers host a substantial number of Splunk Enterprise instances running for Western clients. A compromise there means lateral exposure for dozens of organizations simultaneously.
What to Expect in the Coming Days
The combination of a public exploit, low friction for exploitation, and a strategically high-value asset points to escalation. Banks and cloud operators that have yet to apply the patch enter this week with an elevated risk of discovering retroactive intrusions instead of blocking ongoing attacks. The question for the CISO is not whether the system has been scanned in the last 72 hours, but whether the scan has turned into a foothold before the upgrade arrives.