A critical vulnerability in many versions of Splunk Enterprise lets “any network-reachable user invoke file operations without credentials.”
It’s now being exploited in the wild, CISA confirmed today (June 18).
The SIEM/security log vendor – bought by Cisco for $28 billion in 2024 – assigned the vulnerability CVE-2026-20253 (CVSS 9.8) on June 10.
The bug does NOT affect Splunk Cloud (e.g. Splunk on AWS), it said in a security advisory update on June 12, contrary to its initial June 10 report.
The bug is due to a PostgreSQL sidecar service endpoint that “lacks authentication controls.” PostgreSQL sidecars are not used in Splunk Cloud.
The vulnerable sidecar in question is used for enhanced data management in Splunk Enterprise.
Reversing the patch, the perennially hyperactive attack surface management firm watchTowr commented on June 12: “Why does Splunk appear to accept literally any username in the Authorization header? Because, naturally, Splunk has decided that authentication is somebody else's problem…”
Former watchTowr threat intelligence lead Ryan Dewhurst, now running KEVIntel, said his honeypots were showing exploitation efforts from June 16.
He said: “if you cannot immediately upgrade to a fixed version, you can mitigate this vulnerability by disabling the PostgreSQL sidecar service.”
Splunk Enterprise is used to collate logs and data from every corner of IT estates. ("Collect and ingest data from thousands of sources and counting, all at terabyte scale", boasts Splunk.)
Compromising that kind of environment would be enticing for attackers.
Exposing the Splunk Enterprise admin interface (by default, Splunk Web on port 8000 of the host it is installed on) directly to the public internet is a severe security risk and violates basic security practices.
As Splunk advises in its documentation for the product: "Where possible, use a firewall to restrict access to Splunk Web, management, and data ingestion ports. Keep Splunk Enterprise components inside that network firewall.
"Where possible, have any remote Splunk Enterprise users access the deployment through a virtual private network."
Its installation guidelines encourage users to "protect Splunk Enterprise from physical and network attacks in the following ways:
- Restrict CLI security by restricting this port to local calls only, from behind a host firewall.
- Unless necessary, do not allow access to forwarders on any network port. Additionally, you can enable enhanced forwarder management network port protection. See Configure universal forwarder management security.
- Where applicable, enable TLS certificate host name validation between individual machines in a Splunk Enterprise deployment. See Configure TLS certificate host name validation for secured connections between Splunk software components.
- Install Splunk Enterprise on an isolated network segment that only trustworthy machines can access."
Users should upgrade Splunk Enterprise to versions 10.4.0, 10.2.4 and 10.0.7, or higher. Splunk Enterprise versions 9.4 and earlier are not affected. CISA's advisory, as ever, was threadbare, and The Stack could not immediately confirm how many Splunk Enterprise instances were publicly exposed.
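The branch-specific fixed versions above are easy to misread when triaging a fleet (10.0.7 is fixed but 10.1.x is not, and 9.4.x needs no action at all). The following script, added here as an illustration and not Splunk's or CISA's own tooling, encodes the article's version statements as a check that can be run over an inventory of host-to-version pairs. The hostnames and versions in the sample inventory are constructed, and one assumption is labelled in the code: any release later than 9.4 that the article does not name as fixed (for example 9.5.x, 10.1.x or 10.3.x) is treated as affected, with 10.4.0 as the nearest fixed release.

```python
import re

# Fixed releases named in the article: 10.4.0, 10.2.4 and 10.0.7 "or higher".
# Maintenance branches that received a backported fix, keyed by (major, minor).
FIXED_IN_BRANCH = {
    (10, 0): (10, 0, 7),
    (10, 2): (10, 2, 4),
}
FIXED_FROM = (10, 4, 0)          # 10.4.0 and every later release are fixed
LAST_UNAFFECTED_MINOR = (9, 4)   # article: 9.4 and earlier are not affected


def parse_version(text):
    """Turn '10.2.4' (or '10.2') into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised Splunk Enterprise version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def fmt(v):
    return ".".join(str(n) for n in v)


def assess(version):
    """Return (status, target): status is 'not affected', 'fixed' or
    'vulnerable'; target is the release to upgrade to, or None."""
    v = parse_version(version)
    if v[:2] <= LAST_UNAFFECTED_MINOR:
        return ("not affected", None)
    if v >= FIXED_FROM:
        return ("fixed", None)
    branch_fix = FIXED_IN_BRANCH.get(v[:2])
    if branch_fix is not None:
        if v >= branch_fix:
            return ("fixed", None)
        return ("vulnerable", fmt(branch_fix))
    # Assumption (not stated in the article): any other release above 9.4 that
    # predates 10.4.0, e.g. 9.5.x, 10.1.x or 10.3.x, is treated as affected and
    # pointed at 10.4.0 as the nearest fixed release.
    return ("vulnerable", fmt(FIXED_FROM))


def triage(inventory):
    """Map each host to its assessment; inventory is {hostname: version}."""
    return {host: assess(ver) for host, ver in inventory.items()}


def hosts_needing_upgrade(inventory):
    """Sorted hostnames whose installed release is still affected."""
    return sorted(h for h, (status, _) in triage(inventory).items()
                  if status == "vulnerable")


# Constructed sample inventory: hostnames and versions invented for illustration.
SAMPLE_INVENTORY = {
    "splunk-sh-01": "10.2.3",
    "splunk-idx-01": "10.0.7",
    "splunk-idx-02": "10.3.1",
    "splunk-legacy": "9.4.2",
}

if __name__ == "__main__":
    for host, (status, target) in triage(SAMPLE_INVENTORY).items():
        line = f"{host:15} {SAMPLE_INVENTORY[host]:8} {status}"
        if target:
            line += f" -> upgrade to {target}"
        print(line)
```

In practice the inventory would be populated from whatever asset source already records installed Splunk versions; the point of keeping the branch table explicit is that a host on 10.3.1 is flagged even though it is "newer" than the fixed 10.2.4, which a naive greater-than comparison against a single version would miss.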