CISA added CVE-2026-20253 to the KEV (Known Exploited Vulnerabilities) catalogue on 18 June with a 21 June federal deadline 1. It is the first flaw in Splunk Enterprise ever to reach the catalogue. CISA's KEV list flags vulnerabilities confirmed as actively exploited; Splunk had never featured before. The bug is an unauthenticated missing-authentication flaw in a PostgreSQL (an open-source database) sidecar service, and it lets an attacker on the network create or truncate arbitrary files without logging in 2. WatchTowr Labs, a Singapore-based offensive research firm, published a working exploit and chained it into pre-auth RCE (Remote Code Execution). Splunk patched on 10 June in versions 10.2.4 and 10.0.7, then confirmed active exploitation eight days later 3.
Most KEV entries this year have been perimeter boxes: firewalls, VPN gateways, edge appliances. Splunk is different. It is the SIEM (Security Information and Event Management) platform that most large SOCs (security operations centres) run to see attacks at all. An intruder who can truncate Splunk's index and alert files before the main intrusion holds a detection-evasion primitive built into the tool defenders watch through. The alarm can be silenced from inside the alarm system before anyone trips it.
The same logic ran through CL-STA-1132, the state-sponsored cluster that destroyed PAN-OS forensic logs to erase its own tracks . Blind the defender, then move. May's Patch Tuesday shipped 120 fixes with no zero-days and read, briefly, like calm . June then produced six Microsoft zero-days and the first Splunk KEV inside a single fortnight, and the position of this one in the kill chain is what marks it out. A perimeter zero-day grants entry; an unauthenticated write on the SIEM grants invisibility, which is worth more to a patient intruder than another foothold.
