Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
14JUL

Splunk lands its first-ever KEV entry

3 min read
08:46UTC

CISA listed CVE-2026-20253 on 18 June, the first Splunk flaw ever added to the KEV catalogue. Splunk confirmed active exploitation the same day.

TechnologyDeveloping
Key takeaway

Corrupting the detector that security teams rely on outranks compromising one more edge device.

CISA added CVE-2026-20253 to the KEV (Known Exploited Vulnerabilities) catalogue on 18 June with a 21 June federal deadline 1. It is the first flaw in Splunk Enterprise ever to reach the catalogue. CISA's KEV list flags vulnerabilities confirmed as actively exploited; Splunk had never featured before. The bug is an unauthenticated missing-authentication flaw in a PostgreSQL (an open-source database) sidecar service, and it lets an attacker on the network create or truncate arbitrary files without logging in 2. WatchTowr Labs, a Singapore-based offensive research firm, published a working exploit and chained it into pre-auth RCE (Remote Code Execution). Splunk patched on 10 June in versions 10.2.4 and 10.0.7, then confirmed active exploitation eight days later 3.

Most KEV entries this year have been perimeter boxes: firewalls, VPN gateways, edge appliances. Splunk is different. It is the SIEM (Security Information and Event Management) platform that most large SOCs (security operations centres) run to see attacks at all. An intruder who can truncate Splunk's index and alert files before the main intrusion holds a detection-evasion primitive built into the tool defenders watch through. The alarm can be silenced from inside the alarm system before anyone trips it.

The same logic ran through CL-STA-1132, the state-sponsored cluster that destroyed PAN-OS forensic logs to erase its own tracks . Blind the defender, then move. May's Patch Tuesday shipped 120 fixes with no zero-days and read, briefly, like calm . June then produced six Microsoft zero-days and the first Splunk KEV inside a single fortnight, and the position of this one in the kill chain is what marks it out. A perimeter zero-day grants entry; an unauthenticated write on the SIEM grants invisibility, which is worth more to a patient intruder than another foothold.

Deep Analysis

In plain English

Most large organisations use Splunk Enterprise to watch for cyberattacks: it collects log data from thousands of systems and triggers alerts when something suspicious appears. Think of it as the CCTV control room for an organisation's entire digital estate. CVE-2026-20253 is a flaw in a background database process that Splunk runs alongside its main service. An attacker who can reach the network does not need a username or password to exploit it. By writing a malicious file to the right folder, they can force Splunk to load attacker-controlled code when it restarts, blinding the security team's own detection system. CISA added CVE-2026-20253 to its mandatory-patch list on 18 June 2026 with a three-day federal deadline. If your organisation runs Splunk Enterprise on-premises and has not applied the patch shipped on 10 June, treat this as critical.

Deep Analysis
Root Causes

Splunk Enterprise's PostgreSQL sidecar inherits the SIEM's privilege model without the SIEM's security scrutiny. Large enterprise products frequently bundle third-party data services as convenience sidecar processes; these sidecars receive less security review than the primary application and run under the same service account, creating a privilege escalation bridge that bypasses the primary application's authentication layer entirely.

WatchTowr published a working RCE chain for CVE-2026-20253 before CISA listed the CVE on 18 June and before most patch deployment cycles could respond. At 8 days from patch to confirmed exploitation, federal agencies that patched on day 3 still faced active threats from the 5-day window before the KEV listing, a gap the 3-day BOD 26-04 classification cannot close retrospectively.

What could happen next?
  • Risk

    An attacker who compromises Splunk via CVE-2026-20253 can suppress, falsify, or exfiltrate the log pipeline that security teams rely on to detect all other attacks across the estate, creating a detection blind spot that compounds every subsequent incident.

    Immediate · Assessed
  • Consequence

    Cyber insurers who list Splunk as a compensating control for SOC coverage in policy renewals will query whether the control was operative between patch availability (10 June) and confirmed exploitation confirmation (18 June), potentially affecting claims filed for incidents in that window.

    Short term · Reported
  • Opportunity

    Organisations using on-premises Splunk Enterprise now have a documented architectural reason to evaluate migration to Splunk Cloud or to mandate PostgreSQL sidecar network isolation as a configuration baseline, a change that reduces the attack surface regardless of future CVEs in the same component.

    Medium term · Suggested
First Reported In

Update #8 · CISA tears up the KEV deadline rulebook

BleepingComputer· 24 Jun 2026
Read original
Causes and effects
This Event
Splunk lands its first-ever KEV entry
An unauthenticated file-write on the SIEM most large security teams watch through turns the detection platform itself into a hiding place.
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.