
Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication

The Hacker News, 13/06/2026, 13:23

Summary (AI-generated)

Key Points:

  • A critical vulnerability (CVE-2026-20253) in Splunk Enterprise allows unauthenticated users to perform file operations and achieve remote code execution.
  • The flaw affects Splunk Enterprise versions below 10.2.4 and 10.0.7, enabling attackers to exploit PostgreSQL sidecar service endpoints for arbitrary file writes, potentially leading to code execution.
  • Immediate action is required: users should update to the latest versions of Splunk Enterprise to mitigate this risk.

Technical Details: CVE-2026-20253 has a CVSS score of 9.8, indicating critical severity. The vulnerability is reachable through two PostgreSQL sidecar endpoints ("/v1/postgres/recovery/backup" and "/v1/postgres/recovery/restore"); an unauthenticated attacker can use them to overwrite critical Python scripts and thereby execute arbitrary code.
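Two things a defender wants from a summary like this are a quick answer to "is my instance in the affected range?" and a way to spot requests to the named endpoints in web access logs. The block below is an added example, not code from the article or from Splunk. It assumes the fixed versions 10.2.4 and 10.0.7 apply per release branch (10.2.x and 10.0.x respectively) and returns None for any other branch, since the summary says nothing about them; the access-log lines are constructed for the example and follow the common log format, which is also an assumption about how a given deployment logs requests.

```python
import re
from typing import Optional

# Fixed versions stated in the summary. Mapping them to the 10.2.x and
# 10.0.x branches is an assumption; other branches return None below.
FIXED_VERSIONS = {
    (10, 2): (10, 2, 4),
    (10, 0): (10, 0, 7),
}

# Endpoints named in the summary as the path to the arbitrary file write.
SIDECAR_ENDPOINTS = frozenset({
    "/v1/postgres/recovery/backup",
    "/v1/postgres/recovery/restore",
})


def parse_version(version: str) -> tuple:
    """Turn '10.2.3' (or '10.2.3.1') into a tuple of ints for comparison."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> Optional[bool]:
    """True if the version is below the fixed release on its branch,
    False if it is at or above it, None if the branch is not covered
    by the summary (consult the vendor advisory in that case)."""
    v = parse_version(version)
    branch = v[:2]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return None
    return v < fixed


# Common log format: client, ident, user, [timestamp], "METHOD path proto", status
LOG_LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_sidecar_requests(lines) -> list:
    """Return every request whose path (query string stripped) is one of the
    sidecar endpoints. Status is reported but not filtered on: the flaw is
    unauthenticated, so a 200 and a 401 are both worth a look."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        path = m.group("path").split("?", 1)[0]
        if path in SIDECAR_ENDPOINTS:
            hits.append({
                "client": m.group("client"),
                "timestamp": m.group("ts"),
                "method": m.group("method"),
                "path": path,
                "status": int(m.group("status")),
            })
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Jun/2026:10:01:02 +0000] "POST /v1/postgres/recovery/restore HTTP/1.1" 200 512',
    '198.51.100.7 - - [13/Jun/2026:10:01:05 +0000] "GET /en-US/app/search HTTP/1.1" 200 2048',
    '203.0.113.5 - - [13/Jun/2026:10:01:09 +0000] "POST /v1/postgres/recovery/backup?x=1 HTTP/1.1" 401 0',
    'garbage line that is not an access log entry',
]


if __name__ == "__main__":
    for ver in ("10.2.3", "10.2.4", "10.0.6", "10.0.7", "10.1.0"):
        print(f"{ver}: affected={is_affected(ver)}")
    for hit in find_sidecar_requests(SAMPLE_LOG):
        print(hit)
```

The version check deliberately refuses to guess about branches the summary does not mention, and the log scan deliberately ignores the HTTP status, because an unauthenticated file write means a successful request need not look any different from a failed one apart from the response code. In a real deployment the same matching logic would run over the full access log rather than the constructed lines above.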

MITRE ATT&CK Techniques:

  • T1203 - Exploit Public-Facing Application (Initial Access)
  • T1068 - Exploitation for Client Execution (Execution)

IOCs mentioned: none
