CISA Urges Emergency Patching for Critical Splunk Flaw Under Active Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) has ordered federal agencies to patch a critical **Splunk Enterprise** vulnerability, **CVE-2026-20253**, that is being exploited in the wild. The flaw lets unauthenticated remote attackers create or truncate arbitrary files on affected instances, a primitive that researchers warn can be leveraged for remote code execution.
### Critical Splunk Vulnerability Exploited In The Wild
**CISA** has alerted federal agencies to a critical security vulnerability in **Splunk Enterprise**, identified as **CVE-2026-20253**. This flaw is actively being exploited, prompting an urgent call for federal agencies to secure their systems by Sunday.
The vulnerability affects **Splunk Enterprise** versions 10.2.0 through 10.2.3 and 10.0.0 through 10.0.6. It stems from missing authentication on the **PostgreSQL** sidecar service endpoint, which lets unauthenticated, network-reachable attackers create or truncate arbitrary files on vulnerable instances.
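Deciding which instances fall inside the two affected ranges above is the first triage step, and it is easy to get wrong with naive string comparison (for example `"10.0.10" < "10.0.6"` is true as strings). The following is an added example, not code from the article or from Splunk: it parses a version string numerically, checks it against the ranges the advisory lists, and ranks a constructed inventory with internet-exposed hosts first. The host names, the inventory and the `10.0.10` entry are all hypothetical.

```python
"""Triage a Splunk Enterprise inventory against the affected version ranges for CVE-2026-20253.

Added example, not Splunk's or the article's code. The ranges encode only what the
advisory lists as affected; consult the vendor advisory for the authoritative list.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Inclusive (low, high) ranges taken from the advisory as summarised in the article.
AFFECTED_RANGES: Tuple[Tuple[Version, Version], ...] = (
    ((10, 0, 0), (10, 0, 6)),
    ((10, 2, 0), (10, 2, 3)),
)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Extract major.minor.patch as integers.

    Accepts a bare "10.2.1" as well as banner-style strings such as
    "Splunk 10.2.1 (build ...)" so the check can run over raw `splunk version` output.
    Raises ValueError when no x.y.z triple is present, so unknown hosts are not
    silently treated as unaffected.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised Splunk version string: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(text: str) -> bool:
    """True when the version lies inside one of the advisory's inclusive ranges.

    Tuples compare element-wise as integers, so 10.0.10 (hypothetical) is correctly
    ordered after 10.0.6 rather than before it as a string comparison would do.
    """
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: List[Dict]) -> List[Dict]:
    """Return the affected hosts only, internet-exposed ones first, then by host name.

    Exposure is the ordering key because the directive asks agencies to assess
    internet exposure alongside the patch deadline.
    """
    hits = [h for h in inventory if is_affected(h["version"])]
    return sorted(hits, key=lambda h: (not h["internet_exposed"], h["host"]))


# Constructed sample inventory; every host name and version assignment is hypothetical.
SAMPLE_INVENTORY: List[Dict] = [
    {"host": "splunk-sh-01.example.internal", "version": "Splunk 10.2.1 (build 0123456789ab)", "internet_exposed": True},
    {"host": "splunk-idx-02.example.internal", "version": "10.0.4", "internet_exposed": False},
    {"host": "splunk-hf-03.example.internal", "version": "10.2.4", "internet_exposed": True},
    {"host": "splunk-lab-04.example.internal", "version": "10.0.10", "internet_exposed": False},
]


if __name__ == "__main__":
    for h in triage(SAMPLE_INVENTORY):
        exposure = "INTERNET-EXPOSED" if h["internet_exposed"] else "internal"
        print(f"{h['host']:32} {h['version']:40} {exposure}")
```

Run it against the sample inventory and only the two hosts inside the ranges are listed, with the exposed search head first; 10.2.4 is past the top of its range and the hypothetical 10.0.10 is above 10.0.6 numerically. Feed it real `splunk version` output and treat any `ValueError` as a host that still needs manual review.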
### The Path to Exploitation
**Splunk**'s security team initially disclosed the flaw, noting that "the **PostgreSQL** sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials."
Days after **Splunk** released patches, security firm **WatchTowr** published a technical write-up and proof-of-concept exploit code on June 12, warning that the arbitrary file-write primitive could be leveraged for remote code execution (**RCE**).
By June 18, **Splunk** updated its advisory, confirming evidence of in-the-wild exploitation and strongly recommending customers upgrade to fixed software releases.
### Widespread Exposure and CISA's Directive
The internet security watchdog **Shadowserver** tracks over 1,400 internet-exposed **Splunk** instances, with the majority located in North America (952) and Europe (223). The exact number of these instances vulnerable to active exploitation of **CVE-2026-20253** remains unclear.

On Thursday, **CISA** officially added **CVE-2026-20253** to its Known Exploited Vulnerabilities Catalog. Under Binding Operational Directive (**BOD**) 26-04, **CISA** has mandated that Federal Civilian Executive Branch (**FCEB**) agencies patch their affected **Splunk** instances by Sunday.
**CISA** emphasized the severity, stating, "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise." The directive requires stakeholders to assess their assets' internet exposure and comply with **BOD** 26-04 patching guidelines.
### Mitigation Strategies
For administrators who cannot patch immediately, **Splunk** has provided a mitigation: disabling the **PostgreSQL** sidecar service removes the attack surface. The workaround carries a significant operational cost, however: it breaks **Edge Processor**, **OpAmp** and **SPL2** data pipelines on the affected instance. Organizations must weigh that impact against the immediate security risk, and treat the workaround as a stopgap until the fixed release is installed rather than as a substitute for patching.