Splunk Enterprise Authentication Bypass Vulnerability

Blog

Byadmblake June 30, 2026

What is the Attack? A critical authentication bypass vulnerability, CVE-2026-20253 (CVSS 9.8), affects Splunk Enterprise versions 10.0.x and 10.2.x. The flaw stems from missing authentication on a PostgreSQL sidecar service endpoint, allowing an unauthenticated attacker to create or truncate arbitrary files on a vulnerable server. Security researchers have demonstrated that the vulnerability can be leveraged…

What is the Attack?

A critical authentication bypass vulnerability, CVE-2026-20253 (CVSS 9.8), affects Splunk Enterprise versions 10.0.x and 10.2.x. The flaw stems from missing authentication on a PostgreSQL sidecar service endpoint, allowing an unauthenticated attacker to create or truncate arbitrary files on a vulnerable server.

Security researchers have demonstrated that the vulnerability can be leveraged toward pre-authentication remote code execution (RCE) under certain conditions, and active exploitation has been confirmed. The vulnerability has been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog, making it a high-priority patching target for organizations running exposed Splunk Enterprise instances.

An attacker who successfully exploits CVE-2026-20253 may be able to:

• Create or truncate arbitrary files on the target server.

• Bypass authentication protections.

• Potentially achieve pre-authentication remote code execution.

• Disrupt Splunk services.

What is the recommended Mitigation?

Affected:

Splunk Enterprise 10.2 prior to 10.2.4

Splunk Enterprise 10.0 prior to 10.0.7

Upgrade to:

Splunk Enterprise 10.2.4 or later

Splunk Enterprise 10.0.7 or later

If immediate patching is not possible:

• Disable the PostgreSQL sidecar service as recommended by Splunk.

• Restrict network access to Splunk management interfaces.

• Monitor for unexpected file creation or service behavior.

• Review logs for suspicious unauthenticated access attempts.

What FortiGuard Coverage is available?

• FortiGuard IPS provides protection against exploit attempts targeting vulnerable services.

• FortiGuard Web Filtering blocks access to known malicious infrastructure used during exploitation.

• FortiGuard AntiVirus detects and blocks malware payloads delivered following successful exploitation.

• FortiEDR detects suspicious post-exploitation behavior, including unauthorized file modifications and persistence techniques.

• FortiGuard Incident Response Service assists organizations in investigating and determining the scope of compromise, and supporting remediation efforts following exploitation.

Blog

Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys

Threat actors are exploiting a recently patched security flaw impacting Gravity SMTP, a WordPress plugin that’s installed on about 100,000 sites. The vulnerability, tracked as CVE-2026-4020 (CVSS score: 5.3), is a medium-severity information disclosure flaw that can allow unauthenticated attackers to extract sensitive data, such as configuration data, API keys, secrets, and OAuth tokens

Read More Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys
Blog

Vibe Coding: Innovation Demands Vigilance

Unmanaged coding is indeed an alluring idea, but can introduce a host of significant cybersecurity dangers, Constantine warns.

Read More Vibe Coding: Innovation Demands Vigilance
Blog

UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor

A previously undocumented threat activity cluster has been attributed to an ongoing malicious campaign targeting education and healthcare sectors in the U.S. since at least December 2025. The campaign is being tracked by Cisco Talos under the moniker UAT-10027. The end goal of the attacks is to deliver a never-before-seen backdoor codenamed Dohdoor. “Dohdoor utilizes…

Read More UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor
Blog

Experts Find Shared Codebase Linking Morpheus and HellCat Ransomware Payloads

An analysis of HellCat and Morpheus ransomware operations has revealed that affiliates associated with the respective cybercrime entities are using identical code for their ransomware payloads. The findings come from SentinelOne, which analyzed artifacts uploaded to the VirusTotal malware scanning platform by the same submitter towards the end of December 2024. “These two payload samples…

Read More Experts Find Shared Codebase Linking Morpheus and HellCat Ransomware Payloads
Blog

Desert Dexter Targets 900 Victims Using Facebook Ads and Telegram Malware Links

The Middle East and North Africa have become the target of a new campaign that delivers a modified version of a known malware called AsyncRAT since September 2024. “The campaign, which leverages social media to distribute malware, is tied to the region’s current geopolitical climate,” Positive Technologies researchers Klimentiy Galkin and Stanislav Pyzhov said in…

Read More Desert Dexter Targets 900 Victims Using Facebook Ads and Telegram Malware Links
Blog

CVE Program Cuts Send the Cyber Sector Into Panic Mode

After threatening to slash support for the CVE program, CISA threw MITRE a lifeline at the last minute — extending its government contract for another 11 months. After that, it looks like it’s up to the private sector to find the cash to keep it going.

Read More CVE Program Cuts Send the Cyber Sector Into Panic Mode

Related