CISA orders Splunk patch by Sunday after active exploits

CISA says a critical Splunk Enterprise flaw tracked as CVE-2026-20253 is already being exploited in attacks. Federal agencies are required to patch by Sunday under Binding Operational Directive 26-04, while Splunk warns of remote abuse and offers a mitigation.
CISA moved fast once it confirmed what security teams feared: threat actors are actively abusing a critical flaw in Splunk Enterprise, and federal agencies don’t have long to close the gap. The deadline is Sunday.
The issue is tracked as CVE-2026-20253 and impacts Splunk Enterprise versions 10.2.0 to 10.2.3 and 10.0.0 to 10.0.6. The vulnerability allows remote attackers without privileges to create or truncate arbitrary files on vulnerable devices. The mechanism runs through a PostgreSQL sidecar service endpoint.
Splunk’s own security team tied the problem to a specific weakness: the PostgreSQL sidecar service endpoint lacks authentication controls. As a result, any network-reachable user can invoke file operations without credentials.
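The first thing a defender needs from the advisory is a reliable answer to "which of my instances fall inside the affected ranges?". The following Python is an added example written for this article (not Splunk's or CISA's code): it encodes only the two version ranges the article quotes for CVE-2026-20253, parses reported version strings, and sorts a constructed inventory so that internet-exposed affected hosts surface first. The inventory rows and hostnames are made up; the version boundaries come from the text above.

```python
"""Triage Splunk Enterprise hosts against the CVE-2026-20253 affected ranges.

Added example, not Splunk's or CISA's tooling. The affected ranges below are
the ones quoted in the article (10.0.0-10.0.6 and 10.2.0-10.2.3); the
inventory is constructed for illustration.
"""
from typing import NamedTuple

Version = tuple[int, int, int]

# Inclusive (low, high) ranges as stated in the article's summary of the advisory.
AFFECTED_RANGES: list[tuple[Version, Version]] = [
    ((10, 0, 0), (10, 0, 6)),
    ((10, 2, 0), (10, 2, 3)),
]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch'; a build suffix after a dash is ignored."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized Splunk version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version lies inside one of the quoted affected ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


class HostStatus(NamedTuple):
    host: str
    version: str
    affected: bool
    internet_exposed: bool


def triage(inventory: list[tuple[str, str, bool]]) -> list[HostStatus]:
    """Return one status per host, internet-exposed affected hosts first,
    then other affected hosts, then everything else (each group by hostname)."""
    rows = [HostStatus(h, ver, is_affected(ver), exposed) for h, ver, exposed in inventory]
    return sorted(
        rows,
        key=lambda r: (not (r.affected and r.internet_exposed), not r.affected, r.host),
    )


# Constructed inventory: (hostname, reported version, reachable from the internet?)
SAMPLE_INVENTORY: list[tuple[str, str, bool]] = [
    ("splunk-sh-01", "10.2.1", True),    # inside 10.2.0-10.2.3 and exposed: patch first
    ("splunk-idx-02", "10.2.4", False),  # first version above the 10.2.x range
    ("splunk-hf-03", "10.0.6", False),   # last version inside the 10.0.x range
    ("splunk-lab-04", "10.1.0", True),   # outside both ranges quoted in the article
]


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        flag = "AFFECTED" if row.affected else "ok"
        exposure = "internet-exposed" if row.internet_exposed else "internal"
        print(f"{row.host:<14} {row.version:<8} {flag:<9} {exposure}")
```

The script reproduces only the ranges the article states; treat Splunk's advisory as the authoritative list before acting on the output. Sorting exposed-and-affected hosts to the top mirrors the BOD 26-04 instruction quoted later in the article that each asset's internet exposure should drive patch priority.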
The timeline has been tightening for weeks. On June 12, days after Splunk released security patches, WatchTowr published a technical write-up, shared proof-of-concept exploit code, and warned that the flaw could be used for remote code execution attacks. Then, on Wednesday, June 18, Splunk updated its advisory and pushed customers harder, citing evidence of in-the-wild exploitation.
Splunk said its Splunk Product Security Incident Response Team (PSIRT) “became aware of limited exploitation of this vulnerability” in June 2026. It “strongly recommends that customers upgrade to a fixed software release to remediate this vulnerability.”
As the public chatter grew louder, defenders struggled to quantify the scope. Shadowserver tracks more than 1,400 Internet-exposed Splunk instances, most located in North America (952) and Europe (223). Yet there is no information available on how many of those exposed systems are actually vulnerable to CVE-2026-20253 and being targeted.
That uncertainty is exactly where the pressure now lands. On Thursday, CISA confirmed that threat actors are actively abusing CVE-2026-20253 in attacks. The agency ordered Federal Civilian Executive Branch (FCEB) agencies to patch their Splunk instances by Sunday, citing Binding Operational Directive (BOD) 26-04.
BOD 26-04, issued last week, tells agencies to prioritize patching based on a vulnerability’s risk of exploitation. CISA said this vulnerability is a frequent attack vector and carries “significant risks to the federal enterprise.” It also emphasized that stakeholders are responsible for evaluating each asset’s internet exposure and following the BOD 26-04 patching guidelines.
Splunk also provided mitigation steps for administrators who can’t patch immediately. The company advised them to disable the PostgreSQL sidecar service to remove the attack surface. But that advice comes with a cost: disabling PostgreSQL would break Edge Processor, OpAmp, or SPL2 data pipelines on affected instances.
That tradeoff, between stopping an active attack path and keeping critical pipelines alive, has become the real choice facing teams watching dashboards on tight timelines. With CISA’s deadline now set and proof-of-concept code already in circulation, the next question is less about whether the flaw exists and more about how quickly vulnerable systems can be brought under control before attackers make full use of it.
So they’re patching by Sunday… like that’s enough time for everyone??
This is Splunk, right? I always thought it was just for data dashboards, not hackers. Makes no sense that it can let someone mess with files remotely.
Wait it says PostgreSQL sidecar endpoint has no auth controls… so basically anyone on the network can do file stuff? That sounds like either misconfigured or totally broken. I’m confused why Splunk even shipped it like that.
“Binding Operational Directive” sounds like they’re forcing everyone like the government always does, but why is it still exploitable if they already had patches June 12? I saw “remote code execution” in another post and figured it was already everywhere, like 1,400 exposed instances means 1,400 getting hacked for sure… right?