
CVE-2026-20253

CRITICAL · CVSS 9.8 · EPSS 1.7%
hype LIKELY HACK · 72 hack

watchTowr writeup is public; active exploitation is claimed but unverified; not yet KEV-listed; high severity and exposure suggest a real campaign is emerging.

What: Unauthenticated file create/truncate via unprotected PostgreSQL sidecar endpoint in Splunk Enterprise <10.2.4, 10.0.7 and Splunk Cloud <10.4.2604.3, 10.2.2510.14 (CVSS 9.8 Critical).

Why it matters: CVSS 9.8 critical severity; FOFA shows 94K+ exposed instances. watchTowr published a technical writeup on June 13; post #7 claims honeypot detection of active exploitation attempts as of June 15. Not yet KEV-listed, but a pre-auth RCE chain is documented and a public PoC is imminent.

Where it's seen: Security researchers, FOFA asset search, threat intel feeds, and Splunk-focused practitioners discussing urgent patching. Claims of active scanning and exploitation attempts in honeypots. No major vendor advisory yet visible in posts.

RISK: CRITICAL — CVSS 9.8, 94K exposed assets, documented RCE chain, claimed active exploitation in honeypots.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 6/15/2026, 4:29:31 PM

Description

In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.3 and 10.2.2510.14, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint.

The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials.

CVSS 3.1 breakdown

Exploitability 3.9 · Impact 5.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: Network
Complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Weaknesses