CISA ordered all Federal Civilian Executive Branch agencies Thursday to patch CVE-2026-20253 in Splunk Enterprise by June 21, citing confirmed in-the-wild exploitation of a 9.8-severity flaw that lets unauthenticated attackers create or truncate arbitrary files and, under certain conditions, execute arbitrary code.
The flaw, documented in Splunk’s security advisory SVD-2026-0603, affects Splunk Enterprise versions 10.0.0 through 10.0.6 and 10.2.0 through 10.2.3. The root cause: the PostgreSQL sidecar service endpoint doesn’t enforce authentication controls, so any network-reachable user can invoke file operations without credentials. watchTowr published proof-of-concept exploit code on June 12, days after Splunk’s initial patch release. Splunk confirmed limited active exploitation on June 18 and updated its advisory the same day.
Shadowserver tracks more than 1,400 internet-exposed Splunk instances, with 952 in North America and 223 in Europe. The number vulnerable to active attacks is unknown.
CISA’s order comes under Binding Operational Directive 26-04, issued last week, which requires agencies to prioritize patching based on exploitation risk. CVE-2026-20253 qualifies: an internet-exposed system, actively exploited, with a public proof-of-concept. Agencies have until Sunday.
Admins who can’t patch before Sunday face a hard trade-off. Splunk’s own mitigation, disabling the PostgreSQL sidecar service, also takes down Edge Processor, OpAmp, and SPL2 data pipelines. Those are the same components many federal security operations centers rely on to aggregate real-time telemetry. Patching a SIEM under a short-fuse mandate is exactly the scenario BOD 26-04 was designed to force, not accommodate.
Fixed versions are 10.2.4 and 10.0.7. The June 21 deadline is Sunday.
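A defender's triage helper for the version ranges quoted above, added here as an example and not code from Splunk, CISA or this article: it parses Splunk Enterprise version strings and sorts each host in a constructed inventory into vulnerable, fixed, or outside the listed ranges (which the advisory as summarised here does not describe as safe, so they are reported as "not listed" rather than cleared).

```python
"""Triage a Splunk Enterprise inventory against the SVD-2026-0603 version ranges.
Hypothetical example for this article, not Splunk or CISA tooling. Versions outside
the listed ranges are reported as 'not listed', not 'safe'."""

# Inclusive affected ranges and the fixed version for each branch, as quoted above.
AFFECTED = [
    ((10, 0, 0), (10, 0, 6), "10.0.7"),
    ((10, 2, 0), (10, 2, 3), "10.2.4"),
]


def parse_version(text: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH'; a '-suffix' on the patch component is ignored."""
    parts = text.strip().split(".")
    if len(parts) < 3:
        raise ValueError(f"unrecognised version string: {text!r}")
    try:
        return int(parts[0]), int(parts[1]), int(parts[2].split("-")[0])
    except ValueError as exc:
        raise ValueError(f"unrecognised version string: {text!r}") from exc


def assess(version: str) -> tuple:
    """Return (status, fixed_version); status is 'vulnerable', 'fixed' or 'not listed'."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED:
        if low <= v <= high:
            return "vulnerable", fixed
        # Same MAJOR.MINOR branch at or above its fixed release.
        if v[:2] == low[:2] and v >= parse_version(fixed):
            return "fixed", fixed
    return "not listed", None


def triage(inventory: dict) -> dict:
    """Group hostnames by status so the vulnerable hosts can be worked first."""
    groups = {"vulnerable": [], "fixed": [], "not listed": []}
    for host, version in inventory.items():
        groups[assess(version)[0]].append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"siem-01": "10.2.3", "siem-02": "10.0.7", "siem-03": "10.1.2", "siem-04": "9.4.1"}
    for status, hosts in triage(sample).items():
        print(f"{status:>11}: {', '.join(hosts) or '-'}")
```

Feed it the version strings from your own asset inventory; hosts that land in "not listed" still need a look against the current advisory text rather than being closed out.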
James Okafor