Agentic Intelligence · Infomly

Your SIEM just became the attack vector. Splunk Enterprise CVE-2026-20253 is CVSS 9.8 and actively exploited.

AI-Assisted Content — Produced with AI assistance and human editorial review.
Splunk Enterprise has a CVSS 9.8 authentication bypass.

Unauthenticated. No credentials. No user interaction.

Attackers are writing arbitrary files to your SIEM server right now.

CVE-2026-20253 lives in the PostgreSQL sidecar service endpoint. The endpoint lacks authentication controls entirely, so any network-reachable attacker can invoke file operations without credentials. Researchers at watchTowr published a working exploit chain two days after disclosure. Splunk confirmed active exploitation on June 18. CISA added it to the KEV catalog the same day and gave federal agencies three days to patch.

Here is what makes this catastrophic: Splunk is the platform your SOC team uses to detect attacks. If an attacker controls your SIEM, they can suppress alerts, delete evidence, and operate with near-total impunity. The tool you built your detection stack around just became the blind spot.

Affected versions: Splunk Enterprise 10.0.0 through 10.0.6 and 10.2.0 through 10.2.3. Fixed versions: 10.0.7 and 10.2.4. Splunk Cloud is not affected. If you cannot patch immediately, disable the PostgreSQL sidecar service by adding a [postgres] stanza containing disabled = true to server.conf.

Audit your Splunk deployment today. If you are running an affected version on-prem with network exposure, assume you are already a target. This is the first Splunk vulnerability ever added to CISA's KEV catalog. That should tell you everything about the severity.
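One way to run that audit across an inventory, as an added example that is not from the Splunk advisory or the original article: it classifies a host from its version string and server.conf text using only the version ranges and the [postgres] mitigation stated above. The function names, the accepted spellings of "true", and the sample inputs are assumptions made for illustration.

```python
import re

# Affected ranges and fixed releases, exactly as stated in the article above.
AFFECTED = [((10, 0, 0), (10, 0, 6), "10.0.7"), ((10, 2, 0), (10, 2, 3), "10.2.4")]
TRUTHY = {"true", "1"}  # assumption: spellings counted as "disabled"

def parse_version(text):
    """Return (major, minor, patch) from '10.0.5' or a 'VERSION=10.0.5' line."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.groups())

def fixed_release(version):
    """Return the fixed release if version is in an affected range, else None."""
    for low, high, fix in AFFECTED:
        if low <= version <= high:
            return fix
    return None

def sidecar_disabled(conf_text):
    """True if the [postgres] stanza sets disabled = true (last setting wins)."""
    stanza, disabled = None, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
        elif stanza == "postgres" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "disabled":
                disabled = value.lower() in TRUTHY
    return disabled

def assess(version_text, conf_text):
    """Classify one host from its version string and server.conf contents."""
    fix = fixed_release(parse_version(version_text))
    if fix is None:
        return "not in an affected range"
    if sidecar_disabled(conf_text):
        return f"mitigated: sidecar disabled, still upgrade to {fix}"
    return f"vulnerable: upgrade to {fix} or disable the sidecar"

if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real deployment.
    print(assess("VERSION=10.0.5", "[general]\nserverName = siem01\n"))
    print(assess("10.2.3", "[postgres]\ndisabled = true\n"))
```

Splunk merges server.conf from several directories, so pass the merged settings (for example the output of `splunk btool server list postgres`) rather than a single file when the setting may live in more than one place.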

SOURCE: https://advisory.splunk.com/advisories/SVD-2026-0603
VERIFIED: Splunk advisory SVD-2026-0603, CISA KEV catalog June 18 2026, SecurityWeek June 19 2026
SIGNAL: The platform enterprises trust for security visibility just became a pre-auth attack surface. Patch now or accept that your SOC is flying blind.