Critical Splunk flaw is under attack — patch CVE-2026-20253 now

A critical vulnerability in Splunk Enterprise is now being exploited in the wild, and it’s serious enough that the US Cybersecurity and Infrastructure Security Agency (CISA) gave federal agencies just three days to patch it. Tracked as CVE-2026-20253, the flaw carries a near-maximum severity score of 9.8 and lets an attacker reach a Splunk server over the network and create or overwrite files without logging in at all. As reported by SOCRadar, researchers have published working exploit code that chains this into full remote code execution — meaning an attacker can run commands on your server.

Splunk is the log-management and security-monitoring tool sitting at the heart of a lot of mid-sized Australian businesses and the managed providers who support them. That’s what makes this one nasty: a Splunk box usually has deep visibility into your network and often holds sensitive data and credentials. If it’s reachable from the internet — or from a poorly segmented internal network — an unauthenticated attacker can use this flaw as a foothold to disrupt operations, destroy logs (handy for covering tracks), or move deeper into your environment. Under Australia’s tightened Privacy Act, a breach that exposes personal data can also trigger mandatory reporting obligations and real penalties.

If you run Splunk Enterprise, upgrade now to 10.0.7 or 10.2.4 (or later) and treat it as an emergency change, not next month’s patch cycle. Can’t patch straight away? Splunk’s own workaround is to disable the PostgreSQL sidecar service, and you should confirm the Splunk admin interface isn’t exposed to the internet. Then review the host’s logs for unusual file activity.
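As an added triage helper (not code from the original post or from Splunk), the snippet below reads the output of `$SPLUNK_HOME/bin/splunk version` and flags any install that sits below the fixed releases named above. It assumes each fixed release covers its own minor branch, that 10.3 and later count as "or later", and that a 10.1.x install, which the advisory does not name, should be treated as needing an upgrade.

```python
import re

# Fixed releases from the advisory: 10.0.7 and 10.2.4 (or later).
# Assumption: each entry covers its own 10.x minor branch.
FIXED = {0: (10, 0, 7), 2: (10, 2, 4)}

def parse_version(output: str) -> tuple:
    """Extract (major, minor, patch) from `splunk version` output,
    e.g. 'Splunk 10.0.3 (build 1a2b3c4d)' (constructed sample)."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", output)
    if not m:
        raise ValueError(f"no version string found in: {output!r}")
    return tuple(int(x) for x in m.groups())

def is_patched(version: tuple) -> bool:
    """True only if the running build is a fixed release or newer."""
    major, minor, patch = version
    if major > 10:
        return True
    if major < 10:
        return False  # 9.x and older all predate the first fixed release
    if minor in FIXED:
        return (major, minor, patch) >= FIXED[minor]
    # Assumption: 10.1.x is not named as fixed, so treat it as exposed;
    # 10.3+ is "later" than 10.2.4 and carries the fix.
    return minor > 2

def triage(output: str) -> str:
    """One-line verdict for an operator reviewing a fleet of Splunk hosts."""
    v = parse_version(output)
    label = ".".join(map(str, v))
    if is_patched(v):
        return f"{label}: fixed release, no action needed for CVE-2026-20253"
    return (f"{label}: VULNERABLE to CVE-2026-20253 - upgrade to 10.0.7 / 10.2.4 "
            "or later; until then disable the PostgreSQL sidecar service")

if __name__ == "__main__":
    # Constructed sample outputs standing in for `splunk version` on three hosts.
    for sample in ("Splunk 10.0.3 (build 1a2b3c4d)",
                   "Splunk 10.2.4 (build 5e6f7a8b)",
                   "Splunk 9.4.1 (build 9c0d1e2f)"):
        print(triage(sample))
```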

Not sure whether you’re running Splunk, or whether it’s exposed? That’s exactly the kind of thing a managed provider should be on top of. If you’d like a second set of eyes on your patching and external exposure, our cybersecurity team can help.
