securityweek.com web signal

Splunk Enterprise CVE-2026-20253 Exploited Within Eight Days of Disclosure — CISA Adds to KEV Catalog With Three-Day Federal Deadline

Summary

CISA added Splunk Enterprise CVE-2026-20253 to its Known Exploited Vulnerabilities catalog on June 18 and gave federal agencies a three-day patch deadline. The listing came after watchTowr researchers published working proof-of-concept remote code execution code on June 12 and in-the-wild exploitation was confirmed just eight days after Splunk's initial disclosure. The flaw allows unauthenticated attackers to create or truncate arbitrary files by invoking a PostgreSQL sidecar service endpoint that performs zero application-level authentication, and watchTowr extended this into full RCE against Splunk Enterprise 10.2 and 10.0. This is the first Splunk vulnerability ever added to CISA's KEV catalog, putting Splunk deployments in the same remediation tier as actively exploited nation-state tools. Note: this is a distinct flaw from the previously covered Splunk AI Toolkit CVE-2026-20266.