A critical vulnerability in Splunk Enterprise, tracked as CVE-2026-20253, is being actively exploited in the wild just days after its public disclosure. The flaw allows unauthenticated remote code execution, putting organizations at immediate risk of full system compromise.

CISA has given federal agencies only three days to patch the vulnerability, underscoring its severity. While a CVSS score was not disclosed in available reporting, the agency's emergency directive signals a high threat level. Active exploitation has been confirmed, though the full scale of affected systems remains unclear.

The vulnerability lets remote attackers execute arbitrary code without authentication. Exploit mechanisms and indicators of compromise have not been detailed in available reporting, but the rapid exploitation timeline suggests proof-of-concept code or exploit details may have circulated quickly within threat actor communities.

Splunk has released a security update to address CVE-2026-20253. Organizations are urged to apply the patch immediately. No workarounds have been published, and the three-day deadline for federal agencies leaves little room for alternative mitigation.

Attribution for the attacks has not been disclosed. The incident highlights the shrinking window between disclosure and exploitation, as threat actors increasingly weaponize vulnerabilities faster than organizations can patch.