{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3asplunkcloud/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:splunk:cloud:*:*:*:*:*:*:*:*","cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*"],"_cs_cves":[{"cvss":8,"id":"CVE-2023-46214"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Splunk Enterprise \u003c 9.0.7","Splunk Enterprise \u003c 9.1.2","Splunk Cloud Platform \u003c 9.0.2308","Splunk Cloud Platform \u003c 9.1.2308"],"_cs_severities":["critical"],"_cs_tags":["application","rce","splunk","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eAttackers are targeting Splunk Enterprise and Splunk Cloud Platform instances by exploiting CVE-2023-46214, an issue related to the improper handling of user-supplied Extensible Stylesheet Language Transformations (XSLT). This vulnerability, affecting Splunk Enterprise versions prior to 9.0.7 and 9.1.2, and Splunk Cloud Platform versions prior to 9.0.2308 and 9.1.2308, allows an authenticated user to achieve remote code execution on the underlying Splunk server. The attack typically involves crafting a malicious XSLT payload and submitting it through an interface that processes user-controlled XSLT. Successful exploitation can grant threat actors full control over the Splunk instance, enabling unauthorized data access, system modification, and further lateral movement within the compromised network. Defenders should prioritize patching and monitoring for indicators of attempted exploitation in their \u003ccode\u003esplunkd_ui\u003c/code\u003e logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access / Account Compromise\u003c/strong\u003e: An attacker gains access to a valid Splunk user account or identifies a publicly accessible endpoint that processes user-supplied XSLT without proper sanitization.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious XSLT Crafting\u003c/strong\u003e: The attacker develops a specialized XSLT file containing malicious code designed to exploit CVE-2023-46214, targeting the Splunk server's underlying operating system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eXSLT Submission\u003c/strong\u003e: The malicious XSLT payload is submitted to the vulnerable Splunk instance, typically through an API endpoint or UI feature that accepts XSLT definitions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Trigger\u003c/strong\u003e: The Splunk instance attempts to process the user-supplied XSLT, which triggers the remote code execution vulnerability (CVE-2023-46214).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Execution\u003c/strong\u003e: The malicious XSLT causes the Splunk server to execute arbitrary commands under the privileges of the Splunk daemon.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePost-Exploitation Actions\u003c/strong\u003e: The attacker runs commands on the Splunk server, such as creating new user accounts, deploying backdoors, or executing reconnaissance tools.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: The attacker proceeds with objectives such as data exfiltration from Splunk indexes, system compromise, or using the Splunk server as a pivot point for lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2023-46214 leads to critical consequences for affected organizations. Attackers can achieve full system compromise of the Splunk server, gaining complete control over the application and the underlying host. This allows for unauthorized access to sensitive data stored within Splunk indexes, potentially exfiltrating proprietary information, customer data, or security logs. Furthermore, the compromised Splunk instance can be used as a beachhead for lateral movement across the network, enabling broader attacks and impacting multiple systems. The number of potential victims is significant, as Splunk is widely deployed across various sectors for security and operational intelligence.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch all Splunk Enterprise instances to versions 9.0.7 or later, or 9.1.2 or later, and Splunk Cloud Platform instances to versions 9.0.2308 or later, or 9.1.2308 or later to remediate CVE-2023-46214.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect potential exploitation attempts against Splunk instances.\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003esplunkd_ui\u003c/code\u003e logs for URIs containing \u003ccode\u003eNO_BINARY_CHECK=1\u003c/code\u003e, \u003ccode\u003einput.path=*.xsl\u003c/code\u003e, or \u003ccode\u003edispatch*.xsl\u003c/code\u003e which could indicate ongoing or attempted exploitation of CVE-2023-46214.\u003c/li\u003e\n\u003cli\u003eInvestigate any detections of the provided Sigma rule, paying close attention to the \u003ccode\u003eclientip\u003c/code\u003e, \u003ccode\u003euseragent\u003c/code\u003e, and \u003ccode\u003estatus\u003c/code\u003e fields to determine the nature and source of the activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T13:39:13Z","date_published":"2026-07-03T13:39:13Z","id":"https://feed.craftedsignal.io/briefs/2026-07-splunk-rce-xslt/","summary":"This brief identifies potential remote code execution (RCE) attempts targeting Splunk servers by exploiting CVE-2023-46214, a vulnerability related to user-supplied Extensible Stylesheet Language Transformations (XSLT) that allows attackers to execute arbitrary code leading to full system compromise.","title":"Splunk RCE via User XSLT Exploitation (CVE-2023-46214)","url":"https://feed.craftedsignal.io/briefs/2026-07-splunk-rce-xslt/"}],"language":"en","title":"CraftedSignal Threat Feed - Cpe:2.3:a:splunk:cloud:*:*:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}