<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Splunk Enterprise &lt; 9.0.7 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/splunk-enterprise--9.0.7/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 13:39:13 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/splunk-enterprise--9.0.7/feed.xml" rel="self" type="application/rss+xml"/><item><title>Splunk RCE via User XSLT Exploitation (CVE-2023-46214)</title><link>https://feed.craftedsignal.io/briefs/2026-07-splunk-rce-xslt/</link><pubDate>Fri, 03 Jul 2026 13:39:13 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-splunk-rce-xslt/</guid><description>This brief identifies potential remote code execution (RCE) attempts targeting Splunk servers by exploiting CVE-2023-46214, a vulnerability related to user-supplied Extensible Stylesheet Language Transformations (XSLT) that allows attackers to execute arbitrary code leading to full system compromise.</description><content:encoded><![CDATA[<p>Attackers are targeting Splunk Enterprise and Splunk Cloud Platform instances by exploiting CVE-2023-46214, an issue related to the improper handling of user-supplied Extensible Stylesheet Language Transformations (XSLT). This vulnerability, affecting Splunk Enterprise versions prior to 9.0.7 and 9.1.2, and Splunk Cloud Platform versions prior to 9.0.2308 and 9.1.2308, allows an authenticated user to achieve remote code execution on the underlying Splunk server. The attack typically involves crafting a malicious XSLT payload and submitting it through an interface that processes user-controlled XSLT. Successful exploitation can grant threat actors full control over the Splunk instance, enabling unauthorized data access, system modification, and further lateral movement within the compromised network. Defenders should prioritize patching and monitoring for indicators of attempted exploitation in their <code>splunkd_ui</code> logs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access / Account Compromise</strong>: An attacker gains access to a valid Splunk user account or identifies a publicly accessible endpoint that processes user-supplied XSLT without proper sanitization.</li>
<li><strong>Malicious XSLT Crafting</strong>: The attacker develops a specialized XSLT file containing malicious code designed to exploit CVE-2023-46214, targeting the Splunk server's underlying operating system.</li>
<li><strong>XSLT Submission</strong>: The malicious XSLT payload is submitted to the vulnerable Splunk instance, typically through an API endpoint or UI feature that accepts XSLT definitions.</li>
<li><strong>Vulnerability Trigger</strong>: The Splunk instance attempts to process the user-supplied XSLT, which triggers the remote code execution vulnerability (CVE-2023-46214).</li>
<li><strong>Code Execution</strong>: The malicious XSLT causes the Splunk server to execute arbitrary commands under the privileges of the Splunk daemon.</li>
<li><strong>Post-Exploitation Actions</strong>: The attacker runs commands on the Splunk server, such as creating new user accounts, deploying backdoors, or executing reconnaissance tools.</li>
<li><strong>Impact</strong>: The attacker proceeds with objectives such as data exfiltration from Splunk indexes, system compromise, or using the Splunk server as a pivot point for lateral movement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2023-46214 leads to critical consequences for affected organizations. Attackers can achieve full system compromise of the Splunk server, gaining complete control over the application and the underlying host. This allows for unauthorized access to sensitive data stored within Splunk indexes, potentially exfiltrating proprietary information, customer data, or security logs. Furthermore, the compromised Splunk instance can be used as a beachhead for lateral movement across the network, enabling broader attacks and impacting multiple systems. The number of potential victims is significant, as Splunk is widely deployed across various sectors for security and operational intelligence.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch all Splunk Enterprise instances to versions 9.0.7 or later, or 9.1.2 or later, and Splunk Cloud Platform instances to versions 9.0.2308 or later, or 9.1.2308 or later to remediate CVE-2023-46214.</li>
<li>Deploy the provided Sigma rule to your SIEM to detect potential exploitation attempts against Splunk instances.</li>
<li>Review <code>splunkd_ui</code> logs for URIs containing <code>NO_BINARY_CHECK=1</code>, <code>input.path=*.xsl</code>, or <code>dispatch*.xsl</code> which could indicate ongoing or attempted exploitation of CVE-2023-46214.</li>
<li>Investigate any detections of the provided Sigma rule, paying close attention to the <code>clientip</code>, <code>useragent</code>, and <code>status</code> fields to determine the nature and source of the activity.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>application</category><category>rce</category><category>splunk</category><category>vulnerability</category></item></channel></rss>