{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-20204/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-20204"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Splunk Enterprise","Splunk Cloud Platform"],"_cs_severities":["critical"],"_cs_tags":["splunk","rce","cve-2026-20204"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eCVE-2026-20204 is a remote code execution vulnerability affecting Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127. This vulnerability allows a low-privileged user, without \u003ccode\u003eadmin\u003c/code\u003e or \u003ccode\u003epower\u003c/code\u003e roles, to execute arbitrary code on the Splunk instance. The root cause is improper handling and insufficient isolation of temporary files within the \u003ccode\u003e$SPLUNK_HOME/var/run/splunk/apptemp\u003c/code\u003e directory, enabling a malicious actor to upload and execute a crafted file. Exploitation could lead to complete system compromise, data exfiltration, or disruption of Splunk services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA low-privileged user authenticates to the Splunk web interface.\u003c/li\u003e\n\u003cli\u003eThe user crafts a malicious file (e.g., a Python script or executable) designed to execute arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe user uploads the malicious file to the \u003ccode\u003e$SPLUNK_HOME/var/run/splunk/apptemp\u003c/code\u003e directory, potentially through a vulnerable endpoint or feature that permits file uploads.\u003c/li\u003e\n\u003cli\u003eSplunk's internal processes improperly handle the uploaded file due to insufficient validation or sanitization.\u003c/li\u003e\n\u003cli\u003eThe uploaded file is executed within the context of the Splunk instance, leveraging the permissions of the Splunk user.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote code execution, allowing them to execute commands on the underlying operating system.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating a scheduled task or modifying system files.\u003c/li\u003e\n\u003cli\u003eThe attacker pivots to other systems on the network, leveraging the compromised Splunk instance as a foothold.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-20204 allows a low-privileged user to gain full control over the Splunk instance. This could lead to sensitive data being exposed, including logs, configurations, and user credentials. Attackers could also use the compromised Splunk instance to launch attacks against other systems within the organization's network, potentially resulting in widespread damage and disruption. The vulnerability has a CVSS v3.1 base score of 7.1, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Splunk Enterprise to version 10.2.1, 10.0.5, 9.4.10, or 9.3.11 or later to patch CVE-2026-20204.\u003c/li\u003e\n\u003cli\u003eUpgrade Splunk Cloud Platform to version 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, or 9.3.2411.127 or later to patch CVE-2026-20204.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events within the \u003ccode\u003e$SPLUNK_HOME/var/run/splunk/apptemp\u003c/code\u003e directory for suspicious file names or content using the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit file upload capabilities and restrict access to the \u003ccode\u003e$SPLUNK_HOME/var/run/splunk/apptemp\u003c/code\u003e directory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-splunk-rce/","summary":"A low-privileged user can achieve remote code execution in vulnerable Splunk Enterprise and Cloud Platform versions by uploading a malicious file to the `$SPLUNK_HOME/var/run/splunk/apptemp` directory.","title":"Splunk Remote Code Execution Vulnerability (CVE-2026-20204)","url":"https://feed.craftedsignal.io/briefs/2024-01-splunk-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-20204","version":"https://jsonfeed.org/version/1.1"}