Cyber Threat Brief — June 14 2026
⚠️ This report is AI-generated. Always validate findings.
1. Splunk Enterprise Pre-Auth RCE via PostgreSQL Sidecar — CVE-2026-20253
TL;DR: watchTowr published a full pre-auth RCE exploit chain for Splunk Enterprise 10.x on June 12-13. The PostgreSQL Sidecar Service lacks authentication and is enabled by default on AWS deployments; any network-reachable attacker gets arbitrary file write that leads to code execution as the splunk user.
What’s New:
- CVSS 9.8 — unauthenticated arbitrary file creation/truncation + RCE chain via the /v1/postgres/recovery/backup and /restore endpoints
- PostgreSQL Sidecar installed by default on AWS; installed but disabled on manual Linux; not installed on Windows
- Exploitation chain: backup endpoint dumps attacker-controlled remote DB → restore endpoint replays SQL via pg_restore → lo_export() function writes arbitrary files → overwrites ssg_enable_modular_input.py for code exec
- Credentials for local PostgreSQL found in cleartext at /opt/splunk/var/packages/data/postgres/.pgpass
- watchTowr Detection Artefact Generator (DAG) on GitHub — probes /v1/postgres/recovery/backup for a 400 vs 401 response
- No ITW exploitation confirmed yet, but full weaponization path is public
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| POST /en-US/splunkd/__raw/v1/postgres/recovery/backup | URI | T1190 | Web proxy / Splunk internal logs | Block external access; alert on any hit |
| POST /en-US/splunkd/__raw/v1/postgres/recovery/restore | URI | T1190 | Web proxy / Splunk internal logs | Block external access; alert on any hit |
| Authorization: Basic Og== (empty creds) | HTTP Header | T1078.001 | Web proxy | Alert on empty Basic auth to Splunk |
| /opt/splunk/var/packages/data/postgres/.pgpass | File access | T1552.001 | auditd / Splunk file integrity | Monitor reads by non-splunk processes |
| ssg_enable_modular_input.py modification | File write | T1059.006 | Splunk file integrity / auditd | Alert on unexpected writes to Splunk app bins |
| hostaddr= in database param | Payload pattern | T1071.001 | Splunk internal_logs / _audit | Hunt for connection string injection |
| Port 5435 (PostgreSQL Sidecar) | Network | T1190 | Firewall / netflow | Ensure not exposed externally |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | CRITICAL gap — no ESCU rule for PostgreSQL Sidecar abuse. Need: web proxy rule for /v1/postgres/recovery/ URI pattern; file integrity rule for .pgpass read; Python script overwrite detection |
| Elastic | None | No coverage for Splunk-specific sidecar exploitation |
| Sigma | None | No rule exists for PostgreSQL sidecar endpoint abuse |
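One way to close the web-proxy part of the gap above, as an added example that is not from the brief, watchTowr or Splunk: a small Python hunt that matches the URI, empty-Basic-auth and hostaddr= artifacts from the Actionable Intel table against constructed JSON-per-line proxy events (the event shape and the sample values are assumptions, not real log output).

```python
import base64
import re

# Constructed sample events (not real proxy or Splunk output); each carries the
# request line, headers and decoded form body as a real proxy export might.
SAMPLE_EVENTS = [
    {"src": "203.0.113.7", "method": "POST",
     "uri": "/en-US/splunkd/__raw/v1/postgres/recovery/backup",
     "headers": {"Authorization": "Basic Og=="},
     "body": "database=postgres hostaddr=198.51.100.9 user=x"},
    {"src": "10.0.0.5", "method": "GET", "uri": "/en-US/app/search/search",
     "headers": {"Authorization": "Splunk abcdef"}, "body": ""},
    {"src": "203.0.113.7", "method": "POST",
     "uri": "/en-US/splunkd/__raw/v1/postgres/recovery/restore",
     "headers": {}, "body": ""},
]

# Artifacts from the brief: the sidecar recovery endpoints and the hostaddr= pattern.
RECOVERY_URI = re.compile(r"/v1/postgres/recovery/(backup|restore)\b")
HOSTADDR = re.compile(r"\bhostaddr=")


def empty_basic_auth(header_value):
    """True when an HTTP Basic header decodes to an empty user and password (':' only)."""
    if not header_value or not header_value.startswith("Basic "):
        return False
    try:
        creds = base64.b64decode(header_value[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    return creds == ":"


def classify(event):
    """Return the list of brief artifacts matched by one event (empty if none)."""
    hits = []
    if RECOVERY_URI.search(event.get("uri", "")):
        hits.append("T1190 sidecar recovery endpoint")
    if empty_basic_auth(event.get("headers", {}).get("Authorization")):
        hits.append("T1078.001 empty Basic auth")
    if HOSTADDR.search(event.get("body", "")):
        hits.append("T1071.001 hostaddr connection-string injection")
    return hits


def hunt(events):
    """Return (src, uri, hits) for every event that matched at least one artifact."""
    return [(e["src"], e["uri"], h) for e in events if (h := classify(e))]
```

Any hit on the recovery endpoints from outside the Splunk host is worth an alert on its own; the combined URI + empty Basic auth + hostaddr= pattern is the shape of the published chain.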
Sources: watchTowr Labs full writeup · Splunk Advisory SVD-2026-0603 · watchTowr DAG on GitHub · The Hacker News
Status Updates
- CVE-2026-10520 (Ivanti Sentry): CISA KEV federal deadline TODAY June 14. Post-patch exploitation ongoing per Shadowserver; at least 2 of 19 vulnerable instances confirmed backdoored. watchTowr PoC and detection script remain public. Previous brief.
- CVE-2026-35273 (Oracle PeopleSoft): CISA KEV added June 12, federal deadline July 3. ShinyHunters/UNC6240 exploitation ongoing against higher education. 100+ orgs notified. Previous brief.
- CVE-2026-47281 / GreatXML (Windows Defender/BitLocker): Both remain UNPATCHED zero-days. Defender definition 1.453.20.0 detects the RoguePlanet PoC but does not fix the underlying vuln. Microsoft has given no fix timeline for the GreatXML BitLocker bypass. Previous brief.