Splunk A.I CyberSecurity Scoring
Splunk
Company Information
Website: http://www.splunk.com
Employees number: 9,686
Number of followers: 772,636
NAICS: 5112
Industry Type: Software Development
Homepage: splunk.com
Splunk Risk Score (AI oriented)
Splunk, Software Development
Updated: 15/06/2026
Score: 774/1000, Fair (Baa), within the 750 to 799 band
Splunk Global Score (TPRM)
Splunk, Software Development
Score locked
Current Score: 774, Baa (FAIR), on a 0 to 1000 scale
6 incidents, -5.5 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026 (score: 778)
Vulnerability • 01 Jun 2026 • Splunk
Oracle: CISA Warns of Two-Year-Old Oracle WebLogic Server Vulnerability Exploited in Attacks
Critical Oracle WebLogic Server Vulnerability (CVE-2024-21182) Actively Exploited
769 • CRITICAL-9 • ORA1780418023
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-21182, a critical vulnerability in Oracle WebLogic Server, to its Known Exploited Vulnerabilities (KEV) catalog on June 1, 2026, following confirmed in-the-wild exploitation. The flaw affects Oracle WebLogic Server, a widely deployed enterprise Java application server used in both cloud and on-premise environments.
The vulnerability is classified as an unauthenticated remote code execution (RCE) flaw, allowing attackers to exploit it without authentication via WebLogic’s T3 or IIOP protocols, which are commonly used for internal application communication. Successful exploitation could enable threat actors to bypass authentication controls, access sensitive data, or fully compromise affected systems, potentially leading to lateral movement, data exfiltration, or deployment of malicious payloads such as web shells or remote access trojans.
While no specific threat actors or ransomware groups have been publicly attributed to these attacks, security researchers warn that the vulnerability could be rapidly adopted in financially motivated campaigns, given WebLogic’s history as a frequent target in ransomware intrusion chains.
CISA has mandated federal agencies to remediate the vulnerability by June 4, 2026, under Binding Operational Directive 22-01. Organizations are advised to apply Oracle’s official patches immediately or implement mitigation measures, such as isolating affected systems, restricting access to T3/IIOP protocols, and enforcing network segmentation. Continuous monitoring for unusual traffic patterns or unauthorized access attempts is also recommended to detect early signs of compromise.
The incident highlights the ongoing risks posed by unpatched enterprise middleware and the need for proactive vulnerability management to defend critical infrastructure.
Vulnerability • 01 Jun 2026 • Splunk
Splunk and Cisco: Critical Splunk Enterprise Vulnerability Enables Unauthenticated Remote Code Execution
Critical Splunk Enterprise Vulnerability (CVE-2026-20253) Exposes Systems to Unauthenticated RCE
769 • CRITICAL-9 • SPLCIS1781519269
Security researchers have disclosed a critical vulnerability in Splunk Enterprise, tracked as CVE-2026-20253, which allows unauthenticated attackers to execute arbitrary code on vulnerable systems. The flaw, rated 9.8 (CVSS), affects Splunk’s widely used SIEM and data analytics platform, posing severe risks to enterprises that rely on it for security monitoring and operational visibility.
### Vulnerability Details
The flaw resides in a PostgreSQL sidecar service within Splunk Enterprise, which lacks proper authentication controls. Attackers can exploit this to perform arbitrary file operations (creating, modifying, or deleting files), potentially leading to remote code execution (RCE).
Affected Versions:
- Splunk Enterprise 10.0.0–10.0.6
- Splunk Enterprise 10.2.0–10.2.3
Patched Versions:
- Splunk Enterprise 10.0.7
- Splunk Enterprise 10.2.4
- Splunk Enterprise 10.4 (unaffected)
- Splunk Cloud (unaffected, as it does not use the vulnerable PostgreSQL sidecar)
### Exploitation Mechanism
Researchers at watchTowr Labs demonstrated how attackers can chain two vulnerable endpoints, `/v1/postgres/recovery/backup` and `/v1/postgres/recovery/restore`, to achieve RCE without authentication.
1. Backup Exploitation: Attackers connect a vulnerable Splunk instance to a malicious PostgreSQL database, writing a crafted dump to arbitrary filesystem locations.
2. Restore Exploitation: By manipulating the `.pgpass` file (containing PostgreSQL credentials), attackers execute SQL commands under the `postgres_admin` account.
3. Arbitrary File Write: Using PostgreSQL’s `lo_export` function, attackers write malicious files to the system.
4. RCE via Script Overwrite: Attackers replace legitimate Splunk scripts (e.g., Python files in the Splunk Secure Gateway) with malicious payloads, executing code under the service’s privileges.
### Impact & Risks
Splunk is a centralized security and operational intelligence platform, aggregating logs from:
- Domain controllers, firewalls, cloud infrastructure, EDR systems, and identity providers
- Critical business applications and network devices
A compromised Splunk instance could allow attackers to:
- Access sensitive operational data (security alerts, authentication logs, network architecture)
- Tamper with or delete logs, hindering incident detection and forensic investigations
- Move laterally within an organization, leveraging Splunk’s privileged access to other systems
### Response & Mitigation
Splunk and Cisco have released emergency patches and urge organizations to:
- Upgrade immediately to 10.0.7 or 10.2.4
- Restrict network access to Splunk administrative interfaces
- Monitor for unusual PostgreSQL recovery activity and unauthorized file modifications
- Conduct threat hunting for indicators of compromise
While no active exploitation has been confirmed, the public release of technical details increases the risk of automated scanning and weaponization by threat actors, including ransomware groups and state-sponsored attackers. Enterprises are advised to treat this as a high-priority remediation issue.
MAY 2026 (score: 777)
APRIL 2026 (score: 781)
Vulnerability • 15 Apr 2026 • Splunk
Splunk: Splunk Enterprise and Cloud Platform Exposed to Dangerous RCE Vulnerability
Splunk Discloses High-Severity RCE Vulnerability in Enterprise and Cloud Platforms
777 • CRITICAL-4 • SPL1776320620
Splunk has revealed a high-severity vulnerability (CVE-2026-20204) affecting its Enterprise and Cloud Platform environments, enabling remote code execution (RCE) with a CVSS score of 7.1. The flaw, discovered by security researcher Gabriel Nitu, stems from improper handling of temporary files in the `SPLUNK_HOME/var/run/splunk/apptemp` directory, allowing low-privileged users without admin or power roles to upload malicious files and execute arbitrary code.
The vulnerability poses a significant risk, as even a compromised standard account could lead to full server takeover. Affected versions include:
Splunk Enterprise:
- 10.2.0
- 10.0.0–10.0.4
- 9.4.0–9.4.9
- 9.3.0–9.3.10
Splunk Cloud Platform:
- All builds below 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127
(Version 10.4.2603 remains unaffected.)
Splunk has released patches for Enterprise users (10.2.1, 10.0.5, 9.4.10, 9.3.11) and is deploying fixes for Cloud Platform instances. As a temporary workaround, administrators can disable Splunk Web via the `web.conf` configuration file to eliminate the attack surface. The advisory was published on April 15, 2026.
MARCH 2026 (score: 785)
Vulnerability • 12 Mar 2026 • Splunk
Splunk: Splunk RCE Vulnerability Exposes Systems to Arbitrary Shell Command Execution by Attackers
High-Severity RCE Vulnerability in Splunk Enterprise and Cloud Platform Disclosed
781 • CRITICAL-4 • SPL1773304071
A critical Remote Command Execution (RCE) vulnerability, tracked as CVE-2026-20163 (CVSS 8.0), has been identified in Splunk Enterprise and Splunk Cloud Platform, exposing systems to arbitrary command execution risks. The flaw stems from improper input neutralization (CWE-77) in the platform’s REST API, specifically at the `/splunkd/__upload/indexing/preview` endpoint.
During file upload previews, Splunk processes the `unarchive_cmd` parameter without adequate sanitization, allowing attackers to inject malicious shell commands. While exploitation requires a user account with the `edit_cmd` privilege, limiting exposure to high-level administrators, a compromised admin account could enable full server takeover.
Affected Versions:
- Splunk Enterprise 10.0: 10.0.0–10.0.3
- Splunk Enterprise 9.4: 9.4.0–9.4.8
- Splunk Enterprise 9.3: 9.3.0–9.3.9
- Splunk Cloud Platform: Versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.24
Mitigation:
Splunk has released patches to address the flaw. Administrators should upgrade to:
- Splunk Enterprise 10.0: 10.0.4
- Splunk Enterprise 9.4: 9.4.9
- Splunk Enterprise 9.3: 9.3.10
Splunk Cloud Platform instances are being patched automatically by the vendor. The Splunk Enterprise 10.2 branch remains unaffected.
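As an added illustration of the monitoring advice in the two Splunk advisories above (watching for PostgreSQL recovery activity, and for command injection through `unarchive_cmd`), the following Python snippet is not Splunk's code: it scans constructed, splunkd_access.log-style lines (the line format and every sample entry are assumptions) and flags requests that match either pattern.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed splunkd_access.log-style lines (format and values assumed, not real captures).
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Mar/2026:10:15:32.123 +0000] "POST /services/search/jobs HTTP/1.1" 201 512
10.0.0.9 - admin [12/Mar/2026:10:16:01.004 +0000] "POST /splunkd/__upload/indexing/preview?unarchive_cmd=gzip+-d+%3B+id HTTP/1.1" 200 88
10.0.0.9 - admin [12/Mar/2026:10:16:20.310 +0000] "POST /splunkd/__upload/indexing/preview?unarchive_cmd=tar+-xzf HTTP/1.1" 200 88
10.0.0.7 - - [01/Jun/2026:03:02:11.900 +0000] "POST /v1/postgres/recovery/backup HTTP/1.1" 200 0
10.0.0.7 - - [01/Jun/2026:03:02:45.120 +0000] "POST /v1/postgres/recovery/restore HTTP/1.1" 200 0
"""

# src - user [timestamp] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<src>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters that let a parameter value break out of a single shell command.
SHELL_META = re.compile(r'[;&|`$<>\n]')

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # not an access-log line we understand
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)   # decodes %3B and '+' for us
    return rec

def findings_for(rec):
    """Return the detection labels that apply to one parsed request."""
    hits = []
    # CVE-2026-20253 pattern: the PostgreSQL sidecar recovery endpoints should be rare.
    if rec["path"].startswith("/v1/postgres/recovery/"):
        hits.append("postgres recovery endpoint")
    # CVE-2026-20163 pattern: unarchive_cmd carrying shell metacharacters.
    if rec["path"].endswith("/__upload/indexing/preview"):
        for cmd in rec["query"].get("unarchive_cmd", []):
            if SHELL_META.search(cmd):
                hits.append("shell metacharacters in unarchive_cmd")
    return hits

def scan(text):
    """Run both rules over a log text; each result is (ts, src, user, path, label)."""
    out = []
    for line in text.splitlines():
        rec = parse_line(line)
        for label in (findings_for(rec) if rec else []):
            out.append((rec["ts"], rec["src"], rec["user"], rec["path"], label))
    return out

if __name__ == "__main__":
    for row in scan(SAMPLE_LOG):
        print(" | ".join(row))
```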
FEBRUARY 2026 (score: 785)
JANUARY 2026 (score: 784)
DECEMBER 2025 (score: 784)
NOVEMBER 2025 (score: 784)
OCTOBER 2025 (score: 784)
SEPTEMBER 2025 (score: 783)
AUGUST 2025 (score: 783)
JULY 2025 (score: 783)
JUNE 2025 (score: 787)
Vulnerability • 18 Jun 2025 • Splunk
Spotify, Mitre and Splunk: Misconfigured GitHub Actions could leave repos and secrets exposed, Sysdig finds • DEVCLASS
GitHub Repositories Vulnerable to Hijacking via Insecure pull_request_target Workflows
782 • HIGH-5 • SPOMITSPL1767777752
GitHub Repositories at Risk: Sysdig Uncovers Critical Workflow Vulnerabilities
Sysdig researchers have identified a significant security risk in GitHub repositories, where improperly configured workflows could allow attackers to hijack projects by exploiting the `pull_request_target` event in GitHub Actions. Unlike the standard `pull_request` trigger—which runs in the context of a merge commit—`pull_request_target` executes in the base branch (typically the default branch) and has access to repository secrets and write permissions via the `GITHUB_TOKEN`.
The vulnerability arises when maintainers use `pull_request_target` to test untrusted code from public contributors, inadvertently exposing sensitive credentials. If misconfigured, attackers could inject malicious code, exfiltrate secrets, and gain elevated privileges within the repository.
Sysdig’s investigation revealed multiple affected projects, including:
- Spotipy, an open-source Python library for the Spotify Web API, where researchers demonstrated the ability to execute malicious Python packages and steal the `GITHUB_TOKEN`. The flaw has since been patched.
- Mitre’s cyber analytics repository, where attackers could exfiltrate the `GITHUB_TOKEN` and other secrets, potentially gaining full control. Mitre addressed the issue promptly.
- Splunk’s security_content repository, where two secrets were exposed, though the extracted `GITHUB_TOKEN` had limited read-only access.
Stefano Chierici, Sysdig’s threat research lead, warned that the impact depends on the privileges of the extracted token. In severe cases, attackers could modify workflows, exfiltrate additional secrets, or alter files in the main branch—effectively taking over the repository. While `pull_request_target` can be used safely, its nuances require careful handling to avoid exploitation.
Sysdig has reported additional vulnerable repositories and is awaiting remediation before disclosing further details. The findings underscore the need for maintainers to audit their GitHub Actions workflows for potential misconfigurations.
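To turn the audit advice above into something a maintainer can run, here is an added Python check (not Sysdig's tooling or any of the named projects' code) that applies line-based heuristics to two constructed workflow files: one that checks out the pull request head under `pull_request_target` and runs it with secrets in scope, and a safer equivalent triggered by plain `pull_request`.

```python
import re

# Constructed workflow files (assumed examples, not from the Spotipy, Mitre or Splunk repositories).
RISKY_WORKFLOW = """\
name: ci
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: pip install . && pytest
        env:
          API_KEY: ${{ secrets.API_KEY }}
"""

SAFER_WORKFLOW = """\
name: ci
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install . && pytest
"""

# Line-based heuristics; good enough for these patterns without a YAML parser.
TRIGGER_RE = re.compile(r'^\s*(on:\s*)?-?\s*pull_request_target\b|^on:\s*\[[^\]]*\bpull_request_target\b', re.M)
HEAD_REF_RE = re.compile(r'github\.event\.pull_request\.head\.(sha|ref)')  # checkout of contributor code
RUN_RE = re.compile(r'^\s*-?\s*run:', re.M)
SECRETS_RE = re.compile(r'\$\{\{\s*secrets\.')

def audit_workflow(text):
    findings = []
    if not TRIGGER_RE.search(text):
        return findings  # plain pull_request from a fork gets no secrets and a read-only token
    findings.append("uses pull_request_target: runs with the base branch GITHUB_TOKEN and secrets")
    checks_out_head = bool(HEAD_REF_RE.search(text))
    if checks_out_head and RUN_RE.search(text):
        findings.append("checks out the PR head and runs commands: untrusted code executes with write access")
    if checks_out_head and SECRETS_RE.search(text):
        findings.append("secrets are passed into a job that checks out untrusted code")
    return findings

if __name__ == "__main__":
    for name, wf in (("risky", RISKY_WORKFLOW), ("safer", SAFER_WORKFLOW)):
        print(name, audit_workflow(wf) or ["no findings"])
```

A `pull_request_target` workflow that never checks out the contributor's ref (a labeler, for instance) yields only the first, informational finding.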
MARCH 2025 (score: 788)
Vulnerability • 27 Mar 2025 • Splunk
Splunk Security Incident
786 • CRITICAL-2 • SPL355032725
Splunk has suffered a security incident due to two separate high-severity vulnerabilities. The first vulnerability enables RCE, allowing low-privileged users to execute arbitrary code through malicious file uploads, affecting Splunk Enterprise and Splunk Cloud Platform before certain versions. The second vulnerability affects the Splunk Secure Gateway app, where users can search with higher-privileged permissions, leading to potential unauthorized disclosure of sensitive information. Both issues have been patched, with suggested updates provided to Splunk users to remediate the risk. The security flaws highlight the critical importance of maintaining updated systems and monitoring access control within corporate environments to prevent data breaches and maintain operational integrity.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Splunk?
What was Splunk's A.I Rankiteo Cyber Score in May 2026?
What was Splunk's A.I Rankiteo Cyber Score in April 2026?
What was Splunk's A.I Rankiteo Cyber Score in March 2026?
What was Splunk's A.I Rankiteo Cyber Score in February 2026?
What was Splunk's A.I Rankiteo Cyber Score in January 2026?
What was Splunk's A.I Rankiteo Cyber Score in December 2025?
What was Splunk's A.I Rankiteo Cyber Score in November 2025?
What was Splunk's A.I Rankiteo Cyber Score in October 2025?
What was Splunk's A.I Rankiteo Cyber Score in September 2025?
What was Splunk's A.I Rankiteo Cyber Score in August 2025?
What was Splunk's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Splunk's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Splunk?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Splunk's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?