Splunk Discloses High-Severity Vulnerability

Splunk has disclosed a high-severity DLL hijacking vulnerability in its Enterprise for Windows software for versions prior to 9.2.12. The flaw could allow a low-privilege user to gain SYSTEM-level access on the machine after a restart. Users are advised to update to the patched version.

- The vulnerability is officially tracked as CVE-2026-20140 and has been assigned a CVSSv3.1 score of 7.7, which is considered high severity. It exists because the software may load a malicious DLL file placed by a low-privileged user in a specific directory during service startup.
- Gaining `NT AUTHORITY\SYSTEM` privileges allows an attacker to have full control over the compromised machine. This level of access can be used to disable security controls, deploy ransomware, or extract sensitive data.
- This type of flaw is categorized as CWE-427 (Uncontrolled Search Path Element), a well-known class of vulnerabilities where an application's process for finding and loading required DLLs is insecure.
- The vulnerability was discovered and reported by security researcher Marius Gabriel Mihai. As of early 2026, there have been no public reports of this specific vulnerability being actively exploited in the wild.
- In addition to the specifically mentioned version 9.2.12, Splunk has released patches for several other affected versions, including 10.0.3, 9.4.8, and 9.3.9. Deployments on non-Windows operating systems are not affected.
- While the attack requires an adversary to already have local access to the system, such privilege escalation vulnerabilities are commonly used by attackers after an initial compromise (e.g., through phishing or malware) to gain deeper control.
- As a temporary mitigation for those unable to patch immediately, Splunk advises restricting user permissions to create directories or write files in locations that could affect Splunk's DLL resolution path. Monitoring for and alerting on unexpected restarts of Splunk services is also recommended.
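As an added, defender-side illustration of the interim workaround in the last item (this is example code, not Splunk's own guidance or tooling), the following PowerShell audit enumerates the directories a Windows service's DLL search will consult and flags ACL entries that let low-privilege principals write there or create subdirectories. It assumes the Splunk service is registered as `splunkd` and must run from an elevated session; because the advisory summary above does not name the specific directory involved, the script checks the general search path rather than one known location.

```powershell
# Added example (not Splunk's code): find DLL-search-path directories that
# low-privilege principals can write to. Run as an administrator.
param(
    # Assumption: the Splunk service name is "splunkd"; adjust if yours differs.
    [string]$ServiceName = 'splunkd'
)

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }

# Extract the service binary path, whether or not it is quoted in ImagePath.
$exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
       else { ($svc.PathName -split ' ')[0] }

# Default DLL search order starts with the executable's own directory and
# ends with the machine-wide PATH, so audit both.
$dirs = @([IO.Path]::GetDirectoryName($exe)) +
        ([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';')
$dirs = $dirs |
    Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
    Select-Object -Unique

# Principals that should never hold write/create rights on these paths.
$lowPriv = @('Everyone', 'BUILTIN\Users',
             'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# "Write" covers WriteData/CreateFiles, AppendData/CreateDirectories and
# attribute writes; the rest allow replacing or re-permissioning files.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

foreach ($d in $dirs) {
    $acl = Get-Acl -LiteralPath $d
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Directory = $d
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}
```

Any row it prints is a location where a non-admin user could plant a DLL that a SYSTEM service might pick up on its next restart; tighten that directory's ACL (or remove it from PATH) until the patched build is deployed.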


Shared from Scout - Be the smartest in the room.