Splunk Enterprise Patches RCE Flaw Exploitable by Low-Privileged Users via File Upload

Splunk has released an update addressing a remote code execution vulnerability that allows low-privileged authenticated users to upload files to a temporary directory and achieve code execution on the Splunk Enterprise server.

The attack surface is particularly concerning in enterprises that grant broad Splunk access to SOC analysts and other operational teams — an insider threat or compromised low-privilege account is sufficient to escalate to full server control. Splunk is frequently deployed with elevated OS-level permissions, making this a high-value lateral movement path.

Organizations should apply the Splunk Enterprise patch immediately and review which user accounts have upload privileges in the Splunk environment.