Splunk has disclosed a critical vulnerability in Splunk Enterprise for Windows that allows a low-privileged local user to escalate privileges to SYSTEM through a DLL search-path hijacking attack.
Tracked as CVE-2026-20140 and published on February 18, 2026, under advisory SVD-2026-0205, the vulnerability carries a CVSSv3.1 score of 7.7 (High) and is classified as CWE-427 (Uncontrolled Search Path Element).
The vulnerability affects Splunk Enterprise for Windows versions earlier than 10.2.0, 10.0.3, 9.4.8, 9.3.9, and 9.2.12. An attacker with low-privileged access to a Windows system running Splunk Enterprise may exploit this flaw by creating a directory on the system drive where Splunk is installed and placing a malicious DLL in it.
When the Splunk Enterprise service restarts, the application might load the rogue DLL because of its insecure library search order. Because the service runs with SYSTEM-level privileges, the injected code inherits those elevated rights, effectively giving the attacker complete control over the host.
The CVSS vector highlights several key attributes of this attack. The need for local access (AV:L) rules out remote exploitation, and the high attack complexity (AC:H) and required user interaction (UI:R) raise the bar further, yet the flaw still poses a significant risk to enterprise environments, particularly shared or multi-user Windows setups.
The scope change (S:C), combined with High ratings for Confidentiality, Integrity, and Availability, reflects the severe consequences of a successful exploit. The vulnerability does not affect non-Windows Splunk installations, where its severity is rated Informational.
Impacted and Corrected Versions
| Product | Impacted Versions | Corrected Version |
|---|---|---|
| Splunk Enterprise 10.0 | 10.0.0 to 10.0.2 | 10.0.3 |
| Splunk Enterprise 9.4 | 9.4.0 to 9.4.7 | 9.4.8 |
| Splunk Enterprise 9.3 | 9.3.0 to 9.3.8 | 9.3.9 |
| Splunk Enterprise 9.2 | 9.2.0 to 9.2.11 | 9.2.12 |
| Splunk Enterprise 10.2 | Not Affected | 10.2.0 |
Splunk has fixed the vulnerability in versions 10.2.0, 10.0.3, 9.4.8, 9.3.9, and 9.2.12. Organizations running Splunk Enterprise on Windows are strongly encouraged to apply the relevant patch immediately.
Where immediate patching is impractical, administrators should restrict write permissions on directories on the system drive to prevent unauthorized DLL placement.
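One way to check the workaround above before changing any permissions, as an added example that is not taken from Splunk's advisory: the script reads the ACL on the root of the drive and reports every principal other than SYSTEM, Administrators and TrustedInstaller that is allowed to create folders or files there. The `$Drive` parameter and the list of trusted SIDs are assumptions of this example.

```powershell
# Added example: list non-administrative principals that can create folders or
# files directly in the root of a drive.
# Assumption: Splunk Enterprise is installed on $Drive (default: the system drive).
param([string]$Drive = $env:SystemDrive)

$root = $Drive.TrimEnd('\') + '\'

# Well-known SIDs that are expected to hold write access.
$trusted = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# CreateFiles (WriteData) and CreateDirectories (AppendData), plus the raw
# GENERIC_WRITE / GENERIC_ALL bits that some ACEs carry instead.
$createMask  = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'
$genericMask = 0x50000000
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

$acl   = Get-Acl -LiteralPath $root
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$findings = foreach ($rule in $rules) {
    # Deny ACEs and ACEs that only apply to children do not grant rights on the root.
    if ($rule.AccessControlType -ne 'Allow') { continue }
    if ([int]$rule.PropagationFlags -band $inheritOnly) { continue }

    $rights = [int]$rule.FileSystemRights
    if (-not ($rights -band ($createMask -bor $genericMask))) { continue }

    $sid = $rule.IdentityReference.Value
    if ($trusted -contains $sid) { continue }

    # Resolve the SID to a name for the report; keep the SID if that fails.
    try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid }

    [pscustomobject]@{ Path = $root; Account = $name; Sid = $sid; Rights = $rule.FileSystemRights }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning "Non-administrative principals can create folders or files in $root"
} else {
    Write-Output "No non-administrative create/write ACEs apply to $root"
}
```

The script only reads the ACL and does not evaluate Deny entries or group membership, so treat a clean result as a first check. On a default Windows volume the root ACL commonly lets Authenticated Users create folders, which is the permission the workaround is meant to remove.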
No detections or in-the-wild exploitation have been reported at this time. The vulnerability was responsibly disclosed by security researcher Marius Gabriel Mihai.