Rapid responses
runZero’s Rapid Response program provides immediate detection and notification of emerging threats. Older entries are migrated to standalone queries or templates.
Splunk provides ingestion and indexing of machine-generated data, and is commonly used for logging, tracing, SIEM, and other business processes. The PostgreSQL Sidecar Service is a Splunk-provided storage integration that provides a PostgreSQL database and API provider for Splunk Enterprise deployments.
Certain versions of Splunk Enterprise and Splunk Cloud Platform that utilize the PostgreSQL Sidecar Service are vulnerable to an unauthenticated file upload vulnerability chain that can result in remote code execution. An attacker can utilize a logic bug in the PostgreSQL Sidecar Service to trigger internal operations on behalf of the SQL server, including backup and restore functionality. It was found that the backup logic additionally allowed path traversal, enabling the attacker to control database connections; when combined with the API's restore logic, this could point the restore at an attacker-hosted SQL database to trigger remote code execution. This allows an attacker to gain unauthenticated access to the underlying operating system.
There is evidence that this vulnerability is being actively exploited in the wild and the vulnerability has been added to the CISA KEV list June 18th, 2026.
The following versions are affected only if the PostgreSQL Sidecar Service is enabled:
- Splunk Enterprise:
  - 10.0.0 through 10.0.6
  - 10.2.0 through 10.2.3
Note: The PostgreSQL Sidecar Service must be enabled for exploitation by an attacker; verify this directly on deployed instances.
Additionally, Amazon Web Services (AWS) deployed instances are likely vulnerable by default, while self-hosted instances must explicitly install and enable the PostgreSQL Sidecar Service.
vendor:="Splunk" AND (product:="Splunk" OR product:="splunkd") AND version:>0 AND ((version:>=10.0.0 AND version:<=10.0.6) OR (version:>=10.2.0 AND version:<=10.2.3))
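The query above matches on vendor, product, and two inclusive version ranges, but it cannot see whether the Sidecar Service is enabled. The following Python is an added example (not runZero's code) that applies the same matching logic to a constructed asset inventory and separates confirmed exposures from hits that still need the sidecar check; the `sidecar_enabled` field is an assumed attribute, not something the inventory query returns.

```python
from dataclasses import dataclass

# Inclusive version ranges taken from the runZero Splunk query above.
AFFECTED_RANGES = [((10, 0, 0), (10, 0, 6)), ((10, 2, 0), (10, 2, 3))]


@dataclass
class Asset:
    vendor: str
    product: str
    version: str            # e.g. "10.0.5"
    sidecar_enabled: bool   # assumed field; verified on the host, not by the query


def parse_version(version: str) -> tuple:
    """Turn '10.0.10' into (10, 0, 10) so comparisons are numeric, not lexical.
    A string compare would wrongly place '10.0.10' below '10.0.6'."""
    return tuple(int(part) for part in version.split("."))


def version_in_affected_range(version: str) -> bool:
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def matches_query(asset: Asset) -> bool:
    """Mirror the inventory query: vendor Splunk, product Splunk or splunkd,
    version inside one of the affected ranges."""
    return (asset.vendor == "Splunk"
            and asset.product in ("Splunk", "splunkd")
            and version_in_affected_range(asset.version))


def triage(assets: list) -> dict:
    """Query hits with the sidecar confirmed on are exposed; the rest need
    a manual check, since the query alone cannot prove exploitability."""
    hits = [a for a in assets if matches_query(a)]
    return {
        "exposed": [a for a in hits if a.sidecar_enabled],
        "verify_sidecar": [a for a in hits if not a.sidecar_enabled],
    }


# Constructed sample inventory for demonstration.
SAMPLE_ASSETS = [
    Asset("Splunk", "splunkd", "10.0.5", True),    # in range, sidecar on
    Asset("Splunk", "Splunk", "10.2.3", False),    # in range, needs a check
    Asset("Splunk", "splunkd", "10.0.10", False),  # above 10.0.6: not affected
    Asset("Splunk", "splunkd", "10.1.0", True),    # between ranges: not affected
    Asset("Veeam", "Backup & Replication", "12.3.2.4854", True),
]
```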
PeopleSoft is an enterprise resource planning (ERP) platform used for managing large organizations’ business functions.
Certain versions of the PeopleSoft Enterprise PeopleTools solution utilize the Environment Management Hub (EMHub) service that contains a server-side request forgery (SSRF) vulnerability. Remote unauthenticated attackers can utilize this vulnerability to chain outbound requests to achieve remote code execution and gain access to the underlying operating system.
There is evidence that this vulnerability is being actively exploited in the wild.
The following versions are affected:
- 8.61
- 8.62
_asset.protocol:http AND protocol:http AND (http.head.setCookie:"PS_TOKEN=" OR last.html.title:="Oracle PeopleSoft Sign-in" OR html.title:="Oracle PeopleSoft Sign-in")
Ivanti Sentry, formerly MobileIron Sentry, is an inline security gateway appliance that controls, encrypts, and isolates data traffic between remote mobile devices and a company’s internal corporate servers based on device compliance rules set by a central management platform.
Certain versions of Sentry are susceptible to two vulnerabilities. Successful exploitation could allow a remote, unauthenticated attacker to bypass authentication, create administrative accounts, and execute arbitrary commands with root privileges, leading to complete system compromise.
- CVE-2026-10520: An OS command injection vulnerability allows a remote, unauthenticated attacker to achieve root-level remote code execution (RCE).
- CVE-2026-10523: An authentication bypass vulnerability allows a remote, unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access.
There is evidence that CVE-2026-10520 is being actively exploited in the wild.
The following versions are affected:
- Ivanti Sentry: Versions 10.5.1, 10.6.1, 10.7.0, and prior.
Note: Older, unsupported product versions have not been tested but are likely also affected.
_asset.protocol:http AND protocol:http AND (last.http.body:"background-image:url(images/sentry-ivanti-logo-178x32.png)" OR last.http.body:"background-image:url(images/sentry-mi-logo-300x40.png)")
Veeam Backup & Replication is data protection software that supports image-level backup, recovery, and replication for virtual, physical, and cloud machines.
Certain versions of Veeam Backup & Replication contain a vulnerability that allows an authenticated domain user to achieve remote code execution (RCE) on the Backup Server. Additional technical details have not been released at this time.
The following versions are affected:
- Veeam Backup & Replication 12.x: Versions prior to 12.3.2.4854.
Note: Older, unsupported product versions have not been tested, but are likely also affected.
vendor:=Veeam AND (product:="Backup & Replication" OR product:="Veeam Backup & Replication")
Check Point Remote Access and Mobile Access VPN provide users access to corporate networks over IPSec.
Certain versions of the Check Point VPN solutions utilize the deprecated IKE protocol version 1 (IKEv1) that contains a logic flow vulnerability. Remote unauthenticated attackers can utilize this vulnerability to bypass the authentication validation without credentials in order to gain access to secure networks.
There is evidence that this vulnerability is being actively exploited in the wild.
The following versions are affected:
- Security Gateways
  - R82.10 Jumbo Hotfix Take 19 or below
  - R82 Jumbo Hotfix Take 103 or below
  - R81.20 Jumbo Hotfix Take 141 or below
  - R81.10 (End-of-Support (EOS))
  - R81 (End-of-Support (EOS))
  - R80.40 (End-of-Support (EOS))
- Spark Firewalls
  - R82.00.X
  - R81.10.X
  - R80.20.X (End-of-Support (EOS))
Note: Exploitation requires that VPN Remote Access or Mobile Access with IKEv1 be enabled. Gateways must additionally enable legacy Remote Access clients and not require machine certificate authentication.
hw:="Check Point%" AND protocol:ike AND ike.version:="1.0"
Each Rapid Response includes a query to find matching assets, a trigger to analyze all inventories for exposure, and a corresponding blog post with the details of the issue. This program focuses on helping customers mitigate exposures before compromise.