```html ``` We Said Get Splunk Off the Internet. Shodan Says 11,422 of You Didn't — and 6,900 Are in the United States.
top of page

We Said Get Splunk Off the Internet. Shodan Says 11,422 of You Didn't — and 6,900 Are in the United States.

  • Writer: Patrick Duggan
    Patrick Duggan
  • 1 minute ago
  • 3 min read

Yesterday we wrote up CVE-2026-20253, a CVSS 9.8 flaw in Splunk Enterprise tracked in Splunk's own advisory SVD-2026-0603. The root cause is the plainest kind there is: a PostgreSQL sidecar service endpoint that ships with no authentication at all, classified CWE-306, missing authentication for a critical function. Any network-reachable stranger can invoke it to create or truncate arbitrary files on the box, and public research has shown the primitive chaining into pre-authenticated remote code execution under realistic conditions. Truncation is the quiet half: the files a smart attacker zeroes first are the logs that would have recorded them. Splunk's PSIRT has confirmed limited exploitation in the wild, and CISA added it to the Known Exploited Vulnerabilities catalog. So we did the obvious thing and asked Shodan how many Splunk servers are actually sitting on the public internet where an anonymous attacker could reach them. The answer is 11,422.



Which versions are actually vulnerable, and the twist


The flaw lives in the PostgreSQL sidecar, which is a newer piece of the Splunk architecture, so the version math has an irony to it. The vulnerable builds are Splunk Enterprise 10.2.0 through 10.2.3 and 10.0.0 through 10.0.6. The fixes are 10.4.0, 10.2.4, and 10.0.7 or higher. Splunk Enterprise 9.4 and earlier are not affected at all. The organizations that dragged their feet on the 10.x upgrade and are still running old 9.x are, for once, the ones sitting safe, while the teams that stayed current are the exposed ones. It is a rare week where patch-laggards win a round, and it will not last, because the fix is a point release away and staying on 9.x has its own long list of reasons not to.


If you run Splunk, the check is thirty seconds: your version is on the server settings page and in the splunkd startup banner. If it reads 10.2.0 through 10.2.3 or 10.0.0 through 10.0.6, you are in scope. Move to 10.2.4, 10.0.7, or 10.4.0.



Where they are


The map is not subtle, and the United States is not winning a prize it wants.


  • United States: 6,902

  • Germany: 1,153

  • Australia: 669

  • Japan: 564

  • United Kingdom: 558

  • Ireland: 529

Nearly all of them, 11,417, are serving the Splunk web interface over HTTPS, and roughly 1,700 also have the splunkd management port exposed. That management port is the surface this month's bug lives on.



Why this number is the whole point


Splunk is a security tool. It is the thing an organization stands up specifically to watch for attacks, ingest the logs, and be the place you find out you were breached. Almost seven thousand American organizations took that tool and pointed it at the open internet, and now the tool has a bug that lets anyone reachable over the network truncate its files. A SIEM on the public internet was already a bad idea on a quiet Tuesday. With an unauthenticated write-and-erase primitive live and the weekend on, it is the security equivalent of leaving the keys in the ignition of the getaway car.



The honest caveat


We are going to be precise, because the number is easy to abuse. Eleven thousand is the count of internet-facing Splunk instances, not a count of confirmed-vulnerable ones. Some are already patched. Some run versions the flaw does not touch. A handful are honeypots run by people like us, and some banners are stale. So read 11,422 as the exposure surface, the population of Splunk boxes an attacker can even knock on, rather than a body count. The point stands regardless of what fraction is patched: a security-monitoring platform does not belong on the public internet, and eleven thousand of them are there anyway.


We cap our certainty at 95 percent, and here the missing five points are the patch state we cannot see from a banner. What Shodan can see is bad enough. If one of those 6,902 US dots is yours, the fix is not only this month's Splunk update. It is getting the box off the internet, behind a VPN or an allowlist, so the next unauthenticated bug, and there is always a next one, has nothing to reach.




Every indicator in this post is in the feed. Free.

1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.


bottom of page