Splunk administrators operating in Windows environments face a double threat this week. A new security advisory reveals two high-severity vulnerabilities in Splunk Enterprise for Windows that could allow low-privileged users to hijack the system and elevate their access to full system-level privileges.
Both flaws, tracked as CVE-2026-20143 and CVE-2026-20140, carry a CVSS score of 7.7 and stem from how the software searches for external dependencies at startup.
The first vulnerability, CVE-2026-20143, involves the Python module search path. In affected Windows environments, the software fails to properly secure the directories it searches when loading Python scripts.
According to the advisory, “a low-privileged Windows user that can create a directory on the system drive where Splunk Enterprise is installed can write a malicious Python script into that directory”.
The danger materializes the next time the software restarts. Because Splunk Enterprise typically runs with highly elevated permissions, the maliciously planted script “might run with system level privileges when the Splunk Enterprise instance restarts,” leading to a complete Local Privilege Escalation (LPE) as well as a potential Denial of Service (DoS).
The second vulnerability, CVE-2026-20140, utilizes a classic but devastating technique: DLL Search-Order Hijacking.
Similar to the Python flaw, the exploit requires a low-privileged user to create a directory on the system drive where Splunk is installed. However, in this scenario, the attacker writes a malicious Dynamic Link Library (DLL) file into that directory instead of a Python script.
The advisory explains that this “might cause Splunk Enterprise for Windows to load that DLL during Splunk Enterprise service startup”. Because Windows searches for DLLs in a specific order, planting a maliciously crafted DLL in the right path tricks the application into loading it before the legitimate system DLL.
“This condition can result in a Local Privilege Escalation (LPE) through a DLL search-order hijacking, as the injected DLL might run with system level privileges,” the report warns.
The vulnerabilities affect multiple release tracks of Splunk Enterprise for Windows. Specifically, the flaws are present in versions below 10.2.0, 10.0.3, 9.4.8, and 9.3.9 (with the DLL flaw also explicitly impacting versions below 9.2.12).
To mitigate the threat of local privilege escalation, organizations are strongly urged to apply the provided solution immediately. The official guidance instructs administrators to “Upgrade Splunk Enterprise to versions 10.2.0, 10.0.3, 9.4.8, 9.3.9 or higher” to close the search-path loopholes and secure their infrastructure.
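Both flaws share the precondition quoted above: a low-privileged user who can create a directory on the drive where Splunk Enterprise is installed. The PowerShell below audits the ACL on that drive's root for this condition. It is an added example, not code from the advisory or from Splunk; the install path, the function name Get-LowPrivDirectoryCreator and the set of group SIDs treated as low-privileged are assumptions of this example.

```powershell
# Added example, not Splunk's code. Read-only: it changes no permissions.
# Deny entries are not evaluated, so a finding means "allowed unless denied".
param([string]$SplunkHome = 'C:\Program Files\Splunk')   # assumed install path

# Well-known SIDs of broad groups that include ordinary users.
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Access-mask bits that permit creating a subdirectory:
# CreateDirectories (0x4), GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000).
$CreateMask = 0x4 -bor 0x40000000 -bor 0x10000000

function Get-LowPrivDirectoryCreator {
    param([Parameter(Mandatory)][string]$Path)

    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        # Inherit-only entries apply to children, not to $Path itself.
        $inheritOnly = $rule.PropagationFlags.HasFlag(
            [System.Security.AccessControl.PropagationFlags]::InheritOnly)
        if ($rule.AccessControlType -eq 'Allow' -and -not $inheritOnly -and
            $LowPrivSids.ContainsKey($sid) -and
            ([int]$rule.FileSystemRights -band $CreateMask)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $LowPrivSids[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Audit the root of the drive that holds the Splunk installation.
$driveRoot = [System.IO.Path]::GetPathRoot($SplunkHome)
$findings  = @(Get-LowPrivDirectoryCreator -Path $driveRoot)
if ($findings.Count -eq 0) {
    "No low-privileged principal can create directories in $driveRoot"
} else {
    $findings | Format-Table -AutoSize
}
```

A finding here shows only that the precondition exists on the host; upgrading to a fixed release remains the remediation the advisory gives.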