
CVE-2026-20140: Splunk Enterprise for Windows Local Privilege Escalation

CVE-2026-20140

Filip Dimitrov

February 20, 2026

Splunk disclosed a high-severity local privilege escalation (LPE) vulnerability affecting Splunk Enterprise for Windows. An attacker with low-privileged local access may be able to escalate to NT AUTHORITY\SYSTEM by abusing DLL search-order hijacking during Splunk service startup. The issue is tracked as CVE-2026-20140 under Splunk advisory SVD-2026-0205 and is rated CVSS 7.7 (High).

The issue is most relevant when an adversary already has a foothold on a Windows host (or in shared/admin jump environments) and wants to quickly elevate privileges to disable security controls, dump credentials, or deploy ransomware tooling.

What’s vulnerable

Splunk reports the issue affects Splunk Enterprise for Windows versions below the following fixed releases.

  • 10.0.0 – 10.0.2 → fixed in 10.0.3
  • 9.4.0 – 9.4.7 → fixed in 9.4.8
  • 9.3.0 – 9.3.8 → fixed in 9.3.9
  • 9.2.0 – 9.2.11 → fixed in 9.2.12
  • 10.2.x → not affected (10.2.0 and later)

Platform note: Splunk states non-Windows deployments are not impacted (severity would be informational).

Technical Details (How Exploitation Works)

Splunk’s advisory describes a scenario where a low-privileged Windows user who can create a directory on the system drive where Splunk Enterprise is installed and write a malicious DLL into that directory may cause Splunk Enterprise for Windows to load the attacker-controlled DLL during service startup. Because the Splunk service runs with elevated rights, the malicious DLL can execute with SYSTEM-level privileges after a restart.

This aligns with CWE-427 (Uncontrolled Search Path Element), a class of issues where software loads libraries using an insecure search order (e.g., from a writable location that is searched before the intended trusted path).

Why defenders should care even though it’s “local”:

  • Many real intrusions start with low-priv access (phishing, stolen creds, commodity malware, lateral movement into a workstation) and then pivot to LPE to obtain full control.
  • Once SYSTEM is achieved, common follow-on actions include disabling EDR, extracting secrets/credentials, and deploying payloads with maximum reliability.

Detection and hunting guidance

Because this is an LPE that triggers on service startup, hunting is most effective when you correlate:

  1. Unexpected Splunk service restarts, and
  2. DLL loads / file writes in or near Splunk installation paths (or suspicious new directories on the install drive that align with the hijack condition).
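As an added example (not code from Splunk's advisory or from the OP Innovate team), the Python below runs the correlation just described over a few constructed, Sysmon-style log lines. It flags two patterns: a DLL written on the install drive by a non-system process shortly before a Splunkd restart, and splunkd.exe loading a DLL from outside its install directory or the Windows system directories shortly after a restart. The service name `Splunkd`, the default install path, the trusted DLL directories, the 30-minute window and every file name in the sample log are assumptions for illustration, not values from the advisory.

```python
"""Correlate Splunk service restarts with DLL drops/loads outside trusted paths.

Added example for this post, not code from Splunk or OP Innovate. The log
lines are constructed (Sysmon-style fields); the install path, service name,
trusted directories and window are assumptions to adjust for your environment.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumptions: default install path, service name and trusted DLL locations.
SPLUNK_IMAGE = "c:\\program files\\splunk\\bin\\splunkd.exe"
SERVICE_NAME = "splunkd"
TRUSTED_DLL_DIRS = (
    "c:\\program files\\splunk\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)

# Constructed sample telemetry: timestamp|event|process image|target (path or service).
# All file and directory names below are placeholders, not real indicators.
SAMPLE_LOG = """\
2026-02-18T08:55:10Z|FileCreate|C:\\Windows\\System32\\msiexec.exe|C:\\Program Files\\Splunk\\bin\\vendor.dll
2026-02-18T09:14:31Z|FileCreate|C:\\Users\\lowpriv\\placeholder.exe|C:\\NewDir\\example.dll
2026-02-18T09:15:02Z|ServiceRestart|C:\\Windows\\System32\\services.exe|Splunkd
2026-02-18T09:15:04Z|ImageLoad|C:\\Program Files\\Splunk\\bin\\splunkd.exe|C:\\NewDir\\example.dll
2026-02-18T09:15:05Z|ImageLoad|C:\\Program Files\\Splunk\\bin\\splunkd.exe|C:\\Windows\\System32\\kernel32.dll
2026-02-18T13:00:00Z|ServiceRestart|C:\\Windows\\System32\\services.exe|Splunkd
2026-02-18T13:00:02Z|ImageLoad|C:\\Program Files\\Splunk\\bin\\splunkd.exe|C:\\Program Files\\Splunk\\bin\\vendor.dll
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    image: str   # process that performed the action (lower-cased)
    target: str  # file path or service name (lower-cased)


@dataclass(frozen=True)
class Finding:
    rule: str
    dll_path: str
    restart_ts: datetime


def parse_events(text: str) -> list[Event]:
    """Parse the pipe-delimited sample format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, image, target = line.split("|", 3)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            kind, image.lower(), target.lower()))
    return sorted(events, key=lambda e: e.ts)


def is_untrusted_dll(path: str) -> bool:
    """A DLL anywhere other than the Splunk install dir or the Windows system dirs."""
    return path.endswith(".dll") and not path.startswith(TRUSTED_DLL_DIRS)


def on_install_drive(path: str) -> bool:
    """Same drive letter as the Splunk install (the hijack precondition in the advisory)."""
    return path[:2] == SPLUNK_IMAGE[:2]


def find_hijack_candidates(events: list[Event], window_seconds: int = 1800) -> list[Finding]:
    """Tie untrusted DLL writes/loads to Splunkd restarts within the window."""
    window = timedelta(seconds=window_seconds)
    restarts = [e.ts for e in events
                if e.kind == "ServiceRestart" and e.target == SERVICE_NAME]
    findings = []
    for e in events:
        if e.kind == "ImageLoad" and e.image == SPLUNK_IMAGE and is_untrusted_dll(e.target):
            # splunkd pulled in a DLL from a non-trusted path; link it to the nearest restart
            near = [r for r in restarts if abs(e.ts - r) <= window]
            if near:
                closest = min(near, key=lambda r: abs(e.ts - r))
                findings.append(Finding("splunkd_loaded_untrusted_dll", e.target, closest))
        elif (e.kind == "FileCreate" and is_untrusted_dll(e.target)
              and on_install_drive(e.target) and not e.image.startswith(TRUSTED_DLL_DIRS)):
            # a non-system process wrote a DLL on the install drive; flag it if a restart follows
            after = [r for r in restarts if timedelta(0) <= r - e.ts <= window]
            if after:
                findings.append(Finding("dll_written_before_splunk_restart", e.target, after[0]))
    return findings


if __name__ == "__main__":
    for f in find_hijack_candidates(parse_events(SAMPLE_LOG)):
        print(f"{f.rule}: {f.dll_path} (restart at {f.restart_ts.isoformat()})")
```

Both rules fire on the constructed log for `c:\newdir\example.dll` around the 09:15 restart, while the 13:00 restart that only loads DLLs from the install directory produces nothing. In production the same logic maps onto Sysmon Event ID 7 (image load), Event ID 11 (file create) and the Service Control Manager start/stop events; tune the trusted directories to your actual install path and the window to how long your hosts take to come back up.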

Mitigation and response

Splunk’s official remediation is to upgrade Splunk Enterprise for Windows to a fixed version: 10.2.0 / 10.0.3 / 9.4.8 / 9.3.9 / 9.2.12 or higher.

If you cannot patch immediately, reduce the exploitability of search-path hijacking patterns by focusing on write permissions and service restart controls, including:

  • Limit which users can create directories or write files in locations that could influence Splunk’s DLL resolution on the install drive.
  • Reduce who can restart Splunk services (service control permissions), and alert on unexpected restarts.
  • Monitor for, and where feasible block, suspicious DLL drops in Splunk-adjacent paths.


Stay Safe. Stay Secure

OP Innovate Research Team
