Splunk Enterprise Windows DLL Hijacking Grants SYSTEM Access
Splunk Enterprise for Windows contains a DLL search-order hijacking vulnerability tracked as CVE-2026-20140. A low-privileged local user who can write to the system drive can create a directory that the Splunk service searches for libraries and plant a malicious DLL there; when the service restarts, it loads that DLL and runs it as SYSTEM. The flaw affects versions below 10.2.0, 10.0.3, 9.4.8, 9.3.9 and 9.2.12.
The issue carries a CVSS v3.1 score of 7.7 (High) and is classified as CWE-427, Uncontrolled Search Path Element.
Splunk published advisory SVD-2026-0205 on February 18, 2026. Researcher Marius Gabriel Mihai reported the local privilege escalation to Splunk. No public exploit is known at the time of writing. The issue is Windows-only; Linux deployments are not affected.
The Windows DLL search order is what makes the bug exploitable. When the Splunk service starts, it resolves libraries by walking a list of directories, and one of the directories on that list lives on the system drive in a location an unprivileged user can create. Because the service runs as SYSTEM, a library planted there executes with full host privileges, enough to dump LSASS and install persistence.
Affected Versions Table
| Product | Vulnerable Range | Fixed Version |
|---|---|---|
| Splunk Enterprise 10.0 | 10.0.0 – 10.0.2 | 10.0.3 |
| Splunk Enterprise 9.4 | 9.4.0 – 9.4.7 | 9.4.8 |
| Splunk Enterprise 9.3 | 9.3.0 – 9.3.8 | 9.3.9 |
| Splunk Enterprise 9.2 | 9.2.0 – 9.2.11 | 9.2.12 |
| Splunk Enterprise 10.2 | Not affected (10.2.0 ships fixed) | 10.2.0 |
Patching is the only complete fix. In a default install the Splunk service runs as LocalSystem, the highest privilege level on a Windows host, so any code it loads inherits that privilege.
Attack Requirements Breakdown
Attackers need a local foothold first. Common vectors include:
- RDP access to SIEM server
- Compromised service accounts
- Shared Windows environments
- Lateral movement from domain users
Exploitation sequence:
- Gain low-priv write access to system drive
- Create directory in Splunk library search path
- Drop malicious DLL with SYSTEM payload
- Trigger Splunk service restart
- Gain full SYSTEM privileges
The advisory rates attack complexity High: the attacker has to know which directory splunkd searches and supply a DLL that satisfies the loader without crashing the service. User interaction is also required, because a low-privileged account cannot restart a SYSTEM service itself and has to wait for an administrator to do so or for the host to reboot.
CVSS Vector Analysis
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H breaks down as:
- AV:L – the attacker needs an existing local session or code execution on the host; the bug is not remotely exploitable on its own
- AC:H – success depends on conditions the attacker does not fully control, such as the exact directory searched and a DLL the loader accepts
- PR:N – no Splunk credentials or roles are needed; the local foothold with write access to the system drive is captured by the Local attack vector
- UI:R – someone other than the attacker has to restart the service
- S:C – the vulnerable component is Splunk, but the impact lands on the whole Windows host as SYSTEM, so the scope changes
- C:H/I:H/A:H – SYSTEM access gives complete control over the confidentiality, integrity and availability of the host
Non-Windows deployments are rated Informational, meaning they are not affected.
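The score can be reproduced from the vector. The following PowerShell script is an added example, not code from Splunk or from this article; it implements the CVSS v3.1 base-score equations (specification section 7.1) and evaluates the advisory's vector alongside three variants, which shows how much of the 7.7 comes from the restart requirement, the scope change and the attack complexity.

```powershell
# Added example; not from the Splunk advisory or this article. Implements the CVSS v3.1
# base-score equations (specification section 7.1) so the advisory's score can be
# reproduced from its vector and compared with nearby vectors.

function Invoke-Cvss31RoundUp {
    # "Roundup" as defined in CVSS v3.1 section 7.5: round up to one decimal place,
    # using integer arithmetic to avoid floating-point artefacts.
    param([double]$Value)
    $i = [math]::Round($Value * 100000)
    if (($i % 10000) -eq 0) { return $i / 100000.0 }
    return ([math]::Floor($i / 10000) + 1) / 10.0
}

function Get-Cvss31BaseScore {
    param([Parameter(Mandatory)][string]$Vector)

    # Metric weights from CVSS v3.1 section 7.4.
    $av  = @{ N = 0.85; A = 0.62; L = 0.55; P = 0.2 }
    $ac  = @{ L = 0.77; H = 0.44 }
    $ui  = @{ N = 0.85; R = 0.62 }
    $cia = @{ H = 0.56; L = 0.22; N = 0.0 }
    # Privileges Required is weighted differently when Scope is Changed.
    $prUnchanged = @{ N = 0.85; L = 0.62; H = 0.27 }
    $prChanged   = @{ N = 0.85; L = 0.68; H = 0.50 }

    # Parse "AV:L/AC:H/..." into a metric -> value table; the "CVSS:3.1" prefix is skipped.
    $m = @{}
    foreach ($part in ($Vector -split '/')) {
        if ($part -like 'CVSS:*') { continue }
        $key, $val = $part -split ':'
        $m[$key] = $val
    }
    foreach ($required in 'AV', 'AC', 'PR', 'UI', 'S', 'C', 'I', 'A') {
        if (-not $m.ContainsKey($required)) { throw "Vector is missing metric $required" }
    }

    $scopeChanged = ($m['S'] -eq 'C')
    $iss = 1 - ((1 - $cia[$m['C']]) * (1 - $cia[$m['I']]) * (1 - $cia[$m['A']]))
    $impact = if ($scopeChanged) {
        7.52 * ($iss - 0.029) - 3.25 * [math]::Pow($iss - 0.02, 15)
    } else {
        6.42 * $iss
    }
    $pr = if ($scopeChanged) { $prChanged[$m['PR']] } else { $prUnchanged[$m['PR']] }
    $exploitability = 8.22 * $av[$m['AV']] * $ac[$m['AC']] * $pr * $ui[$m['UI']]

    if ($impact -le 0) { return 0.0 }
    $raw = if ($scopeChanged) { 1.08 * ($impact + $exploitability) } else { $impact + $exploitability }
    return Invoke-Cvss31RoundUp ([math]::Min($raw, 10.0))
}

# The advisory's vector, and three variants that show which metrics carry the score.
$advisory = 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'
foreach ($v in @(
    $advisory,
    ($advisory -replace 'UI:R', 'UI:N'),   # if the attacker could restart the service alone
    ($advisory -replace 'S:C',  'S:U'),    # if the impact stayed inside Splunk itself
    ($advisory -replace 'AC:H', 'AC:L')    # if the searched directory were always predictable
)) {
    '{0,-50} {1}' -f $v, (Get-Cvss31BaseScore -Vector $v)
}
```

The first line of output is the advisory's own vector and matches its 7.7. The variants are worth reading together: with Scope Changed, PR:N and PR:L differ by a single weight step, which is why Splunk can score the bug as requiring no Splunk privileges while the write-up still assumes a low-privileged OS account.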
Immediate Mitigation Steps
Patch priority:
- Upgrade to the fixed versions as soon as possible
- Schedule the upgrade in a maintenance window
- Test in a staging environment first
- Verify installation integrity after the update
Interim hardening:
- Remove the ability of low-privileged users to create directories and files outside their own profiles on the system drive; the drive root, which by default lets Authenticated Users create folders, is the usual offender
- Alert on Splunk service restarts that do not line up with a change window
- Run the Splunk service under a dedicated least-privilege account instead of LocalSystem where the deployment allows it
- Block unsigned DLLs with AppLocker DLL rules or WDAC; note that the AppLocker DLL rule collection is off by default, must be enabled explicitly, and applies to every process on the host, so test before enforcing
No in-the-wild exploitation reported as of February 20, 2026.
Enterprise Risk Assessment
High-value targets:
- SIEM servers, which collect logs from across the organization
- Domain controllers that run Splunk components (the advisory covers Splunk Enterprise for Windows, so check which Splunk product is installed there)
- Security team workstations running Splunk Enterprise for analytics
- Shared analysis environments, where many low-privileged users can log on, are the most exposed
Post-exploitation impact:
- LSASS credential dumping
- Kerberos ticket harvesting
- Domain persistence establishment
- Lateral movement to tier-zero assets
A single low-privileged foothold on such a host can escalate to domain dominance.
Detection Indicators
Pre-exploitation:
- New directories created at the root of the system drive or alongside Splunk binaries by non-administrative accounts
- DLL files appearing near Splunk binaries or in directories that did not exist before
- Attempts by low-privileged accounts to modify the Splunk service configuration or its install tree
Service anomalies:
- Splunk service restarts outside change windows
- DLLs loaded by splunkd.exe from outside the Splunk install tree and the Windows system directories (Sysmon Event ID 7 records these when image-load logging is enabled)
- File-creation events in directories on the Splunk library search path
Post-exploitation:
- Child processes of splunkd.exe running as SYSTEM that are not part of normal Splunk operation
- Security-log evidence of a low-privileged session followed by SYSTEM-level activity on the same host
- Unexpected outbound connections from the SIEM server
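The two service-level indicators above can be hunted for directly. The PowerShell script below is an added example, not code from Splunk or from this article. It reads Sysmon Event ID 7 (Image Loaded) to list every DLL that splunkd.exe loaded from outside its install tree and the Windows system directories, and Sysmon Event ID 11 (File Created) to list new .dll files written anywhere on the system drive outside those trees. It assumes Sysmon is installed with a configuration that records ImageLoad for splunkd.exe and FileCreate for .dll files, and that Splunk Enterprise is installed under the path given in $SplunkHome; both are assumptions, not facts from the advisory.

```powershell
# Added example; not from the Splunk advisory or this article. Hunts for DLLs that
# splunkd.exe loaded from outside its install tree and the Windows system directories
# (Sysmon Event ID 7), and for new .dll files written on the system drive outside those
# trees (Sysmon Event ID 11). Assumes Sysmon logs ImageLoad for splunkd.exe and
# FileCreate for *.dll, and that Splunk Enterprise lives at $SplunkHome.

param(
    [string]$SplunkHome    = 'C:\Program Files\Splunk',
    [int]   $LookbackHours = 24
)

# Directories from which splunkd is expected to load code. Anything else is reportable.
$trustedRoots = @(
    $SplunkHome,
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    "$env:SystemRoot\WinSxS"
)

function Get-SysmonEventData {
    # Sysmon field order changes between versions, so read EventData by name, not by index.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Test-UnderTrustedRoot {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        $prefix = $root.TrimEnd('\') + '\'
        if ($Path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SysmonEvents {
    param([int]$Id)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = $Id
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue
}

# 1. Image loads by splunkd.exe from unexpected locations, with signature context.
$loads = foreach ($e in (Get-SysmonEvents -Id 7)) {
    $f = Get-SysmonEventData -Event $e
    if ($f['Image'] -notlike '*\splunkd.exe') { continue }
    if (Test-UnderTrustedRoot -Path $f['ImageLoaded']) { continue }
    [pscustomobject]@{
        Time            = $e.TimeCreated
        ProcessId       = $f['ProcessId']
        ImageLoaded     = $f['ImageLoaded']
        Signed          = $f['Signed']
        SignatureStatus = $f['SignatureStatus']
        Hashes          = $f['Hashes']
    }
}

# 2. New DLLs created on the system drive outside the trusted trees, by any process.
$drops = foreach ($e in (Get-SysmonEvents -Id 11)) {
    $f = Get-SysmonEventData -Event $e
    $target = $f['TargetFilename']
    if ($target -notlike "$env:SystemDrive\*.dll") { continue }
    if (Test-UnderTrustedRoot -Path $target) { continue }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Process = $f['Image']
        User    = $f['User']
        File    = $target
    }
}

"splunkd.exe image loads outside trusted roots in the last $LookbackHours h: $(@($loads).Count)"
$loads | Sort-Object Time | Format-Table -AutoSize
"New DLL files on $env:SystemDrive outside trusted roots in the last $LookbackHours h: $(@($drops).Count)"
$drops | Sort-Object Time | Format-Table -AutoSize
```

Run it once on a known-good host to establish a baseline before treating any hit as an incident: a load from a directory that did not exist in the baseline, or one whose Signed field is false, is the signal to chase, and the Hashes column gives you something to pivot on across the fleet.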
Windows Hardening Checklist
Directory protections:
- Block write access for non-administrators to C:\Program Files\Splunk
- Remove the ability of non-administrators to create directories at the root of %SystemDrive%
- Implement filesystem monitoring on the Splunk install tree and the system drive root
Service isolation:
- Run the Splunk service under a dedicated least-privilege account rather than LocalSystem
- Allow splunkd to load only signed DLLs, using WDAC or AppLocker DLL rules
- Deploy Windows Defender Exploit Guard
Behavioral analytics:
- Monitor which DLLs splunkd.exe loads and from where
- Alert on unexpected child processes of splunkd.exe
- Track service restart frequency
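The directory and service-account items in this checklist, and the matching interim hardening steps above, reduce to two questions: where on the system drive can a low-privileged user create a file or directory, and what account does splunkd run as. The PowerShell audit below is an added example, not code from Splunk or from this article. It assumes it is run from an elevated prompt, that Splunk Enterprise is installed under the path in $SplunkHome, and that the Windows service is named Splunkd (the default name); none of these come from the advisory.

```powershell
# Added example; not from the Splunk advisory or this article. Audits what a low-privileged
# user needs for this class of bug: a place on the system drive where they can create a
# directory or file, and a splunkd.exe running with more privilege than it needs.
# Assumes an elevated prompt, Splunk Enterprise under $SplunkHome, and a service named
# "Splunkd" (the default Splunk Enterprise service name).

param([string]$SplunkHome = 'C:\Program Files\Splunk')

# Principals every local user belongs to. Write rights for them outside user profiles
# are what let an attacker plant a DLL.
$lowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

# Access-mask bits that allow creating files or directories:
#   0x2  WriteData / CreateFiles        0x4  AppendData / CreateDirectories
#   0x40000000 GENERIC_WRITE            0x10000000 GENERIC_ALL
# Modify and FullControl both include 0x2 and 0x4, so the bitwise test catches them too.
$plantMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Get-LowPrivWritableAces {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $plantMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            AppliesTo = $ace.InheritanceFlags   # None = this folder only; ObjectInherit/ContainerInherit = propagates
            Inherited = $ace.IsInherited
        }
    }
}

# 1. The system drive root and every top-level directory on it.
$root = "$env:SystemDrive\"
$targets = @($root) + @(Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
                         Select-Object -ExpandProperty FullName)

# 2. The Splunk install tree and its top-level subdirectories (bin and lib matter most).
$targets += @($SplunkHome) + @(Get-ChildItem -LiteralPath $SplunkHome -Directory -ErrorAction SilentlyContinue |
                                Select-Object -ExpandProperty FullName)

$writable = foreach ($t in $targets) { Get-LowPrivWritableAces -Path $t }
"Locations where a low-privileged user can create files or directories: $(@($writable).Count)"
$writable | Format-Table -AutoSize

# 3. The account splunkd runs as. LocalSystem means a hijacked DLL runs as SYSTEM.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Splunkd'"
if ($svc) {
    "Splunkd service account: $($svc.StartName)"
    "Splunkd binary path:     $($svc.PathName)"
} else {
    "No service named Splunkd found; check Get-Service for the installed service name."
}
```

On a stock Windows install the first finding is usually the drive root itself, where Authenticated Users hold the create-folders right with AppliesTo set to None (this folder only); that single ACE is what lets an unprivileged user create a top-level directory for a DLL. Treat any hit inside the Splunk tree as a misconfiguration to fix immediately, and review root-level changes with the application owners first, since some installers expect to create directories there.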
Patch Deployment Priority
| Environment | Priority | Action |
|---|---|---|
| Production SIEM | Critical | Patch within 24 hours |
| Domain controllers | Critical | Patch within 48 hours |
| Analyst workstations | High | Patch within 7 days |
| Test/development | Medium | Patch within 30 days |
Vendor Disclosure Timeline
Key dates:
- Reported by: Marius Gabriel Mihai
- Published: February 18, 2026
- Advisory: SVD-2026-0205
- Patches: fixed releases on all supported branches (10.0.3, 9.4.8, 9.3.9, 9.2.12; 10.2.0 ships fixed)
- Exploitation: none reported
Responsible disclosure enabled coordinated patching.
FAQ
Which versions are affected?
Splunk Enterprise for Windows below 10.2.0, 10.0.3, 9.4.8, 9.3.9 and 9.2.12, per Splunk advisory SVD-2026-0205.
How does the attack work?
A low-privileged user drops a malicious DLL into a directory on the Splunk library search path. When the service restarts, it loads the DLL with SYSTEM rights.
How severe is it?
CVSS v3.1 7.7, High. A successful attack grants full SYSTEM access, enough for LSASS credential dumping and persistence.
Are Linux deployments affected?
No. The issue is Windows-only because it depends on the Windows DLL search order.
What can be done before patching?
Restrict write access to the system drive and monitor Splunk service restarts.
Who discovered it?
Marius Gabriel Mihai reported it to Splunk.