Splunk Enterprise for Windows Vulnerability Let Attackers Hijack DLLs and Gain SYSTEM Access

Splunk has disclosed a high-severity vulnerability in Splunk Enterprise for Windows that allows a low-privileged local user to escalate their privileges to SYSTEM level through a DLL search-order hijacking attack.

Tracked as CVE-2026-20140 and published on February 18, 2026, under advisory SVD-2026-0205, the flaw carries a CVSSv3.1 score of 7.7 (High) and is classified under CWE-427 (Uncontrolled Search Path Element).

The vulnerability exists in Splunk Enterprise for Windows versions below 10.2.0, 10.0.3, 9.4.8, 9.3.9, and 9.2.12. An attacker who holds low-privileged access to a Windows system running Splunk Enterprise can exploit this flaw by creating a directory on the system drive where Splunk is installed and placing a malicious DLL inside it.

When the Splunk Enterprise service restarts, the application may inadvertently load that rogue DLL due to its insecure library search order. Since the service runs with SYSTEM-level privileges, the injected code inherits those elevated rights, effectively granting the attacker full control over the host machine.

The CVSS vector reveals several important characteristics of this attack. The local access requirement (AV:L) limits remote exploitation, and the high attack complexity (AC:H) and need for user interaction (UI:R) raise the bar further, but enterprise environments remain at meaningful risk, particularly in shared or multi-user Windows deployments.

The scope change (S:C) with High ratings across Confidentiality, Integrity, and Availability underscores the severe impact once a successful compromise occurs. It is also worth noting that this vulnerability has no impact on non-Windows Splunk deployments, where the severity is rated as Informational.

Affected and Fixed Versions

| Product | Affected Versions | Fixed Version |
|---|---|---|
| Splunk Enterprise 10.0 | 10.0.0 to 10.0.2 | 10.0.3 |
| Splunk Enterprise 9.4 | 9.4.0 to 9.4.7 | 9.4.8 |
| Splunk Enterprise 9.3 | 9.3.0 to 9.3.8 | 9.3.9 |
| Splunk Enterprise 9.2 | 9.2.0 to 9.2.11 | 9.2.12 |
| Splunk Enterprise 10.2 | Not Affected | 10.2.0 |

Splunk has addressed the flaw in versions 10.2.0, 10.0.3, 9.4.8, 9.3.9, and 9.2.12. Organizations running Splunk Enterprise on Windows are strongly urged to apply the appropriate patch immediately.

Where immediate patching is not feasible, administrators should restrict write permissions on directories within the system drive to prevent unauthorized DLL placement.
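
One way to verify the write-permission mitigation described above is to audit who can create a directory on the drive that hosts Splunk. The following PowerShell is an added example, not code from Splunk or the advisory. It assumes the install path shown in $SplunkHome, checks the drive root (the article does not name the exact directory involved), and treats SYSTEM, Administrators, and TrustedInstaller as the expected writers.

```powershell
# Added example (not vendor code): list principals that can create a directory
# at the root of the drive hosting Splunk Enterprise.
param(
    # Assumption: install path; change to match the host being audited.
    [string]$SplunkHome = 'C:\Program Files\Splunk'
)

$driveRoot = [System.IO.Path]::GetPathRoot($SplunkHome)

# CreateDirectories (0x4) plus GENERIC_WRITE (0x40000000) and GENERIC_ALL
# (0x10000000), which some ACEs store unmapped in FileSystemRights.
$createMask = 0x50000004

# Assumption: principals expected to hold write access to the drive root.
$trustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

$sidType     = [System.Security.Principal.SecurityIdentifier]
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# Deny ACEs and group membership are not evaluated; this lists Allow ACEs only.
$findings = foreach ($rule in (Get-Acl -LiteralPath $driveRoot).GetAccessRules($true, $true, $sidType)) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    # Inherit-only ACEs apply to child objects, not to the root itself.
    if (($rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }
    if ($trustedSids -contains $rule.IdentityReference.Value) { continue }
    if (([int]$rule.FileSystemRights -band $createMask) -eq 0) { continue }

    # Resolve the SID to a name where possible; keep the raw SID otherwise.
    try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $rule.IdentityReference.Value }

    [pscustomobject]@{ Path = $driveRoot; Identity = $name; Rights = $rule.FileSystemRights }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning "Non-administrative principals can create directories in $driveRoot"
} else {
    Write-Output "No non-administrative create-directory rights found on $driveRoot"
}
```

Any principal the script reports is a candidate for having its create-folder right removed from the drive root until the host is patched.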

No active detections or exploits in the wild have been reported at this time. The vulnerability was responsibly disclosed by security researcher Marius Gabriel Mihai.

The post Splunk Enterprise for Windows Vulnerability Let Attackers Hijack DLLs and Gain SYSTEM Access appeared first on Cyber Security News.

Source: cybersecuritynews.com