# ============================================================================
# CYBERDUDEBIVASH SENTINEL APEX — Detection Pack
# Traceability:
#   CVE ............ CVE-2026-20253
#   Vendor / Product Splunk / Enterprise
#   CISA KEV ....... added 2026-06-18, federal remediation due 2026-06-21
#   Ransomware ..... Unknown
#   NVD ............ https://nvd.nist.gov/vuln/detail/CVE-2026-20253
#   KEV catalog .... https://www.cisa.gov/known-exploited-vulnerabilities-catalog
# Every claim in this rule's metadata is verifiable against the sources above.
# ============================================================================
title: Splunk Enterprise Unauthenticated Access to Critical Endpoint (CVE-2026-20253)
id: d6c84ba7-e087-504c-809f-cfeb4b988836
status: experimental
description: |
    Detects access to Splunk management/REST endpoints from outside expected management ranges, consistent with exploitation of the missing-authentication-for-critical-function vulnerability.
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-20253
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
    - https://blog.cyberdudebivash.in/detections/
author: CYBERDUDEBIVASH SENTINEL APEX
date: 2026/07/05
tags:
    - attack.initial_access
    - attack.t1190
    - attack.execution
    - attack.t1059
    - cve.2026.20253
logsource:
    category: webserver
detection:
    selection:
        cs-uri-stem|contains:
            - '/services/'
            - '/servicesNS/'
            - '/en-US/manager'
    filter_mgmt_source:
        c-ip|cidr:
            - '10.0.0.0/8'
            - '192.168.0.0/16'
    condition: selection and not filter_mgmt_source
    fields:
        - c-ip
        - cs-uri-stem
        - cs-method
falsepositives:
    - Search-head clustering / forwarder management traffic — add those hosts to the source filter.
level: high
