Splunk's advisory calls this week's critical Enterprise flaw a "deserialization of untrusted data" issue requiring urgent patching. The flaw permits pre-authentication remote code execution on the platform most APAC financial-sector security operations centres use to detect pre-authentication remote code execution. There is no authentication event. The log is clean.
The concurrent BleepingComputer report describes a Chinese state-linked group that spent approximately a decade resident inside a target network's authentication stack: operating from the credential-validation layer, the group produced authentication records that monitoring tools read as legitimate sessions, because the monitoring tools were evaluating events generated by the compromised component. HKMA's Cybersecurity Fortification Initiative 2.0 lists SIEM integrity monitoring as a Tier-2 maturity control for licensed banks in Hong Kong. CFI 2.0 is silent on this. For Splunk Enterprise deployments in production, Splunk's June 2026 advisory specifies the remediation path: patch, isolate the management interface, and review service-account permissions against a clean baseline before 19 June.