How the CVE Works
This vulnerability stems from a flaw in the authorization checks on SaltStack's minion event bus. An attacker who holds a compromised minion key can craft messages that bypass those checks: by publishing specially designed events, they can trigger job execution on other minions that the sending minion was never authorized to target. Salt 3007.x before 3007.4 and 3006.x before 3006.12 are affected. Because the event bus does not verify the sender's permissions, improperly validated messages are relayed as commands, enabling lateral movement across the Salt infrastructure.
DailyCVE Form
Platform: SaltStack
Version: >= 3007.0, < 3007.4 (also >= 3006.0, < 3006.12)
Vulnerability: Authorization bypass
Severity: High
Date: Jun 13, 2025
Prediction: Patch by Jun 20, 2025
What Undercode Say
Analytics:
salt '*' test.ping          # check minion responsiveness
salt-run jobs.list_jobs     # audit job executions recorded by the master
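Auditing the job cache with jobs.list_jobs only shows what the master recorded. The mechanism described above is a job that reaches a minion through a crafted event rather than a normal master publish, so a more direct check is to compare minion returns against master publishes on the event bus. The script below is an added example, not code from this post or from the SaltStack project. It assumes events were captured as JSON lines of the form {"tag": ..., "data": {...}} (as printed by `salt-run state.event`), that master publishes appear as `salt/job/<jid>/new` events carrying the publishing `user`, and that minion returns appear as `salt/job/<jid>/ret/<minion_id>`; the sample capture is constructed, and the "return without a matching publish" heuristic is this example's own, not something the advisory specifies.

```python
"""Audit a Salt event-bus capture for minion returns the master never published.

Added example, not code from the DailyCVE post or from the SaltStack project.
Assumed (not stated on the page): JSON-lines capture of {"tag", "data"} records,
`salt/job/<jid>/new` for master publishes, `salt/job/<jid>/ret/<minion>` for returns.
"""
import json
import re

NEW_TAG = re.compile(r"^salt/job/(?P<jid>\d+)/new$")
RET_TAG = re.compile(r"^salt/job/(?P<jid>\d+)/ret/(?P<minion>[^/]+)$")

# Functions an operator rarely broadcasts fleet-wide; tune per site (assumption).
HIGH_RISK_FUNS = {"cmd.run", "cmd.shell", "cmd.script", "cp.get_url"}

# Constructed sample capture (not real telemetry): one legitimate job with two
# returns, then a cmd.run return for a jid that no master publish announced.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"tag": "salt/job/20250613120000000001/new",
     "data": {"jid": "20250613120000000001", "fun": "test.ping", "tgt": "*",
              "user": "sudo_ops", "minions": ["web1", "db1"]}},
    {"tag": "salt/job/20250613120000000001/ret/web1",
     "data": {"jid": "20250613120000000001", "id": "web1", "fun": "test.ping",
              "return": True, "success": True}},
    {"tag": "salt/job/20250613120000000001/ret/db1",
     "data": {"jid": "20250613120000000001", "id": "db1", "fun": "test.ping",
              "return": True, "success": True}},
    {"tag": "salt/job/20250613120500000002/ret/db1",
     "data": {"jid": "20250613120500000002", "id": "db1", "fun": "cmd.run",
              "return": "uid=0(root)", "success": True}},
])


def parse_events(text):
    """Yield (tag, data) from a JSON-lines capture, skipping blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        yield ev["tag"], ev.get("data", {})


def audit(text):
    """Return findings: returns with no master publish, or high-risk published jobs."""
    published = {}   # jid -> publishing user, taken from master 'new' events
    returns = []     # (jid, minion, fun) taken from minion 'ret' events
    for tag, data in parse_events(text):
        m = NEW_TAG.match(tag)
        if m:
            published[m.group("jid")] = data.get("user", "<unknown>")
            continue
        m = RET_TAG.match(tag)
        if m:
            returns.append((m.group("jid"), m.group("minion"), data.get("fun")))

    findings = []
    for jid, minion, fun in returns:
        if jid not in published:
            # A minion executed a job the master never announced: the relayed
            # command path this advisory describes, or a capture gap to verify.
            findings.append({"jid": jid, "minion": minion, "fun": fun,
                             "reason": "return for a job the master never published"})
        elif fun in HIGH_RISK_FUNS:
            findings.append({"jid": jid, "minion": minion, "fun": fun,
                             "reason": "high-risk function published by %s" % published[jid]})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EVENTS):
        print("%(jid)s %(minion)s %(fun)s: %(reason)s" % f)
```

Run it against a capture taken with `salt-run state.event pretty=False` redirected to a file; a capture that starts mid-job will produce false "never published" hits for jobs whose publish preceded the capture, so start recording before the window you want to audit.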
How Exploit:
import salt.client

# PoC abuse: broadcast an arbitrary command to every minion. This runs with the
# master's LocalClient, so it reproduces the effect (unauthorized job execution
# on other minions) rather than the minion-originated event that triggers it.
client = salt.client.LocalClient()
client.cmd('*', 'cmd.run', ['malicious_command'])
Protection from this CVE:
- Upgrade to 3007.4 or 3006.12
- Restrict access to minion keys and rotate any key that may have been exposed
- Monitor event bus traffic (for example with `salt-run state.event`) for jobs that no master publish announced
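The first step in the list is a fleet-wide version check. Since Salt has two affected branches with different fixed releases, a plain string compare gets it wrong ("3006.9" sorts after "3006.12"). The script below is an added example, not code from this post or from the SaltStack project. It assumes the nested output format of `salt '*' test.version` (a "minion_id:" line followed by an indented version line) and uses the fixed versions the post names, 3007.4 for 3007.x and 3006.12 for 3006.x; other branches are reported as unknown rather than guessed at, and the sample output is constructed.

```python
"""Flag minions running a Salt release below the fixed versions named in the post.

Added example, not code from the DailyCVE post or from the SaltStack project.
Assumed input: nested output of `salt '*' test.version` (constructed sample below).
"""

# Release branch -> first fixed version, as given in the post's protection advice.
FIXED = {3007: (3007, 4), 3006: (3006, 12)}

# Constructed sample (not a real fleet).
SAMPLE_VERSIONS = """\
web1:
    3007.1
db1:
    3006.12
cache1:
    3006.9
legacy1:
    3005.5
"""


def parse_version(s):
    """'3006.12' -> (3006, 12); tuple compare avoids the '3006.9' > '3006.12' string trap."""
    parts = s.strip().split(".")
    return (int(parts[0]), int(parts[1]) if len(parts) > 1 else 0)


def parse_test_version(text):
    """Return {minion_id: version_string} from nested test.version output."""
    result, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")) and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]          # unindented "minion:" line
        elif current is not None:
            result[current] = line.strip()        # indented version line
            current = None
    return result


def classify(version):
    """'vulnerable', 'fixed', or 'unknown' (branch not covered by the post)."""
    major, minor = parse_version(version)
    fixed = FIXED.get(major)
    if fixed is None:
        return "unknown"
    return "fixed" if (major, minor) >= fixed else "vulnerable"


def report(text):
    """Map each minion in test.version output to its patch status."""
    return {m: classify(v) for m, v in parse_test_version(text).items()}


if __name__ == "__main__":
    for minion, status in sorted(report(SAMPLE_VERSIONS).items()):
        print(minion, status)
```

Feed it real output with `salt '*' test.version > versions.txt` and load the file; minions that do not respond will simply be absent from the report, so cross-check the list against `salt-key -L` to catch hosts that are down or unreachable.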
Impact:
- Unauthorized remote code execution
- Lateral movement via Salt master
- Compromise of managed minions
Sources:
Reported By: github.com
Extra Source Hub:
Undercode