CVE-2020-25592

9.8 CRITICAL

📋 TL;DR

CVE-2020-25592 is an authentication bypass in SaltStack Salt's REST API (salt-netapi, served by the salt-api daemon). The netapi `ssh` client did not validate eauth credentials or tokens, so a request to the API could invoke Salt SSH against managed hosts without any valid login. It affects Salt through version 3002 wherever salt-api is enabled. Organizations using Salt for infrastructure management are at risk of complete compromise of the hosts the master can reach.

💻 Affected Systems

Products:
  • SaltStack Salt
Versions: All versions through 3002 (3002.0 and every earlier release without the backported fix; see Official Fix)
Operating Systems: All platforms running SaltStack
Default Config Vulnerable: ⚠️ Yes, once salt-api is enabled (the salt-api daemon is not started by default; with rest_cherrypy or rest_tornado configured, no further misconfiguration is needed)
Notes: Only affects installations running salt-netapi (the REST API). The flaw is that the netapi `ssh` client skipped eauth credential and token validation, so the normal eauth mechanism was never consulted for Salt SSH requests.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of Salt-managed infrastructure: unauthenticated command execution through Salt SSH on every host the master can reach, escalating to theft of pillar data and master keys, ransomware deployment, or persistent backdoors across the estate.

🟠

Likely Case

Attackers gain unauthorized command execution on the hosts Salt SSH can reach (roster entries, which commonly include the same systems managed as minions), leading to data exfiltration, service disruption, or lateral movement within the network.

🟢

If Mitigated

Limited impact if proper network segmentation, authentication controls, and monitoring are in place, though the vulnerability still presents significant risk.

🌐 Internet-Facing: HIGH - A salt-api endpoint exposed to the internet lets unauthenticated remote attackers execute arbitrary commands on all hosts reachable from the master.
🏢 Internal Only: HIGH - No account is needed. Anyone who can reach the salt-api port (any compromised workstation, foothold, or malicious insider) can bypass authentication and execute commands across the Salt infrastructure.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available on Packet Storm and other sources; the public exploit chains this bypass with the Salt SSH shell-injection flaw fixed in the same release (CVE-2020-16846) to run commands on the master itself. The attack requires only network access to the salt-api endpoint (default port 8000 for rest_cherrypy); no credentials are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3002.1 and later. The November 2020 security release also backported the fix to 3001.3, 3000.5 and 2019.2.8 for installations that cannot move to 3002.x.

Vendor Advisory: https://docs.saltstack.com/en/latest/topics/releases/index.html

Restart Required: Yes (both salt-master and salt-api; the netapi code runs inside the salt-api process, so restarting only the master leaves the old code serving requests)

Instructions:

1. Upgrade the Salt master to 3002.1 or later (or to the backported fix for your branch: 3001.3, 3000.5, 2019.2.8).
2. Restart the salt-master and salt-api services.
3. Verify the fix: confirm the running version, then send a request to the API's /run endpoint with client=ssh and no credentials and confirm it is rejected with HTTP 401.

🔧 Temporary Workarounds

Disable salt-netapi

linux

Temporarily disable the vulnerable REST API component until patching is possible

systemctl stop salt-api
systemctl disable salt-api

Network Access Control

linux

Restrict network access to the salt-netapi port (default 8000) using firewall rules. Allow the known API clients before the drop rule, or the block also cuts off legitimate automation (192.0.2.0/24 below is a placeholder for your admin network).

# iptables: rules are evaluated in order, so the ACCEPT for trusted clients must precede the DROP
iptables -A INPUT -p tcp --dport 8000 -s 192.0.2.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j DROP
# ufw equivalent
ufw allow from 192.0.2.0/24 to any port 8000 proto tcp
ufw deny 8000/tcp

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the Salt master (and in particular port 8000) from untrusted networks
  • Enable detailed logging and monitoring for salt-api requests (/var/log/salt/api) and for Salt SSH activity on the master, since the bypass produces no failed-authentication entry

🔍 How to Verify

Check if Vulnerable:

Run `salt --version` on the master. The system is vulnerable if salt-api is running (`systemctl is-active salt-api`) and the version is 3002 with no point release, or an older release that lacks the backported fix: 3001.0 to 3001.2, 3000.0 to 3000.4, 2019.2.0 to 2019.2.7, or any earlier branch. A plain "version <= 3002" comparison is wrong because 3001.3 and 3000.5 are fixed despite sorting below 3002.

Check Version:

salt --version

Verify Fix Applied:

Verify the version is 3002.1 or later (or 3001.3 / 3000.5 / 2019.2.8), and confirm enforcement: a POST to the API's /run endpoint with client=ssh and no eauth credentials must be rejected with HTTP 401. On an unpatched master the same request is accepted with HTTP 200.
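The version logic above has the branch trap that a naive numeric comparison misses, and the enforcement test needs a request that does nothing harmful on an unpatched master. The following script is an added example, not the page's own or Salt's own code: it classifies a `salt --version` string against the fixed releases of each branch, and optionally sends a credential-less `client: ssh` request to `/run` to see whether the API rejects it. The probe target name and the assumption that a patched rest_cherrypy answers 401 are this example's assumptions; the fixed-version table is taken from the November 2020 security release.

```python
import json
import re
import subprocess
import urllib.error
import urllib.request

# Fixed release per branch from the November 2020 Salt security release.
# Branches not listed here (e.g. 2018.3) never received the fix.
FIXED_BY_BRANCH = {
    (3002,): (3002, 1),
    (3001,): (3001, 3),
    (3000,): (3000, 5),
    (2019, 2): (2019, 2, 8),
}


def parse_salt_version(text):
    """Turn `salt --version` output such as 'salt 3001.3' into (3001, 3)."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable_version(v):
    """True if this release still has the unauthenticated ssh client path."""
    if v[0] >= 3003:            # every release after the 3002 branch carries the fix
        return False
    # 3000+ use a single-number branch (3001.x); date-based releases use two (2019.2.x)
    branch = (v[0],) if v[0] >= 3000 else v[:2]
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:           # older, unlisted branch: no fixed release exists
        return True
    return v < fixed            # tuple comparison: (3002,) < (3002, 1) is True


def assess(version_text, api_running):
    """Combine version and exposure; salt-api not running means the endpoint is not reachable."""
    v = parse_salt_version(version_text)
    if not api_running:
        return "NOT EXPOSED"    # patch anyway before salt-api is ever enabled
    return "VULNERABLE" if is_vulnerable_version(v) else "FIXED"


# Example assumption: no roster entry matches this target, so an unpatched master accepts
# the request but opens no SSH session. test.ping is harmless even if something did match.
PROBE_BODY = {"client": "ssh", "tgt": "cve-2020-25592-probe-nonexistent", "fun": "test.ping"}


def probe_run_endpoint(base_url, timeout=10):
    """POST to /run with no eauth fields at all and return the HTTP status the API answered with."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/run",
        data=json.dumps(PROBE_BODY).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def classify_probe(status):
    """200 means the ssh client ran without credentials; 401 means eauth is enforced (assumed patched behaviour)."""
    if status == 200:
        return "VULNERABLE"
    if status == 401:
        return "FIXED"
    return "INCONCLUSIVE (HTTP %d)" % status


if __name__ == "__main__":
    version_out = subprocess.run(["salt", "--version"], capture_output=True, text=True).stdout
    api_state = subprocess.run(["systemctl", "is-active", "salt-api"], capture_output=True, text=True).stdout.strip()
    print("version check:", assess(version_out, api_running=(api_state == "active")))
    # Replace with your master's API URL (assumption: rest_cherrypy on the default port).
    print("endpoint probe:", classify_probe(probe_run_endpoint("https://salt-master.example:8000")))
```

Run it on the master itself; the probe also works from any host that can reach port 8000, which is a useful way to confirm the firewall rules above actually block untrusted sources.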

📡 Detection & Monitoring

Log Indicators:

  • Successful POST requests to /run (the endpoint that takes inline eauth data) in the salt-api log, /var/log/salt/api, from sources that are not your known API clients. The bypass skips credential validation entirely, so do not expect a failed-authentication entry before the malicious request.
  • Salt SSH activity on the master (salt-ssh runs and outbound SSH connections to roster hosts) that does not correspond to an operator session or a scheduled job
  • Errors or unexpected targets in the API log around the time of the requests, which may also show the chained command-injection attempts the public exploit makes

Network Indicators:

  • Traffic to the salt-api port (8000 by default) from sources outside the expected admin network, especially from the internet
  • Outbound SSH connections from the Salt master to many hosts in rapid succession, which is what a Salt SSH run against a broad target looks like on the wire

SIEM Query (illustrative pseudo-query; field names depend on how your collector parses /var/log/salt/api):

source="salt-api" AND method="POST" AND uri_path="/run" AND status=200 AND NOT src_ip IN (<known API clients>)
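The pseudo-query above expresses the rule; the following is an added example (not code from the page or from the Salt project) that applies the same rule to salt-api access-log lines. The sample lines are constructed for this example and approximate CherryPy's access-log format as salt-api writes it to /var/log/salt/api; check a real line from your master and adjust LOG_RE if the field order differs. The allowlist of API client addresses is an assumption you supply.

```python
import re
from collections import defaultdict

# Constructed sample entries (not real logs). 10.0.0.5 is a legitimate automation host that
# logs in via /login; 198.51.100.7 hammers /run without ever authenticating and gets 200;
# 10.0.0.9 tries /run on a patched master and is refused with 401.
SAMPLE_API_LOG = """\
[INFO    ] 10.0.0.5 - - [03/Nov/2020:14:22:01] "POST /login HTTP/1.1" 200 210 "" "python-requests/2.24.0"
[INFO    ] 10.0.0.5 - - [03/Nov/2020:14:22:02] "POST / HTTP/1.1" 200 88 "" "python-requests/2.24.0"
[INFO    ] 198.51.100.7 - - [03/Nov/2020:14:30:11] "POST /run HTTP/1.1" 200 31 "" "python-requests/2.24.0"
[INFO    ] 198.51.100.7 - - [03/Nov/2020:14:30:12] "POST /run HTTP/1.1" 200 31 "" "python-requests/2.24.0"
[INFO    ] 198.51.100.7 - - [03/Nov/2020:14:30:12] "POST /run HTTP/1.1" 200 31 "" "python-requests/2.24.0"
[INFO    ] 10.0.0.9 - - [03/Nov/2020:14:35:40] "POST /run HTTP/1.1" 401 0 "" "curl/7.68.0"
"""

# Salt level prefix, then CherryPy's "host ident user [time] "request" status" fields.
LOG_RE = re.compile(
    r'\]\s+(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_suspicious_runs(log_text, allowed_clients, min_hits=1):
    """Return {src_ip: count} for sources that received HTTP 200 from POST /run and are not known clients.

    The bypass leaves no failed-auth entry, so the signal is a *successful* /run from an
    unexpected source rather than a failure-then-success pattern. /run is the endpoint
    that accepts inline eauth data, which is where the credential-less ssh request lands.
    """
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue                      # not an access-log line (e.g. a traceback)
        if (m["method"] == "POST" and m["path"] == "/run"
                and m["status"] == "200" and m["src"] not in allowed_clients):
            hits[m["src"]] += 1
    return {src: n for src, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    # Assumption: 10.0.0.5 is the only host that should call the API.
    for src, n in find_suspicious_runs(SAMPLE_API_LOG, allowed_clients={"10.0.0.5"}).items():
        print("ALERT: %s got %d successful /run responses without being a known API client" % (src, n))
```

Point it at the real file with `find_suspicious_runs(open("/var/log/salt/api").read(), allowed_clients=...)`; raise `min_hits` if legitimate ad-hoc use of /run from operator workstations makes single hits too noisy.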

🔗 References

📤 Share & Export