CVE-2025-22236
📋 TL;DR
This CVE describes an authorization bypass vulnerability in Salt's minion event bus. An attacker with a compromised minion key can craft messages to execute jobs on other minions, potentially leading to unauthorized command execution across the Salt infrastructure. It affects Salt installations with minions running versions 3007.0 and above.
💻 Affected Systems
- Salt
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full control over all minions in the Salt environment, enabling lateral movement, data theft, ransomware deployment, or complete system compromise.
Likely Case
An attacker with access to a minion key can execute arbitrary commands on other minions, leading to privilege escalation, data exfiltration, or disruption of managed systems.
If Mitigated
With network segmentation and strict key management, impact is limited to isolated segments, but unauthorized job execution on accessible minions may still occur.
🎯 Exploit Status
Exploitation requires possession of a minion key and knowledge of Salt's event bus, but no public exploit code is known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3007.4
Vendor Advisory: https://docs.saltproject.io/en/3007/topics/releases/3007.4.html
Restart Required: Yes
Instructions:
1. Update Salt minions to version 3007.4 or later.
2. Restart the minion services to apply the patch.
3. Verify the update using the version check command.
🔧 Temporary Workarounds
Restrict Minion Key Access (Linux)
Limit access to minion keys by enforcing strict file permissions and using secure storage to prevent unauthorized acquisition.
chmod 600 /etc/salt/pki/minion/minion.pem
chown salt:salt /etc/salt/pki/minion/minion.pem
Network Segmentation (all platforms)
Isolate minions in separate network segments to reduce the attack surface and limit lateral movement if a key is compromised.
🧯 If You Can't Patch
- Monitor for unusual job executions or event bus activity and investigate anomalies promptly.
- Rotate minion keys regularly and revoke any suspected compromised keys immediately.
🔍 How to Verify
Check if Vulnerable:
Check the Salt minion version; if it is 3007.0 or higher and below 3007.4, it is vulnerable.
Check Version:
salt-minion --version
Verify Fix Applied:
Confirm the minion version is 3007.4 or later and test that unauthorized job execution via crafted event bus messages is blocked.
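Added example (not part of this advisory or of the Salt project): a Python check that parses `salt-minion --version` output and compares it against the range stated above (3007.0 or higher and below 3007.4). The sample outputs in the block are constructed, not captured from real hosts.

```python
import re
import subprocess

# Vulnerable range as stated on this page: 3007.0 <= version < 3007.4
VULN_MIN = (3007, 0)
FIXED = (3007, 4)

# Salt versions look like "3007.1"; the codename in parentheses is ignored
_VERSION_RE = re.compile(r"\b(\d{4})\.(\d+)")


def parse_salt_version(output: str):
    """Extract (major, minor) from `salt-minion --version` output.

    Returns None when no version number can be found.
    """
    m = _VERSION_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(version) -> bool:
    """True when the version falls inside the range this page states."""
    return VULN_MIN <= version < FIXED


def assess(output: str) -> str:
    """Classify one `salt-minion --version` output line."""
    v = parse_salt_version(output)
    if v is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(v) else "not affected"


def assess_local_minion() -> str:
    """Run the check on this host (requires salt-minion to be installed)."""
    try:
        proc = subprocess.run(["salt-minion", "--version"],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return "unknown"
    return assess(proc.stdout)


# Constructed sample outputs (assumed format: "salt-minion <version> (<codename>)")
SAMPLES = [
    "salt-minion 3007.1 (Chlorine)",   # inside the range -> vulnerable
    "salt-minion 3007.4 (Chlorine)",   # patched release -> not affected
    "salt-minion 3006.9 (Sulfur)",     # below the page's stated range
    "salt-minion: command not found",  # no version parsed -> unknown
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r}: {assess(line)}")
    print("local host:", assess_local_minion())
```

Only the version range given on this page is encoded; re-check the vendor advisory for any other affected release lines before relying on the result.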
📡 Detection & Monitoring
Log Indicators:
- Unusual job executions from unexpected minions
- Failed authorization attempts on the event bus
- Log entries indicating crafted or malformed event messages
Network Indicators:
- Abnormal traffic patterns between minions on event bus ports
- Unexpected command-and-control communications from minions
SIEM Query:
source="salt-minion" AND ((event="job_execution" AND user!=expected_user) OR message="authorization failure")