CVE-2025-22239
📋 TL;DR
An authorized (key-accepted) Salt minion can publish events with tags and data of its choosing onto the Salt Master's event bus through the master's _minion_event handler. Because master-side automation such as the reactor acts on event tags, this can disrupt master operations, trigger unintended actions, or potentially lead to privilege escalation. Every deployment running a master older than the fixed releases (3006.12 / 3007.4) is affected.
💻 Affected Systems
- SaltStack Salt
⚠️ Manual Verification Required
This CVE does not have version ranges recorded in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD). The vendor release notes linked below name 3006.12 and 3007.4 as the fixed releases, so compare your installed master version against those.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Compromise of the master: if reactor or orchestration configuration acts on event tags that a minion can forge, injected events can make the master run states or commands as its own (typically root) user, with service disruption or data exfiltration as a consequence.
Likely Case
Service disruption through event flooding, unintended automation workflows triggered by forged tags, or bypass of controls that trust the event bus (for example, monitoring or reactors that assume an event's tag identifies its sender).
If Mitigated
Limited impact due to proper network segmentation, strict minion authorization, and monitoring that detects anomalous event patterns.
🎯 Exploit Status
Exploitation requires a minion key that the master has accepted; once that is in place it is straightforward, since sending events to the master is an ordinary minion operation (the same path the minion-side event.send module uses).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Salt 3006.12 or 3007.4
Vendor Advisory: https://docs.saltproject.io/en/3006/topics/releases/3006.12.html
Restart Required: Yes
Instructions:
1. Back up configuration and data.
2. Update the Salt Master to version 3006.12 or 3007.4 using your package manager.
3. Restart the Salt Master service.
4. Verify the update with 'salt --version'.
🔧 Temporary Workarounds
Restrict Minion Access
Limit which hosts can reach the master's publisher (4505) and request server (4506) ports with firewall rules, and review the accepted minion keys (salt-key -L lists them; salt-key -d <id> removes one). This only shrinks the set of hosts that can exploit the issue: any minion whose key is still accepted can inject events until the master is patched.
# Accept the Salt ports only from trusted minion addresses (one rule per address),
# then drop everything else. Appended rules only take effect if no earlier INPUT
# rule already accepts this traffic.
iptables -A INPUT -p tcp --dport 4505:4506 -s trusted_minion_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 4505:4506 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Salt Master from untrusted networks.
- Enhance monitoring of Salt event bus for anomalous activity and implement alerting.
🔍 How to Verify
Check if Vulnerable:
Run 'salt --version' on the master and compare the reported release with the affected ranges per branch (3006.x below 3006.12, 3007.x below 3007.4). Compare within the branch: 3007.0 through 3007.3 are vulnerable even though they are numerically higher than 3006.12.
Check Version:
salt --version
Verify Fix Applied:
Confirm version is 3006.12 or higher, or 3007.4 or higher, and test that minions cannot inject unexpected events.
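The branch-aware comparison above is easy to get wrong with a plain string or float compare. The following is an added example for this page, not SaltStack code: it parses the output of 'salt --version' and assesses it against the fixed releases named in this advisory. The sample version strings are constructed, and the handling of branches the advisory does not list (reported as unknown-branch) is an assumption.

```python
"""
Branch-aware check of a `salt --version` string against the fixed releases
named in this advisory (3006.12 and 3007.4). Added example, not SaltStack code.
"""
import re
import subprocess

# Branch -> first patched point release, per the advisory.
FIXED = {3006: 12, 3007: 4}


def parse_salt_version(output):
    """Extract (major, minor) from output such as 'salt 3006.11 (Sulfur)'."""
    m = re.search(r"\b(\d{4})\.(\d+)\b", output)
    if not m:
        raise ValueError(f"no Salt version found in {output!r}")
    return int(m.group(1)), int(m.group(2))


def assess(output):
    """Return 'vulnerable', 'fixed' or 'unknown-branch' for a version string.

    The comparison is per branch: 3007.0 is numerically above 3006.12 but is
    still unpatched, which a string or float comparison would get wrong.
    """
    major, minor = parse_salt_version(output)
    if major not in FIXED:
        # Assumption: branches not listed in the advisory need a manual check
        # against the vendor notes rather than a verdict from this script.
        return "unknown-branch"
    return "fixed" if minor >= FIXED[major] else "vulnerable"


def assess_local():
    """Run `salt --version` on this host (run it on the master) and assess it."""
    try:
        out = subprocess.run(["salt", "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        return f"could not run salt --version: {exc}"
    return assess(out)


if __name__ == "__main__":
    # Constructed sample strings, not output from a real host.
    for sample in ("salt 3006.11 (Sulfur)", "salt 3006.12 (Sulfur)",
                   "salt 3007.0 (Chlorine)", "salt 3007.4 (Chlorine)"):
        print(f"{sample:24} -> {assess(sample)}")
    print("local master:", assess_local())
```

Run it on the master host; the final line reports the locally installed version, while the preceding lines show the per-branch logic on the constructed samples.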
📡 Detection & Monitoring
Log Indicators:
- Unusual event patterns in Salt Master logs
- Events from minions that don't match expected behavior
Network Indicators:
- Abnormal traffic to Salt Master ports 4505-4506 from unauthorized sources
SIEM Query:
source="salt-master.log" event="_minion_event" | stats count by minion_id
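The log indicators above (events that do not match a minion's expected behaviour, event floods) can be checked offline against a capture of the master's event bus. The following is an added example for this page, not SaltStack code or a vendor-provided detection: it reads events as "tag<TAB>json" lines, flags minion events that put another minion's id in the tag, that use namespaces only master-side components should emit, or that arrive faster than a threshold, and reports per minion id the way the SIEM query above does. The site policy (allowed tag namespaces, the hypothetical myco/ namespace, flood thresholds) and the sample capture are constructed assumptions to adapt to your environment.

```python
"""
Offline detector for suspicious minion-originated events on a Salt master
event bus. Added example for this advisory, not SaltStack code.
Input: lines of the form "tag<TAB>{json data}"; policy and sample are constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Site policy (assumption): tag prefixes a minion may use, mapped to the index
# of the tag segment that must equal the sending minion's id.
MINION_TAG_PREFIXES = {
    "salt/minion/": 2,   # salt/minion/<id>/start
    "salt/beacon/": 2,   # salt/beacon/<id>/<beacon>/...
    "myco/": 1,          # hypothetical custom namespace myco/<id>/...
}
# Namespaces that only master-side components should emit (assumption).
MASTER_ONLY_PREFIXES = ("salt/auth", "salt/key", "salt/run/", "salt/wheel/", "salt/cloud/")
FLOOD_LIMIT = 5                       # more than this many events ...
FLOOD_WINDOW = timedelta(seconds=10)  # ... from one minion within this window


def parse_event_line(line):
    """Split 'tag<TAB>{json}' into (tag, data)."""
    tag, _, raw = line.partition("\t")
    return tag.strip(), json.loads(raw)


def check_event(tag, data):
    """Per-event rules; returns a list of findings (empty means clean)."""
    minion_id = data.get("id")
    if not minion_id:
        return ["event carries no minion id"]
    if tag.startswith(MASTER_ONLY_PREFIXES):
        return [f"{minion_id}: master-only namespace in minion event: {tag}"]
    for prefix, owner_idx in MINION_TAG_PREFIXES.items():
        if tag.startswith(prefix):
            parts = tag.split("/")
            if len(parts) <= owner_idx or parts[owner_idx] != minion_id:
                return [f"{minion_id}: spoofed tag owner: {tag}"]
            return []
    return [f"{minion_id}: unapproved namespace: {tag}"]


def scan(lines):
    """Run all rules over a capture; returns {minion_id: [findings]}."""
    report = defaultdict(list)
    recent = defaultdict(deque)   # minion_id -> timestamps inside FLOOD_WINDOW
    for line in lines:
        tag, data = parse_event_line(line)
        mid = data.get("id", "<unknown>")
        report[mid].extend(check_event(tag, data))
        stamp = data.get("_stamp")   # Salt stamps every event with _stamp
        if stamp:
            ts = datetime.fromisoformat(stamp)
            window = recent[mid]
            window.append(ts)
            while ts - window[0] > FLOOD_WINDOW:
                window.popleft()
            if len(window) == FLOOD_LIMIT + 1:   # report once, when the threshold is crossed
                report[mid].append(
                    f"{mid}: more than {FLOOD_LIMIT} events in {FLOOD_WINDOW.seconds}s (flood)")
    return {m: f for m, f in report.items() if f}


# Constructed capture, not real master output.
SAMPLE_CAPTURE = [
    'salt/minion/web01/start\t{"id": "web01", "_stamp": "2025-06-10T12:00:00.000000"}',
    'myco/web01/deploy\t{"id": "web01", "_stamp": "2025-06-10T12:00:01.000000"}',
    # web02 puts db01 in the owner position of the tag
    'salt/minion/db01/start\t{"id": "web02", "_stamp": "2025-06-10T12:00:02.000000"}',
    # web02 emits a runner-style tag that only the master should produce
    'salt/run/20250610120003000000/new\t{"id": "web02", "_stamp": "2025-06-10T12:00:03.000000"}',
] + [
    # web03 sends seven events within one second
    f'myco/web03/ping\t{{"id": "web03", "_stamp": "2025-06-10T12:00:04.{i:06d}"}}'
    for i in range(7)
]

if __name__ == "__main__":
    for minion, findings in scan(SAMPLE_CAPTURE).items():
        for finding in findings:
            print(finding)
```

On the sample, web01 is clean, web02 produces a spoofed-owner and a master-only-namespace finding, and web03 trips the flood rule once. Feed it a real capture and tune MINION_TAG_PREFIXES to the namespaces your minions and beacons actually use; anything a minion emits outside that allowlist is worth a closer look while the master is unpatched.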