CVE-2025-22241
📋 TL;DR
This vulnerability in SaltStack Salt allows an authenticated minion (one whose key the master has accepted, or an attacker who has compromised such a host) to overwrite files in the master's pki directory. When on-demand pillar data is requested, the VirtKey helper behind the virtkey external pillar builds paths under the pki directory from unvalidated, minion-supplied input, so a crafted name can escape the intended subdirectory. The path is reachable in the default master configuration because 'virtkey' is in the default 'on_demand_ext_pillar' list. Since the helper's normal job is to auto-accept minion keys from a pre-placed authorization file, a successful attack can plant an accepted minion key or clobber other files the master relies on.
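The bug class described above, as an added illustration that is not Salt's own code: an unsafe helper that drops a caller-supplied minion id straight into a path under the pki directory, next to a hardened version that refuses ids containing path components and checks, after symlink resolution, that the target is still inside the intended subdirectory. The directory layout, function names and the temp-dir stand-in for /etc/salt/pki/master are assumptions made for the example.

```python
"""Path containment for files written under a pki directory (added example, not Salt code)."""
import os
import tempfile

# Stand-in for /etc/salt/pki/master, created fresh so the example runs anywhere.
PKI_DIR = tempfile.mkdtemp(prefix="pki_")
os.makedirs(os.path.join(PKI_DIR, "minions"))


class PathEscapeError(ValueError):
    """Raised when a requested path would leave the intended directory."""


def accept_key_unsafe(minion_id, pubkey):
    """Vulnerable pattern: minion_id is concatenated into the path unchecked.

    An id such as '../master.pub' resolves outside minions/ and overwrites
    whatever sits there, with the privileges of the process doing the write.
    """
    path = os.path.join(PKI_DIR, "minions", minion_id)
    with open(path, "w") as fh:
        fh.write(pubkey)
    return path


def contained_path(subdir, minion_id):
    """Return PKI_DIR/subdir/minion_id only if it really lies inside PKI_DIR/subdir."""
    # Reject separators, bare dot components and NULs before touching the
    # filesystem: a minion id is a hostname-like token, never a path.
    if (not minion_id or minion_id in (".", "..")
            or "/" in minion_id or "\\" in minion_id or "\0" in minion_id):
        raise PathEscapeError("invalid minion id: {!r}".format(minion_id))
    base = os.path.realpath(os.path.join(PKI_DIR, subdir))
    target = os.path.realpath(os.path.join(base, minion_id))
    # Second line of defence: after symlink resolution the target must still be under base.
    if os.path.commonpath([base, target]) != base:
        raise PathEscapeError("path escapes {}: {}".format(base, target))
    return target


def accept_key_safe(minion_id, pubkey):
    """Hardened counterpart of accept_key_unsafe."""
    path = contained_path("minions", minion_id)
    with open(path, "w") as fh:
        fh.write(pubkey)
    return path


def inside_minions_dir(path):
    """True if path, after symlink resolution, lies under PKI_DIR/minions."""
    base = os.path.realpath(os.path.join(PKI_DIR, "minions"))
    return os.path.commonpath([base, os.path.realpath(path)]) == base


def safe_rejects(minion_id):
    """True if the hardened helper refuses the id without writing anything."""
    try:
        contained_path("minions", minion_id)
    except PathEscapeError:
        return True
    return False


if __name__ == "__main__":
    escaped = accept_key_unsafe("../escaped.pub", "ATTACKER KEY")
    print("unsafe wrote", escaped, "inside minions/:", inside_minions_dir(escaped))
    print("safe rejects '../escaped.pub':", safe_rejects("../escaped.pub"))
    print("safe wrote", accept_key_safe("web01.example.com", "REAL KEY"))
```

The allow-list check on the id is the real fix; the realpath/commonpath comparison is there so a symlink planted inside minions/ cannot redirect the write either. Running the block shows the unsafe helper landing one level above minions/ and the safe one refusing the same id.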
💻 Affected Systems
- SaltStack Salt
⚠️ Manual Verification Required
Automated detection is not available for this entry, so check the installed release on each master by hand.
Why? The database entry this page is built from carries no machine-readable version ranges; the affected and fixed versions listed further down come from the vendor release notes, so use those.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker controlling one accepted minion overwrites authentication files in the pki directory: planting an accepted public key under a minion id of their choosing, so a rogue host is trusted by the master and receives that id's pillar data and jobs, or overwriting the master's own key files so that authentication breaks for every minion.
Likely Case
Any authenticated minion, or an attacker who has taken over one, overwrites or plants files in the pki directory, disrupting key handling or denying service to the master. Local shell access to the master is not needed.
If Mitigated
On a patched master, or one with 'virtkey' removed from 'on_demand_ext_pillar', the vulnerable path is not reachable. File permissions and network segmentation alone do not help much: the write is performed by the salt-master process itself, and every accepted minion is already on the right side of the segmentation boundary.
🎯 Exploit Status
No public exploit is referenced on this page. Exploitation requires an authenticated minion (an accepted key) that can request on-demand pillar data from the master; no salt-api credentials or master shell access are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3006.12 or 3007.4
Vendor Advisory: https://docs.saltproject.io/en/3006/topics/releases/3006.12.html
Restart Required: Yes
Instructions:
1. Update the Salt master to version 3006.12 or 3007.4.
2. Restart the salt-master service.
3. Verify the update with 'salt --version' on the master.
🔧 Temporary Workarounds
Remove virtkey from the on-demand external pillars
(all platforms) Until the master is patched, stop it from serving the virtkey external pillar on demand, which is the code path the advisory describes.
Edit the master configuration file and set 'on_demand_ext_pillar' so that it no longer contains 'virtkey' (the default is ['libvirt', 'virtkey']; ['libvirt'] or [] both work), then restart salt-master. There is no 'on_demand_pillar' master option: on-demand pillar requests themselves cannot be switched off, only the external pillars they are allowed to invoke.
Restrict pki directory permissions
(Linux) Keep the pki directory readable and writable only by the master's service user (adjust the owner below if your master runs as root). This is the normal default and worth confirming, but it does not block this issue: the offending write is made by the salt-master process with its own privileges.
chmod 700 /etc/salt/pki/master
chown salt:salt /etc/salt/pki/master
🧯 If You Can't Patch
- Restrict which hosts can reach the master's request and publish ports (4506 and 4505 by default) to known minions; every accepted minion is a potential attacker here, so the salt-api is not the boundary that matters
- Do not use auto_accept; review pending keys so a compromised host cannot simply enrol additional minions
- Monitor the pki directory for file creation and modification (file integrity monitoring or auditd)
🔍 How to Verify
Check if Vulnerable:
Run 'salt --version' (or 'salt-master --version') on the master and compare against the affected ranges: 3006.x before 3006.12 (3006.0-3006.11) and 3007.x before 3007.4 (3007.0-3007.3). Older, end-of-life branches did not receive a fix and should be treated as affected.
Check Version:
salt --version
Verify Fix Applied:
Verify version is 3006.12 or higher, or 3007.4 or higher using 'salt --version' command.
📡 Detection & Monitoring
Log Indicators:
- New or modified files under /etc/salt/pki/master, especially accepted keys for minion ids you do not recognise, file names that do not look like minion ids, or changes to master.pem / master.pub
- Minion key acceptances that nobody performed with salt-key, or authentication failures from a minion id that was previously working
Network Indicators:
- On-demand pillar requests travel over the master's ordinary request channel (port 4506), so they are not a separate endpoint; look instead for minions invoking pillar.ext (for example via salt-call) when nothing in your states uses the virtkey pillar
- Repeated authentication requests from a single source or for a single minion id
SIEM Query:
source="salt-master.log" AND ("Authentication accepted from" OR "Authentication request from" OR "salt-key" OR "pki")
The original keywords 'write' and 'overwrite' will not match: the master does not reliably log the file write itself, so key on its authentication and key-management messages (check the exact wording in your release) and correlate the minion ids against your inventory. Ids you do not recognise, or ids that look like paths, are the signal; pair this with file integrity monitoring of the pki directory.
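A baseline-and-diff check for the pki directory, serving both the "monitor pki directory" advice under If You Can't Patch and the log indicators above. This is an added example, not Salt tooling: it hashes every file under the pki directory, compares two snapshots, and rates each addition or change by where it sits and whether its name looks like a minion id. The minions*/ subdirectory names are the usual salt-master layout but are an assumption here, as is the minion-id pattern; the sample tree and the simulated rogue writes are constructed in a temp dir so the script runs offline.

```python
"""Baseline-and-diff integrity check for a Salt master pki directory (added example)."""
import hashlib
import os
import re
import tempfile

# Minion ids are hostname-like tokens; anything else in a key directory is suspect (assumed pattern).
MINION_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")
# Files the master itself owns; a change here is critical, not merely "new key".
MASTER_KEY_FILES = {"master.pem", "master.pub"}
# Usual salt-master key directories (assumed layout; adjust to your installation).
KEY_DIRS = {"minions", "minions_pre", "minions_rejected", "minions_denied", "minions_autosign"}


def snapshot(pki_dir):
    """Map relative path -> sha256 of contents for every regular file under pki_dir."""
    snap = {}
    for root, _dirs, files in os.walk(pki_dir):
        for fname in files:
            full = os.path.join(root, fname)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            with open(full, "rb") as fh:
                snap[os.path.relpath(full, pki_dir)] = hashlib.sha256(fh.read()).hexdigest()
    return snap


def classify(rel):
    """Severity for a new or changed file, by location and name."""
    parts = rel.split(os.sep)
    if len(parts) == 1 and parts[0] in MASTER_KEY_FILES:
        return "CRITICAL: master key material changed"
    if len(parts) == 2 and parts[0] in KEY_DIRS:
        if MINION_ID_RE.match(parts[1]):
            return "REVIEW: minion key {} in {}".format(parts[1], parts[0])
        return "ALERT: implausible minion id {!r} in {}".format(parts[1], parts[0])
    return "ALERT: unexpected file {}".format(rel)


def findings(before, after):
    """List of (action, relative path, verdict) for everything that differs."""
    out = []
    for rel in sorted(set(after) - set(before)):
        out.append(("added", rel, classify(rel)))
    for rel in sorted(set(before) - set(after)):
        out.append(("removed", rel, "ALERT: file removed"))
    for rel in sorted(set(before) & set(after)):
        if before[rel] != after[rel]:
            out.append(("changed", rel, classify(rel)))
    return out


def build_sample_pki():
    """Constructed sample tree standing in for /etc/salt/pki/master."""
    pki = tempfile.mkdtemp(prefix="salt_pki_")
    for d in KEY_DIRS:
        os.makedirs(os.path.join(pki, d))
    write_file(pki, "master.pem", "-----BEGIN RSA PRIVATE KEY-----\nsample\n-----END RSA PRIVATE KEY-----\n")
    write_file(pki, "master.pub", "-----BEGIN PUBLIC KEY-----\nsample\n-----END PUBLIC KEY-----\n")
    write_file(pki, os.path.join("minions", "web01.example.com"), "-----BEGIN PUBLIC KEY-----\nweb01\n-----END PUBLIC KEY-----\n")
    return pki


def write_file(pki, rel, content):
    """Write a file under pki; in the demo this simulates what the bug lets a minion do."""
    path = os.path.join(pki, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)


def run_demo():
    """Baseline a sample tree, simulate two rogue writes, and report the diff."""
    pki = build_sample_pki()
    before = snapshot(pki)
    write_file(pki, os.path.join("minions", "rogue01"), "attacker key")  # planted accepted key
    write_file(pki, os.path.join("minions", ".hidden"), "x")              # name no minion would have
    write_file(pki, "master.pub", "clobbered")                            # master file overwritten
    return findings(before, snapshot(pki))


if __name__ == "__main__":
    for action, rel, verdict in run_demo():
        print(action, rel, verdict)
```

Store the baseline from a known-good master (after salt-key has been reviewed) and re-run snapshot/findings on a schedule or from a cron job; a REVIEW line means a key appeared through some path other than your own salt-key workflow and should be reconciled with inventory. On Linux, an auditd watch gives the same signal in real time: auditctl -w /etc/salt/pki/master -p wa -k salt_pki.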