CVE-2025-62348
📋 TL;DR
This vulnerability in Salt's junos execution module allows remote code execution through unsafe YAML deserialization. Attackers can craft malicious YAML payloads that execute arbitrary code with Salt process privileges. Organizations using Salt with Junos network devices are affected.
💻 Affected Systems
- SaltStack Salt
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of Salt master server leading to lateral movement across managed infrastructure, credential theft, and persistent backdoor installation.
Likely Case
Unauthorized code execution on Salt master allowing attackers to execute commands on managed minions, potentially compromising network devices and servers.
If Mitigated
Limited impact through network segmentation and proper access controls, with only authenticated users able to trigger the vulnerability.
🎯 Exploit Status
Exploitation requires access to Salt's execution modules. Attackers need to be able to submit YAML payloads to the junos module.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3006.17
Vendor Advisory: https://docs.saltproject.io/en/latest/topics/releases/3006.17.html
Restart Required: Yes
Instructions:
1. Back up the Salt configuration.
2. Update Salt to version 3006.17 or later using the package manager.
3. Restart the Salt master service.
4. Verify all minions reconnect successfully.
🔧 Temporary Workarounds
Disable junos module
Temporarily disable the vulnerable junos execution module if it is not required (all platforms)
# In /etc/salt/minion on each affected minion, then restart salt-minion
disable_modules: [junos]
Restrict module access
Limit which users can execute junos module commands using Salt's ACL system (all platforms)
Edit /etc/salt/master file to add ACL restrictions for junos.*
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Salt master from untrusted networks
- Enable detailed logging and monitoring for junos module usage and review regularly
🔍 How to Verify
Check if Vulnerable:
Check Salt version: salt --version. If below 3006.17 and junos module is enabled, system is vulnerable.
Check Version:
salt --version
Verify Fix Applied:
Verify version is 3006.17 or higher and test junos module functionality with safe commands.
📡 Detection & Monitoring
Log Indicators:
- Unusual junos module executions
- YAML parsing errors in Salt logs
- Unexpected process spawns from Salt
Network Indicators:
- Unusual traffic from Salt master to minions
- Suspicious YAML payloads in Salt communications
SIEM Query:
source="salt-master" AND (event="junos.*" OR message="YAML")
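The "unusual junos module executions" indicator above can be checked against job publications on the master's event bus. This is an added example, not part of the original page or of Salt itself; it assumes events were captured as `tag<TAB>json` lines (the form `salt-run state.event` prints), and the allowlisted account name and the sample events are constructed.

```python
import json

# Assumption: accounts expected to drive Junos automation in this environment.
EXPECTED_USERS = {"netops-automation"}

# Constructed sample events, one 'tag<TAB>json' line each.
SAMPLE = [
    'salt/job/20250101000000000001/new\t{"jid": "20250101000000000001", "user": "netops-automation", "tgt": "edge-*", "fun": "junos.facts", "arg": []}',
    'salt/job/20250101000000000002/new\t{"jid": "20250101000000000002", "user": "sudo_alice", "tgt": "*", "fun": ["test.ping", "junos.cli"], "arg": [[], ["show version"]]}',
    'salt/job/20250101000000000003/new\t{"jid": "20250101000000000003", "user": "root", "tgt": "*", "fun": "test.ping", "arg": []}',
    'salt/job/20250101000000000004/new\t{truncated',
    'salt/auth\t{"act": "accept", "id": "edge-1"}',
]

def junos_job_events(lines, expected_users=EXPECTED_USERS):
    """Return (findings, skipped) for job publications calling junos.* functions."""
    findings, skipped = [], 0
    for line in lines:
        tag, sep, payload = line.strip().partition("\t")
        # Only job publication events carry the submitting user and function.
        if not sep or not (tag.startswith("salt/job/") and tag.endswith("/new")):
            continue
        try:
            data = json.loads(payload)
        except json.JSONDecodeError:
            data = None
        if not isinstance(data, dict):
            skipped += 1  # count damaged job events instead of hiding them
            continue
        fun = data.get("fun", [])
        # Compound commands publish 'fun' as a list of function names.
        funs = fun if isinstance(fun, list) else [fun]
        hits = [f for f in funs if isinstance(f, str) and f.startswith("junos.")]
        if hits:
            user = data.get("user", "<unknown>")
            findings.append({
                "jid": data.get("jid"),
                "user": user,
                "tgt": data.get("tgt"),
                "functions": hits,
                "unexpected_user": user not in expected_users,
            })
    return findings, skipped

if __name__ == "__main__":
    found, bad = junos_job_events(SAMPLE)
    for f in found:
        print(f)
    print("unparseable job events:", bad)
```

Findings with `unexpected_user` set are the ones to review first; a non-zero skipped count means the capture itself needs attention.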