CVE-2025-62349
📋 TL;DR
This CVE describes an authentication protocol downgrade vulnerability in Salt that allows malicious minions to bypass newer security features by using older request payload formats. This enables minion impersonation and circumvents protections introduced to address previous security issues. All Salt deployments using affected versions are vulnerable.
💻 Affected Systems
- SaltStack Salt
⚠️ Manual Verification Required
The CVE record used by this site's automatic detection does not carry version ranges, so automated matching cannot decide whether a given system is affected.
Why? The NVD entry provides no affected-version ranges. Use the fixed releases listed under Fix & Mitigation and the steps under How to Verify instead.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Salt infrastructure allowing attackers to impersonate any minion, execute arbitrary commands on all managed systems, and potentially pivot to other network segments.
Likely Case
Unauthorized minion impersonation leading to unauthorized command execution on managed systems, data exfiltration, or configuration changes.
If Mitigated
Limited impact due to network segmentation, strict access controls, and monitoring that detects anomalous authentication patterns.
🎯 Exploit Status
Exploitation requires the attacker to act as a minion (for example from a compromised managed host); once that position is held, the downgrade is straightforward to perform. The CWE-287 (Improper Authentication) classification reflects that the result is an authentication bypass, here minion impersonation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3006.17 and 3007.9
Vendor Advisory: https://docs.saltproject.io/en/latest/topics/releases/3006.17.html
Restart Required: Yes
Instructions:
1. Identify your Salt version.
2. Upgrade to 3006.17 if on the 3006.x series.
3. Upgrade to 3007.9 if on the 3007.x series.
4. Restart the Salt master and minion services.
5. Verify the upgrade was successful (see How to Verify below).
🔧 Temporary Workarounds
Network Segmentation
Isolate Salt master-minion communication to trusted networks only. The master listens on TCP 4505 (publish) and 4506 (request/return) by default, so restrict those ports to known minion addresses.
Minion Key Validation
Salt authenticates minions with RSA key pairs, not certificates. Keep the master's accepted-key list tight and compare fingerprints so that a key cannot be swapped without notice, and monitor the master log for authentication anomalies:
salt-key -L
salt-key -f minion-id
salt-key -L lists accepted, pending and rejected keys; salt-key -f minion-id prints the fingerprint of that minion's key as held on the master, which should match what the minion itself reports with salt-call --local key.finger. Reject or delete any key that is not expected.
🧯 If You Can't Patch
- Implement strict network access controls to limit which systems can communicate with Salt masters
- Enable detailed authentication logging and monitor for protocol downgrade attempts or unusual minion behavior
🔍 How to Verify
Check if Vulnerable:
Check the Salt version on masters and minions with salt --version, salt-master --version or salt-minion --version. If the version is below 3006.17 (for 3006.x) or below 3007.9 (for 3007.x), the system is vulnerable. Older branches are not listed in the advisory and should be treated as unpatched until moved to a fixed release.
Check Version:
salt --version
Verify Fix Applied:
After patching, verify that the version is 3006.17 or higher (3006.x) or 3007.9 or higher (3007.x) on the master and on every minion. Then confirm that minions still authenticate normally and that the master rejects requests using the older payload format.
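As an added example (not from the advisory or the Salt project), the following POSIX shell script applies the version rule above to the text printed by salt --version or salt-minion --version. It assumes that text contains a MAJOR.MINOR token such as 3006.16, and it reports branches other than 3006.x and 3007.x as unknown because the advisory names no fixed release for them.

```shell
#!/bin/sh
# Added example for this page, not code from the Salt project: decide whether a
# Salt version string predates the fixed releases named above (3006.17, 3007.9).
# Assumptions: `salt --version` / `salt-minion --version` print a line such as
# "salt 3006.16 (Sulfur)"; branches other than 3006.x and 3007.x are reported
# as "unknown" because the advisory gives no fixed release for them.

# Extract the first "MAJOR.MINOR" token (Salt's year-style numbering, e.g. 3006.16).
salt_version_number() {
    printf '%s\n' "$1" | grep -oE '[0-9]{4}\.[0-9]+' | head -n 1
}

# Print "fixed", "vulnerable" or "unknown" for one version string.
# Exit status: 0 fixed, 1 vulnerable, 2 unknown (usable from other scripts).
classify_salt_version() {
    ver=$(salt_version_number "$1")
    if [ -z "$ver" ]; then
        echo unknown
        return 2
    fi
    major=${ver%%.*}
    minor=${ver#*.}
    case "$major" in
        3006) fixed_minor=17 ;;   # first fixed 3006.x release
        3007) fixed_minor=9 ;;    # first fixed 3007.x release
        *)
            echo unknown          # branch not covered by the advisory; review manually
            return 2
            ;;
    esac
    if [ "$minor" -ge "$fixed_minor" ]; then
        echo fixed
        return 0
    fi
    echo vulnerable
    return 1
}

# Classify every argument given on the command line, for example:
#   sh check_salt_version.sh "$(salt --version)" "$(salt-minion --version)"
for v in "$@"; do
    printf '%s -> %s\n' "$v" "$(classify_salt_version "$v")"
done
```

Run it on each master and minion and act on any line that does not end in fixed; the unknown result is deliberate for branches the advisory does not cover, so those hosts need a manual review rather than a silent pass.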
📡 Detection & Monitoring
Log Indicators:
- Authentication protocol downgrade attempts
- Unusual minion authentication patterns
- Failed authentication with older protocol versions
Network Indicators:
- Unexpected authentication traffic from minions
- Protocol version mismatches in handshake
SIEM Query:
source="salt-master" AND ("auth" OR "authentication") AND ("downgrade" OR "old protocol" OR "version mismatch")
The quoted terms are generic placeholders: tune them to the wording your master actually logs, since Salt's authentication log messages vary by version and are not guaranteed to contain these strings.
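As an added example (not from the advisory or the Salt project), this POSIX shell script audits a salt-master log for two of the indicators listed above: minion IDs that the master accepted but that are not on an allowlist, and minion IDs that authenticate far more often than expected. It assumes the master logs "Authentication request from <id>" and "Authentication accepted from <id>" in Salt's default log format; the sample log lines and allowlist are constructed for the example, not captured from a real master.

```shell
#!/bin/sh
# Added example for this page, not code from the Salt project: audit a
# salt-master log (default path /var/log/salt/master) for accepted minion IDs
# that are not on an allowlist and for minions that re-authenticate unusually
# often. Assumptions: the master writes "Authentication request from <id>" and
# "Authentication accepted from <id>" lines; the log and allowlist below are
# constructed sample data, not real captures.

SAMPLE_LOG=$(mktemp)
SAMPLE_ALLOWLIST=$(mktemp)

# Constructed sample: two expected minions, one unexpected ID that got
# accepted, and a burst of repeated authentication requests from web01.
cat > "$SAMPLE_LOG" <<'EOF'
2025-10-21 10:15:02,113 [salt.master      :1800][INFO    ][2201] Authentication request from web01
2025-10-21 10:15:02,120 [salt.master      :1850][INFO    ][2201] Authentication accepted from web01
2025-10-21 10:15:03,004 [salt.master      :1800][INFO    ][2201] Authentication request from db01
2025-10-21 10:15:03,011 [salt.master      :1850][INFO    ][2201] Authentication accepted from db01
2025-10-21 10:16:10,500 [salt.master      :1800][INFO    ][2201] Authentication request from ghost-01
2025-10-21 10:16:10,507 [salt.master      :1850][INFO    ][2201] Authentication accepted from ghost-01
2025-10-21 10:17:00,001 [salt.master      :1800][INFO    ][2201] Authentication request from web01
2025-10-21 10:17:01,002 [salt.master      :1800][INFO    ][2201] Authentication request from web01
2025-10-21 10:17:02,003 [salt.master      :1800][INFO    ][2201] Authentication request from web01
2025-10-21 10:17:03,004 [salt.master      :1800][INFO    ][2201] Authentication request from web01
2025-10-21 10:17:04,005 [salt.master      :1800][INFO    ][2201] Authentication request from web01
2025-10-21 10:17:05,006 [salt.master      :1800][INFO    ][2201] Authentication request from web01
EOF

# Constructed allowlist: one expected minion ID per line.
cat > "$SAMPLE_ALLOWLIST" <<'EOF'
web01
db01
EOF

# Minion IDs the master accepted at least once, one per line, sorted.
accepted_minion_ids() {
    grep -o 'Authentication accepted from [^ ]*' "$1" | awk '{print $4}' | sort -u
}

# Accepted IDs that do not appear in the allowlist file (exact, whole-line match).
unexpected_minions() {
    accepted_minion_ids "$1" | grep -vxF -f "$2" || true
}

# "<id> <count>" lines counting authentication requests per minion ID.
auth_request_counts() {
    grep -o 'Authentication request from [^ ]*' "$1" | awk '{print $4}' \
        | sort | uniq -c | awk '{print $2, $1}'
}

# IDs whose request count exceeds the threshold, e.g. a host hammering the
# master with authentication attempts; a lead to investigate, not proof of abuse.
noisy_minions() {
    auth_request_counts "$1" | awk -v max="$2" '$2 > max {print $1}' | sort
}

echo "accepted but not on the allowlist:"
unexpected_minions "$SAMPLE_LOG" "$SAMPLE_ALLOWLIST"
echo "more than 5 authentication requests:"
noisy_minions "$SAMPLE_LOG" 5
```

Against a real master, point the functions at /var/log/salt/master and build the allowlist from the accepted keys (salt-key -l acc prints an "Accepted Keys:" header followed by one ID per line, so drop the first line). Any ID reported by unexpected_minions is a key the master accepted without your knowledge; cross-check it with salt-key -f before deciding whether to reject it.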