CVE-2025-62349 Overview
Salt contains an authentication protocol version downgrade weakness that can allow a malicious minion to bypass newer authentication/security features by using an older request payload format, enabling minion impersonation and circumventing protections introduced in response to prior issues.
Critical Impact
A malicious Salt minion can bypass authentication mechanisms by downgrading to older protocol versions, potentially enabling impersonation attacks and circumventing security controls across managed infrastructure.
Affected Products
- Salt Project Salt versions prior to 3006.17
- Salt Project Salt versions prior to 3007.9
Discovery Timeline
- January 30, 2026 - CVE CVE-2025-62349 published to NVD
- February 4, 2026 - Last updated in NVD database
Technical Details for CVE-2025-62349
Vulnerability Analysis
This vulnerability (CWE-287: Improper Authentication) exists in Salt's authentication protocol handling where the system fails to enforce the use of current authentication protocol versions. When a Salt master receives authentication requests, it accepts older payload formats that lack security enhancements implemented in response to previous vulnerabilities. This design flaw creates a dangerous attack surface where malicious actors controlling a minion can intentionally craft authentication requests using deprecated protocol formats.
The weakness allows attackers to bypass security controls that were specifically added to address prior authentication weaknesses in the Salt infrastructure management platform. By exploiting this protocol version flexibility, an attacker can impersonate legitimate minions, potentially gaining unauthorized access to managed systems and the ability to execute arbitrary commands across the Salt-managed infrastructure.
Root Cause
The root cause stems from Salt's backward compatibility implementation in its authentication subsystem. The authentication handler accepts multiple protocol versions without properly enforcing the use of the most recent, secure version. This permissive approach to protocol version negotiation allows attackers to deliberately select older, less secure authentication mechanisms that bypass protections added in newer versions.
Attack Vector
The attack is network-based and requires an attacker to have privileged access (control of a Salt minion). The attacker crafts authentication requests using older protocol payload formats that the Salt master still accepts for backward compatibility. By avoiding the newer authentication protocol, the attacker circumvents security controls such as enhanced identity verification and cryptographic protections that were introduced to address previous authentication bypass vulnerabilities.
The attack enables minion impersonation, allowing a compromised or malicious minion to masquerade as other legitimate minions in the Salt infrastructure. This can lead to unauthorized command execution, data exfiltration, or lateral movement across managed systems.
Detection Methods for CVE-2025-62349
Indicators of Compromise
- Unusual authentication requests from minions using deprecated protocol versions or legacy payload formats
- Authentication attempts from minions with mismatched identities or unexpected key material
- Anomalous patterns in Salt master authentication logs indicating protocol version mismatches
- Minions appearing to authenticate from unexpected network locations or with suspicious timing patterns
Detection Strategies
- Monitor Salt master logs for authentication requests using older protocol formats
- Implement alerting on authentication anomalies such as minion ID conflicts or unexpected re-authentication events
- Deploy network monitoring to detect unusual Salt communication patterns between masters and minions
- Audit minion key acceptance events for signs of impersonation attempts
Monitoring Recommendations
- Enable verbose logging on Salt masters to capture detailed authentication protocol information
- Implement centralized log collection for Salt infrastructure components
- Configure alerts for failed authentication attempts and protocol downgrade indicators
- Regularly review minion key states and authentication patterns for anomalies
How to Mitigate CVE-2025-62349
Immediate Actions Required
- Upgrade Salt to version 3006.17 or 3007.9 or later immediately
- Audit existing minion connections and validate minion identities
- Review Salt master configurations for any custom authentication settings that may increase exposure
- Implement network segmentation to limit Salt communication to trusted network segments
Patch Information
Salt Project has released security patches addressing this vulnerability. Organizations should upgrade to the patched versions as documented in the official release notes:
- Salt Project Release Notes 3006.17 - Security fix for version 3006.x
- Salt Project Release Notes 3007.9 - Security fix for version 3007.x
Workarounds
- Restrict network access to Salt master ports (4505, 4506) using firewall rules to limit exposure to trusted networks only
- Implement strict minion key management policies and reject keys from unknown or suspicious sources
- Monitor and alert on new minion key acceptance events until patches can be applied
- Consider temporarily disabling automatic minion key acceptance if enabled
# Configuration example - Restrict Salt master network access
# Add to firewall rules to limit Salt master exposure
iptables -A INPUT -p tcp --dport 4505 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 4506 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 4505 -j DROP
iptables -A INPUT -p tcp --dport 4506 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
