CVE-2025-62349

Summary

Salt contains an authentication protocol version downgrade weakness that can allow a malicious minion to bypass newer authentication/security features by using an older request payload format, enabling minion impersonation and circumventing protections introduced in response to prior issues.

Affected Software

VendorProductVersion RangeStatus
Salt ProjectSalt3006.12 < 3006.17affected
Salt ProjectSalt3007.4 < 3007.9affected

Weaknesses

  • CWE-287: CWE-287 Improper Authentication

Workarounds

If you must keep older minions temporarily, control exposure by upgrading the master first and using minimum_auth_version according to Salt guidance: fixed releases default to enforcing protocol v3+. If older minions cannot authenticate, temporarily set minimum_auth_version: 0 during a controlled upgrade window, then upgrade minions and restore the stricter minimum.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References