CVE-2021-25281
published 2021-02-27

Priority: P1 (91) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW · Exploit available · VulnCheck KEV
Exploited in the wild
EPSS: 72.95% (99.4th percentile)
An issue was discovered in SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.

Affected

46 ranges · showing 25

Vendor        | Product      | Version range                                   | Fixed in
debian        | debian_linux |                                                 |
debian        | debian_linux |                                                 |
debian        | debian_linux |                                                 |
fedoraproject | fedora       |                                                 |
fedoraproject | fedora       |                                                 |
fedoraproject | fedora       |                                                 |
saltstack     | salt         | < 2015.8.10                                     | 2015.8.10
saltstack     | salt         | >= 0 < 2015.8.10                                | 2015.8.10
saltstack     | salt         | >= 0 < 2015.8.13                                | 2015.8.13
saltstack     | salt         | >= 0 < 2015.8.8+ds-1ubuntu0.1+esm2              | 2015.8.8+ds-1ubuntu0.1+esm2
saltstack     | salt         | >= 0 < 2017.7.4+dfsg1-1ubuntu18.04.2+esm1       | 2017.7.4+dfsg1-1ubuntu18.04.2+esm1
saltstack     | salt         | >= 2015.8.11 < 2015.8.13                        | 2015.8.13
saltstack     | salt         | >= 2015.8.11 < 2015.8.13                        | 2015.8.13
saltstack     | salt         | >= 2016.11.0 < 2016.11.3                        | 2016.11.3
saltstack     | salt         | >= 2016.11.4 < 2016.11.5                        | 2016.11.5
saltstack     | salt         | >= 2016.11.4 < 2016.11.5                        | 2016.11.5
saltstack     | salt         | >= 2016.11.7 < 2016.11.10                       | 2016.11.10
saltstack     | salt         | >= 2016.11.7 < 2016.11.10                       | 2016.11.10
saltstack     | salt         | >= 2016.3.0 < 2016.3.4                          | 2016.3.4
saltstack     | salt         | >= 2016.3.0 < 2016.3.4                          | 2016.3.4
saltstack     | salt         | >= 2016.3.0 < 2016.11.5                         | 2016.11.5
saltstack     | salt         | >= 2016.3.5 < 2016.3.6                          | 2016.3.6
saltstack     | salt         | >= 2016.3.5 < 2016.3.6                          | 2016.3.6
saltstack     | salt         | >= 2016.3.7 < 2016.3.8                          | 2016.3.8
saltstack     | salt         | >= 2016.3.7 < 2016.3.8                          | 2016.3.8

Detection & IOCs (extracted from sources)

url: POST /run HTTP/1.1
path: /run
path: ../../../../../../../tmp/testing
command (JSON request body of the PoC): {"client":"wheel_async","fun":"pillar_roots.write","data":"testing","path":"../../../../../../../tmp/testing","username":"1","password":"1","eauth":"pam"}
  • Detect POST requests to the Salt API /run endpoint that use the wheel_async client: look for a JSON body containing 'client':'wheel_async' together with arbitrary or dummy eauth credentials (a vulnerable master accepts them without validating them).
  • Successful exploitation returns HTTP 200 with a JSON body containing all of 'return', 'tag', 'jid', 'salt', and 'wheel'; use these together as confirmation indicators.
  • Monitor for directory traversal sequences (e.g., '../../../../../../../tmp/') in POST bodies to the Salt API /run endpoint; these indicate pillar_roots.write abuse to drop files outside the intended directory.
  • Watch for new Python script files appearing in the Salt extension-module grains directory on the master: the exploit drops a custom grain module there and waits up to 60 seconds for salt-master's maintenance loop to execute it.
  • Alert on the salt-master process spawning unexpected child processes (e.g., shells or reverse shells) at roughly 60-second intervals, consistent with the maintenance loop_interval grain-execution trigger.
  • The default grain execution interval is 60 seconds but is configurable; defenders should check the 'loop_interval' setting in the master config, since a lower value means faster payload execution after the drop.
  • The vulnerability affects salt-api specifically; deployments that do not expose salt-api externally have a reduced attack surface, but the auth bypass still applies to any exposed instance before 3002.5/3001.6/3000.8.
  • Local execution of commands by an administrator on the master also triggers the maintenance process check, which could accelerate payload execution if an admin runs commands during an active attack.
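The request-side and response-side checks above, carried into a small scanner as an added example (this is not the page's own code and not SaltStack's): it parses each POST to /run, flags the wheel_async client with inline eauth fields, flags traversal in the path argument and the pillar_roots.write wheel function, and treats a 200 response carrying the five listed tokens as confirmation that the job was dispatched. The log records are constructed for the example (a reverse proxy in front of salt-api that logs request bodies would produce fields like these); the form-encoded branch, the severity tiers and the conditioning of "confirmed" on a wheel_async request are assumptions of the example that go beyond the JSON PoC shown on the page.

```python
import json
import re
from urllib.parse import parse_qs, unquote

# Tokens the page lists as confirmation indicators in a successful wheel_async response.
SUCCESS_TOKENS = ("return", "tag", "jid", "salt", "wheel")

# Two or more "../" segments after URL-decoding is treated as a traversal attempt.
TRAVERSAL_RE = re.compile(r"(?:\.\./){2,}")

SEVERITY_ORDER = {"medium": 1, "high": 2, "confirmed": 3}


def parse_run_body(body, content_type="application/json"):
    """Return the /run request body as a dict, or None if it cannot be parsed.

    The page shows a JSON body; accepting form-encoded bodies too is an
    assumption of this example (salt-api accepts both encodings).
    """
    if "json" in content_type:
        try:
            data = json.loads(body)
        except ValueError:
            return None
        return data if isinstance(data, dict) else None
    # application/x-www-form-urlencoded: parse_qs gives lists, keep the first value
    return {key: values[0] for key, values in parse_qs(body).items()}


def analyze(record):
    """Classify one access-log record (constructed dict format, see SAMPLE_RECORDS).

    Returns a list of (severity, reason) tuples in the order the checks fire.
    """
    findings = []
    if record.get("method") != "POST" or record.get("path", "").rstrip("/") != "/run":
        return findings
    data = parse_run_body(record.get("body", ""), record.get("content_type", "application/json"))
    if data is None:
        return findings

    wheel_async = data.get("client") == "wheel_async"
    if wheel_async:
        # Before 3002.5 the inline eauth fields are accepted without being checked,
        # so their values are irrelevant; record which ones were supplied.
        supplied = sorted(k for k in ("username", "password", "eauth") if k in data)
        findings.append(("high", "wheel_async via /run with inline eauth fields %s" % supplied))

    path = unquote(str(data.get("path", "")))
    if TRAVERSAL_RE.search(path):
        findings.append(("high", "directory traversal in 'path': %s" % path))
    if data.get("fun") == "pillar_roots.write":
        findings.append(("medium", "pillar_roots.write: arbitrary file write on the master"))

    response = record.get("response", "")
    if wheel_async and record.get("status") == 200 and all(t in response for t in SUCCESS_TOKENS):
        findings.append(("confirmed", "200 response carries return/tag/jid/salt/wheel: job dispatched"))
    return findings


def scan(records):
    """Return {source_ip: highest severity seen} for records that produced findings."""
    worst = {}
    for rec in records:
        for severity, _reason in analyze(rec):
            if SEVERITY_ORDER[severity] > SEVERITY_ORDER.get(worst.get(rec["src"]), 0):
                worst[rec["src"]] = severity
    return worst


# Constructed sample records (not from any real capture). A proxy in front of
# salt-api that logs request bodies would produce the fields used here.
SAMPLE_RECORDS = [
    {   # the PoC request from the page, answered by a vulnerable master
        "src": "198.51.100.7", "method": "POST", "path": "/run", "status": 200,
        "content_type": "application/json",
        "body": '{"client":"wheel_async","fun":"pillar_roots.write","data":"testing",'
                '"path":"../../../../../../../tmp/testing","username":"1","password":"1","eauth":"pam"}',
        "response": '{"return": [{"tag": "salt/wheel/20210227000000000000", "jid": "20210227000000000000"}]}',
    },
    {   # ordinary token login, not the /run endpoint
        "src": "192.0.2.10", "method": "POST", "path": "/login", "status": 200,
        "content_type": "application/json",
        "body": '{"username":"admin","password":"secret","eauth":"pam"}', "response": "",
    },
    {   # legitimate local_async call with real credentials
        "src": "192.0.2.10", "method": "POST", "path": "/run", "status": 200,
        "content_type": "application/json",
        "body": '{"client":"local_async","tgt":"*","fun":"test.ping","username":"admin","password":"secret","eauth":"pam"}',
        "response": '{"return": [{"jid": "20210227000000000001", "minions": ["web1"]}]}',
    },
    {   # same attack, form-encoded and URL-escaped; no 200 back, so not confirmed
        "src": "203.0.113.9", "method": "POST", "path": "/run", "status": 401,
        "content_type": "application/x-www-form-urlencoded",
        "body": "client=wheel_async&fun=pillar_roots.write&data=x&path=..%2F..%2F..%2F..%2Ftmp%2Fx"
                "&username=a&password=b&eauth=auto",
        "response": "",
    },
]


if __name__ == "__main__":
    for src, severity in scan(SAMPLE_RECORDS).items():
        print(src, severity)
```

The traversal check decodes the path once, so a double-encoded sequence would slip past it; if the proxy in front of salt-api does not normalise bodies, decode in a loop until the value stops changing before matching.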

CVSS provenance

nvd v3.1: 9.8 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 7.5 HIGH  AV:N/AC:L/Au:N/C:P/I:P/A:P
osv: 9.8 CRITICAL
vulncheck: 9.8 CRITICAL
vendor_redhat: 9.8 CRITICAL
vendor_ubuntu: 9.8 CRITICAL