cbcvebase.
CVE-2021-25282
published 2021-02-27

CVE-2021-25282: An issue was discovered in SaltStack Salt before 3002.5. The salt.wheel.pillar_roots.write method is vulnerable to directory traversal.

Priority: P277 · critical · 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EXPLOIT
EPSS: 92.31% (99.8th percentile)

Affected

46 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | | |
| debian | debian_linux | | |
| debian | debian_linux | | |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |
| fedoraproject | fedora | | |
| saltstack | salt | < 2015.8.10 | 2015.8.10 |
| saltstack | salt | >= 0 < 2015.8.10 | 2015.8.10 |
| saltstack | salt | >= 0 < 2015.8.13 | 2015.8.13 |
| saltstack | salt | >= 0 < 2015.8.8+ds-1ubuntu0.1+esm2 | 2015.8.8+ds-1ubuntu0.1+esm2 |
| saltstack | salt | >= 0 < 2017.7.4+dfsg1-1ubuntu18.04.2+esm1 | 2017.7.4+dfsg1-1ubuntu18.04.2+esm1 |
| saltstack | salt | >= 2015.8.11 < 2015.8.13 | 2015.8.13 |
| saltstack | salt | >= 2015.8.11 < 2015.8.13 | 2015.8.13 |
| saltstack | salt | >= 2016.11.0 < 2016.11.3 | 2016.11.3 |
| saltstack | salt | >= 2016.11.4 < 2016.11.5 | 2016.11.5 |
| saltstack | salt | >= 2016.11.4 < 2016.11.5 | 2016.11.5 |
| saltstack | salt | >= 2016.11.7 < 2016.11.10 | 2016.11.10 |
| saltstack | salt | >= 2016.11.7 < 2016.11.10 | 2016.11.10 |
| saltstack | salt | >= 2016.3.0 < 2016.3.4 | 2016.3.4 |
| saltstack | salt | >= 2016.3.0 < 2016.3.4 | 2016.3.4 |
| saltstack | salt | >= 2016.3.0 < 2016.11.5 | 2016.11.5 |
| saltstack | salt | >= 2016.3.5 < 2016.3.6 | 2016.3.6 |
| saltstack | salt | >= 2016.3.5 < 2016.3.6 | 2016.3.6 |
| saltstack | salt | >= 2016.3.7 < 2016.3.8 | 2016.3.8 |
| saltstack | salt | >= 2016.3.7 < 2016.3.8 | 2016.3.8 |

Detection & IOCs (extracted from sources)

url: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/saltstack_salt_wheel_async_rce.rb
  • Monitor for HTTP requests to the SaltStack Salt REST API targeting the `wheel_async` client endpoint, which is abused for unauthenticated RCE via authentication bypass combined with directory traversal in `salt.wheel.pillar_roots.write`.
  • Detect creation of new or unexpected Python script files in the Salt Extension Module (grains) directory on the master, as the exploit drops a malicious grain module there for execution.
  • Alert on directory traversal patterns (e.g., `../`) in arguments passed to the `salt.wheel.pillar_roots.write` method, as this is the specific vulnerable code path.
  • The salt-master maintenance loop (default every 60 seconds, configurable via `loop_interval`) reloads and executes all grains including custom modules — monitor for unexpected process execution spawned by salt-master at this interval after suspicious file writes.
  • The `loop_interval` option in the salt-master configuration file controls how frequently the maintenance process (which triggers grain execution) runs. The default is 60 seconds, but a shorter interval set by an admin would accelerate payload execution after exploitation.
  • Local administrator commands executed on the master also trigger the maintenance process check, meaning exploitation payload execution is not limited to the timed loop — it can be accelerated by admin activity.
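
One way to implement the traversal alert from the list above is to inspect captured salt-api request bodies. This is an added example, not code from this page or from the Salt project. It assumes the bodies are JSON lowstate using Salt's `client`, `fun` and `path` keys, that the pillar root is `/srv/pillar`, and the sample bodies are constructed.

```python
import json
import posixpath

# Assumed pillar root for this example; take the real value from the master config.
PILLAR_ROOT = "/srv/pillar"

def escapes_root(path, root=PILLAR_ROOT):
    """True if `path`, joined to `root` as a file write would, resolves outside `root`."""
    # join() discards `root` when `path` is absolute, so absolute paths are caught too.
    resolved = posixpath.normpath(posixpath.join(root, path))
    # Compare with trailing slashes so /srv/pillar-other does not pass as /srv/pillar.
    return not (resolved + "/").startswith(root.rstrip("/") + "/")

def suspicious_calls(body):
    """Return (client, path) for wheel calls to pillar_roots.write that leave the root."""
    try:
        low = json.loads(body)
    except ValueError:
        return []  # not JSON: nothing to evaluate here
    chunks = low if isinstance(low, list) else [low]
    hits = []
    for chunk in chunks:
        if not isinstance(chunk, dict):
            continue
        if chunk.get("client") not in ("wheel", "wheel_async"):
            continue
        if chunk.get("fun") != "pillar_roots.write":
            continue
        # The path may be a top-level key or nested under "kwarg".
        kwarg = chunk.get("kwarg") if isinstance(chunk.get("kwarg"), dict) else {}
        path = chunk.get("path", kwarg.get("path"))
        if isinstance(path, str) and escapes_root(path):
            hits.append((chunk["client"], path))
    return hits

# Constructed request bodies, not captured traffic.
SAMPLE_BODIES = [
    '{"client": "wheel_async", "fun": "pillar_roots.write", "data": "x", "path": "../../../tmp/example.txt"}',
    '{"client": "wheel", "fun": "pillar_roots.write", "data": "x", "path": "web/../db.sls"}',
    '[{"client": "wheel_async", "fun": "pillar_roots.write", "kwarg": {"data": "x", "path": "/tmp/example.txt"}}]',
    '{"client": "local", "tgt": "*", "fun": "test.ping"}',
    "not json",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        for client, path in suspicious_calls(body):
            print(f"ALERT client={client} path={path}")
```

Resolving the path against the root, rather than matching the literal string `../`, also flags absolute paths and avoids alerting on `..` segments that stay inside the pillar root.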

CVSS provenance

nvd · v3.1 · 9.1 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
nvd · v2.0 · 6.4 · MEDIUM · AV:N/AC:L/Au:N/C:N/I:P/A:P
osv · 9.8 · CRITICAL
vendor_ubuntu · 9.8 · CRITICAL
vendor_redhat · 9.1 · CRITICAL