CVE-2025-62349 in Salt
Summary
by MITRE • 01/30/2026
Salt contains an authentication protocol version downgrade weakness that can allow a malicious minion to bypass newer authentication/security features by using an older request payload format, enabling minion impersonation and circumventing protections introduced in response to prior issues.
Analysis
by VulDB Data Team • 02/04/2026
CVE-2025-62349 lies in the authentication protocol between Salt minions and the Salt master. It is a protocol version downgrade: the master does not enforce the version of the authentication exchange, so a client can present a request in an older payload format and have it processed under the older, weaker rules. Because the master's trust in minion identity rests on that exchange, the flaw undermines the model Salt relies on for remote execution and configuration management.
Technically, the master's authentication subsystem accepts and processes requests in the older payload format regardless of the protocol version the deployment is expected to use. A malicious minion can therefore craft an authentication request using the deprecated message structure, and the master routes it through the legacy handling path, skipping the checks that the newer format was introduced to carry. The missing control is a strict version check that validates each incoming authentication payload against the minimum expected protocol version before any of its fields are trusted. The weakness is in the core authentication logic itself, not in a peripheral feature, which is why a client-side choice of format is enough to trigger it.
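The following added example is a constructed model of the flaw class described above and is not Salt's code. It pairs a vulnerable master-side handler, which dispatches on the shape of the request and lets a legacy-format payload skip the identity binding, with a hardened handler that pins a minimum protocol version before trusting any field. The key, the nonce, the MAC construction and the field names are all assumptions made for the illustration.

```python
"""Toy model of an authentication-version downgrade: constructed illustration,
not Salt's protocol or code. Field names, key and MAC scheme are assumptions."""
import hmac
import hashlib

# Constructed shared secret standing in for whatever the modern format binds to.
MASTER_KEY = b"constructed-master-key-for-illustration"
MIN_PROTOCOL_VERSION = 2


def _mac(minion_id: str, nonce: bytes) -> bytes:
    """Bind the claimed minion identity to a master-issued nonce (assumed scheme)."""
    return hmac.new(MASTER_KEY, minion_id.encode() + nonce, hashlib.sha256).digest()


def build_v2_request(minion_id: str, nonce: bytes) -> dict:
    """Modern format: carries a version, the issued nonce and a MAC over both."""
    return {"version": 2, "id": minion_id, "nonce": nonce, "mac": _mac(minion_id, nonce)}


def build_v1_request(minion_id: str) -> dict:
    """Legacy format: a bare identity claim with nothing that proves it."""
    return {"id": minion_id}


def vulnerable_authenticate(req: dict, issued_nonce: bytes) -> bool:
    """Vulnerable pattern: dispatch on whether the newer fields are present.
    A legacy-shaped request never reaches the binding check."""
    if req.get("version", 1) >= 2:
        return req.get("nonce") == issued_nonce and hmac.compare_digest(
            req.get("mac", b""), _mac(req["id"], issued_nonce))
    # "Compatibility" path kept for old minions: accepts any identity claim.
    return bool(req.get("id"))


def hardened_authenticate(req: dict, issued_nonce: bytes) -> bool:
    """Hardened pattern: a missing version field is treated as the oldest
    version, and anything below the minimum is refused before any other
    field is trusted."""
    if req.get("version", 1) < MIN_PROTOCOL_VERSION:
        return False
    return req.get("nonce") == issued_nonce and hmac.compare_digest(
        req.get("mac", b""), _mac(req["id"], issued_nonce))


def demo() -> dict:
    """Run the same three requests through both handlers.
    Returns {case: (vulnerable_result, hardened_result)}."""
    nonce = b"\x01" * 16  # constructed; a real master would issue a fresh random nonce

    legitimate = build_v2_request("db01", nonce)
    # Attacker does not know MASTER_KEY, so it cannot produce a valid v2 MAC.
    forged_v2 = dict(legitimate, mac=b"\x00" * 32)
    # Attacker instead sends the legacy shape, claiming db01's identity outright.
    forged_v1 = build_v1_request("db01")

    cases = {"legitimate_v2": legitimate, "forged_v2": forged_v2, "downgrade_v1": forged_v1}
    return {name: (vulnerable_authenticate(r, nonce), hardened_authenticate(r, nonce))
            for name, r in cases.items()}


if __name__ == "__main__":
    for name, (vuln, hard) in demo().items():
        print(f"{name:14s} vulnerable={vuln!s:5s} hardened={hard}")
```

The point of the model is the order of operations: the hardened handler decides on the version first and refuses before it looks at identity, whereas the vulnerable one lets the request's own shape choose which checks apply. Any real master that still contains an "old format" branch reachable by client choice has the same structure.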
Operationally, a malicious minion can use the older authentication format to impersonate another minion, since the checks that would tie the request to the claimed identity are the ones the newer format added. What that impersonation yields depends on the deployment, but at minimum it covers whatever the master would hand to the impersonated minion, such as configuration data targeted at that minion's id, and the ability to submit results under that identity. The description does not establish code execution on the master itself; the damage is to the master's trust in minion identity, which is the foundation everything else builds on. The flaw is especially serious because the bypassed protections were introduced in response to earlier authentication issues, so a deployment that had applied those fixes is returned to its earlier state by a single client-side choice of payload format.
Mitigation for CVE-2025-62349 starts with the vendor fix: the master must refuse any authentication payload in the older format instead of routing it to legacy handling, and that enforcement has to live on the master, since a malicious minion will not opt into the newer format voluntarily. Operators should apply the fixed Salt release and then audit their deployments for anything that still depends on the old exchange, because such dependencies will break once the legacy path is closed. Logging of rejected authentication attempts, and in particular of a minion presenting an older protocol version than it previously used, gives a practical detection signal for exploitation attempts. On classification, note that CWE-327 covers the use of a broken or risky cryptographic algorithm rather than downgrade; the closer weakness class for a version downgrade is CWE-757 (Selection of Less-Secure Algorithm During Negotiation). Likewise, ATT&CK T1566 is Phishing and does not describe this behaviour; the closer technique is T1562.010 (Impair Defenses: Downgrade Attack). Network segmentation and access controls that limit which hosts can reach the master's authentication port reduce the population of clients able to attempt the downgrade, and limit the blast radius of a minion that is compromised.
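The detection idea in the paragraph above, as an added example that is not part of the original advisory: track the highest authentication protocol version each minion has presented and flag any later attempt at a lower version, plus any attempt below the deployment's minimum. The log format is constructed for this example; Salt's own master log lines do not look like this, so the regular expression must be adapted to whatever the deployment actually emits.

```python
"""Downgrade detection over authentication log lines. The log format below is
constructed for illustration and is not Salt's master log format."""
import re

MIN_PROTOCOL_VERSION = 2

# Hypothetical line shape: "<ts> [auth] minion=<id> proto=<n> result=<accept|reject>"
_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) \[auth\] minion=(?P<minion>\S+) proto=(?P<proto>\d+) result=(?P<result>\w+)$"
)


def find_downgrades(lines, min_version: int = MIN_PROTOCOL_VERSION) -> list:
    """Return one finding per suspicious line.

    kind == "below_minimum": the presented version is under the floor.
    kind == "regression":    the minion previously presented a higher version.
    Lines that do not match the expected shape are ignored."""
    highest_seen = {}
    findings = []
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue
        minion, proto = m["minion"], int(m["proto"])
        previous = highest_seen.get(minion)
        if proto < min_version:
            findings.append({"ts": m["ts"], "minion": minion, "proto": proto,
                             "previous": previous, "kind": "below_minimum"})
        elif previous is not None and proto < previous:
            findings.append({"ts": m["ts"], "minion": minion, "proto": proto,
                             "previous": previous, "kind": "regression"})
        # Record the high-water mark only for versions at or above the floor,
        # so a below-minimum attempt never lowers a minion's baseline.
        if proto >= min_version:
            highest_seen[minion] = max(previous or 0, proto)
    return findings


# Constructed sample: db01 is seen at v2, then something claiming db01 arrives at v1.
SAMPLE_LOG = [
    "2026-02-04 10:00:01 [auth] minion=db01 proto=2 result=accept",
    "2026-02-04 10:00:02 [auth] minion=web01 proto=2 result=accept",
    "2026-02-04 10:05:17 [auth] minion=db01 proto=1 result=accept",
    "2026-02-04 10:05:18 [auth] minion=web01 proto=2 result=accept",
    "2026-02-04 10:06:00 [auth] minion=web01 proto=3 result=accept",
    "2026-02-04 10:06:30 [auth] minion=web01 proto=2 result=accept",
    "garbage line that should be skipped",
]


if __name__ == "__main__":
    for f in find_downgrades(SAMPLE_LOG):
        print(f"{f['ts']} {f['minion']}: {f['kind']} proto={f['proto']} previous={f['previous']}")
```

The "regression" case is the more useful one in practice: a floor catches only what the floor already forbids, while a per-minion high-water mark catches a minion identity being reused at a version lower than that minion itself has demonstrated it supports, which is exactly what an impersonation through downgrade looks like from the master's side.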