Byte Open Security (ByteOS Network)

CVE Vulnerability Details: CVE-2025-62349
Status: PUBLISHED
Assigner: vmware
Assigner Org ID: dcf2e128-44bd-42ed-91e8-88f912c1401d
Published At: 30 Jan, 2026 | 18:59
Updated At: 31 Jan, 2026 | 04:56
Rejected At: -

CVE Numbering Authority (CNA)
Salt Master authentication protocol downgrade may enable minion impersonation

Salt contains an authentication protocol version downgrade weakness that can allow a malicious minion to bypass newer authentication/security features by using an older request payload format, enabling minion impersonation and circumventing protections introduced in response to prior issues.

Affected Products

Vendor: Salt Project
Product: Salt
Collection URL: https://saltproject.io/
Package Name: salt
Default Status: unaffected
Affected Versions:
  • From 3006.12 before 3006.17 (semver)

Vendor: Salt Project
Product: Salt
Collection URL: https://saltproject.io/
Package Name: salt
Default Status: unaffected
Affected Versions:
  • From 3007.4 before 3007.9 (semver)
Problem Types
Type: CWE
CWE ID: CWE-287
Description: CWE-287 Improper Authentication
Metrics
Version: 3.1
Base score: 6.2
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L

Version: 4.0
Base score: 7.5
Base severity: HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Metrics Other Info: -
Impacts: -
Solutions

Upgrade Salt to a version that includes the authentication protocol downgrade fix and supports enforcing minimum authentication protocol versions (e.g., 3006.17+ on the 3006 line or 3007.9+ on the 3007 line). Ensure the Salt master enforces a safe minimum by using the minimum_auth_version configuration option (default 3 in fixed releases).

Configurations

Workarounds

If you must keep older minions temporarily, control exposure by upgrading the master first and using minimum_auth_version according to Salt guidance: fixed releases default to enforcing protocol v3+. If older minions cannot authenticate, temporarily set minimum_auth_version: 0 during a controlled upgrade window, then upgrade minions and restore the stricter minimum.
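
As an added, defender-side check (not Salt project code): a small Python audit helper that, given a master's version string and its master config text, reports whether the master is in an affected range and, if it runs a fixed release, whether minimum_auth_version still permits the downgrade path. It assumes two-part version strings such as 3006.17 and a top-level `minimum_auth_version:` line in the config; the sample configs are constructed.

```python
import re
from typing import Optional

# Affected ranges from the advisory, as [first affected, first fixed) per release line
AFFECTED_RANGES = [((3006, 12), (3006, 17)), ((3007, 4), (3007, 9))]
SAFE_MINIMUM = 3  # minimum_auth_version default in fixed releases, per the advisory

def parse_version(text: str) -> tuple:
    """'3006.12' -> (3006, 12); anything other than two integers is rejected."""
    parts = text.strip().split(".")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Salt version string: {text!r}")
    return (int(parts[0]), int(parts[1]))

def is_vulnerable_version(version: str) -> bool:
    """True when the master runs a release inside one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def configured_minimum(config_text: str) -> Optional[int]:
    """Top-level 'minimum_auth_version: N' value, or None if unset (simplified line scan of the YAML)."""
    for line in config_text.splitlines():
        m = re.match(r"^minimum_auth_version:\s*(\d+)\s*(#.*)?$", line)
        if m:
            return int(m.group(1))
    return None

def assess(version: str, config_text: str) -> str:
    """Classify a master: vulnerable, outside-advisory, downgrade-allowed or enforced."""
    v = parse_version(version)
    if any(lo <= v < hi for lo, hi in AFFECTED_RANGES):
        return "vulnerable"         # unfixed code: upgrade before tuning config
    if not any(v >= hi for _, hi in AFFECTED_RANGES if v[0] == hi[0]):
        return "outside-advisory"   # not a fixed 3006/3007 release; option may not exist
    configured = configured_minimum(config_text)
    effective = SAFE_MINIMUM if configured is None else configured
    if effective < SAFE_MINIMUM:
        return "downgrade-allowed"  # fixed code, but config re-opens the pre-v3 path
    return "enforced"

# Constructed sample master configs (not from any real deployment)
SAMPLE_CONFIGS = {
    "default": "interface: 0.0.0.0\n",
    "upgrade_window": "interface: 0.0.0.0\nminimum_auth_version: 0  # temporary\n",
}

if __name__ == "__main__":
    for name, cfg in SAMPLE_CONFIGS.items():
        print(f"3006.17 + {name}: {assess('3006.17', cfg)}")
```

A master reported as "downgrade-allowed" is the state the workaround describes as temporary; it should return to "enforced" once the minions are upgraded.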

Exploits

Credits
Reporter: Barney Sowood
Timeline: -
Replaced By

Rejected Reason

References
https://docs.saltproject.io/en/latest/topics/releases/3006.17.html (release-notes, vendor-advisory)
https://docs.saltproject.io/en/latest/topics/releases/3007.9.html (release-notes, vendor-advisory)
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Details not found