Critical Vulnerabilities in SaltStack CVE-2020-11651 & CVE-2020-11652

Update: Critical Vulnerabilities in SaltStack being actively exploited in the wild


Vulnerabilities within SaltStack infrastructure automation software may lead to RCE attacks and full system takeover. According to security researchers who found these vulnerabilities, attacks are expected in the wild as soon as today.

The vulnerabilities have been dubbed CVE-2020-11651 & CVE-2020-11652 [still waiting on some cool names at time of press].


Salt is an open source infrastructure software for IT automation and configuration management.

Within this system stack you can find Salt ‘masters’ and ‘minions’. According to Salt’s Architecture Model  ‘The Salt master is responsible for sending commands to Salt minions, and then aggregating and displaying the results of those commands. A single Salt master can manage thousands of systems.’

CVE-2020-11651, an authentication bypass vulnerability, may allow minions to run arbitrary commands as root. CVE-2020-11652 is a directory traversal flaw, whereby input is not sanitised correctly allowing the attacker access to files.

Using this pair of vulnerabilities an attacker can perform full Remote Command Execution (RCE) as root on both master and associated minions.

In a nutshell these vulnerabilities allow an attacker to bypass authentication to read and write files and issue arbitrary commands to multiple managed systems. Given the nature of Salt’s architecture model this could allow an attacker to issue these commands to a whole bunch of servers.

The security researchers responsible for uncovering these vulnerabilities estimate that more than 6,000 vulnerable Salt instances are exposed.


SaltStack released an update [3000.2] in response to the vulnerabilities and if you haven’t already updated, it is strongly recommended to do so.

It is also advised to restrict access to salt master ports (4506) to known minions and block the wider internet until a more robust solution is produced.



We are already seeing examples of attacks in the wild. Please make sure to patch your systems asap.


Get started with Appcheck

No software to download or install.

Contact us or call us 0113 887 8380

Start your free trial

Your details
IP Addresses

Get in touch

Please enable JavaScript in your browser to complete this form.