CVE-2025-62349 | THREATINT

Description

Salt contains an authentication protocol version downgrade weakness that can allow a malicious minion to bypass newer authentication/security features by using an older request payload format, enabling minion impersonation and circumventing protections introduced in response to prior issues.

PUBLISHED Reserved 2025-10-10 | Published 2026-01-30 | Updated 2026-01-31 | Assigner vmware

MEDIUM: 6.2CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L

HIGH: 7.5CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-287 Improper Authentication

Product status

Default status

unaffected

3006.12 (semver) before 3006.17

affected

Default status

unaffected

3007.4 (semver) before 3007.9

affected

Credits

Barney Sowood reporter

References

docs.saltproject.io/en/latest/topics/releases/3006.17.html (Salt 3006.17 release notes (fix and minimum_auth_version)) release-notes vendor-advisory

docs.saltproject.io/en/latest/topics/releases/3007.9.html (Salt 3007.9 release notes (fix and minimum_auth_version)) release-notes vendor-advisory

cve.org (CVE-2025-62349)

nvd.nist.gov (CVE-2025-62349)

Download JSON