EUVD-2025-18251

CVE-2025-22239 | HIGH 8.1 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L

Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: Low

Lifecycle Timeline

Patch Released      Mar 31, 2026 - 21:13 (nvd): patch available
Analysis Generated  Mar 14, 2026 - 21:34 (vuln.today)
EUVD ID Assigned    Mar 14, 2026 - 21:34 (euvd): EUVD-2025-18251
CVE Published       Jun 13, 2025 - 07:15 (nvd): HIGH 8.1

Description

Arbitrary event injection on Salt Master. The master's "_minion_event" method can be used by an authorized minion to send arbitrary events onto the master's event bus.

Analysis

CVE-2025-22239 is an arbitrary event injection vulnerability in SaltStack's master node that allows an authorized minion to inject malicious events onto the master's event bus via the '_minion_event' method. This affects Salt Master deployments where minions have event publishing capabilities, enabling authenticated attackers to manipulate internal event flows and potentially trigger unintended master behaviors. The CVSS 8.1 score reflects high confidentiality and integrity impact with local attack vector, though exploitation requires prior authentication as an authorized minion.

Technical Context

SaltStack (also known as Salt) is a Python-based infrastructure automation and configuration management platform that uses a master-minion architecture communicating over ZeroMQ. The vulnerability exists in the Salt Master's '_minion_event' method, which processes events published by minions onto the master's internal event bus—a critical messaging backbone used for orchestration, job tracking, and inter-component communication. The root cause is classified under CWE-285 (Improper Authorization), indicating insufficient validation of event sources and content before processing minion-submitted events. An authorized minion can craft arbitrary event payloads that the master accepts and processes without proper authorization checks, potentially allowing injection of events that trigger actions intended only for administrative or system-level sources. The event bus architecture means injected events propagate to all event listeners and reactors on the master.

Affected Products

SaltStack Salt Master (specific version range not provided in available data, but likely affects recent versions up to a patch release). CPE data would typically be: cpe:2.3:a:saltproject:salt:*:*:*:*:*:*:*:* with version constraints to be determined from vendor advisory. The vulnerability is specific to master nodes (not standalone minions), making it relevant for organizations running the 'salt-master' service. Affected configurations include any deployment where: (1) the Salt Master is running with its event bus accessible, (2) minions are registered and authenticated to the master, and (3) the '_minion_event' RPC method is enabled (likely default). No version information available; check SaltProject official advisories and release notes for specific patched versions.

Remediation

Immediate actions:
(1) Disable or restrict access to the '_minion_event' RPC method if not required for your deployment (check /etc/salt/master configuration and reactor configuration).
(2) Isolate Salt Master event bus access to trusted network segments.
(3) Review Salt event reactor rules to identify which actions could be triggered by injected events and disable unnecessary reactors.

Patch-based remediation: Update SaltStack Salt to the patched version (version number requires checking SaltProject's official CVE advisory at https://docs.saltproject.io/ or https://github.com/saltstack/salt/releases).

Workarounds:
(1) Implement strict input validation in custom event reactors on the master.
(2) Use event ACLs or event tagging to distinguish trusted vs. minion-sourced events.
(3) Monitor the event bus for suspicious patterns using Salt's event logging capabilities ('salt-run state.event').
(4) Restrict minion authentication to necessary minions only and audit minion keys regularly.

Long-term: Upgrade to Salt versions post-patch, review CWE-285 (improper authorization) patterns in custom Salt configurations, and implement event bus monitoring and alerting.
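As an added example (not from this page or from the Salt project), the following monitor reads 'salt-run state.event' output, where each event is printed as its tag, a tab and a JSON payload, and flags minion-published events that land under tags reserved for master-originated activity or that name a different minion than the sender. The reserved-prefix list, and the premise that the republished payload carries the minion's 'cmd' and 'id' fields, are assumptions of this example rather than facts stated on the page.

```python
import json

# Assumed for this example: tag namespaces only master-side components publish under.
MASTER_ONLY_PREFIXES = ("salt/run/", "salt/wheel/", "salt/reactor/")

def parse_state_event_line(line):
    """Parse one 'salt-run state.event' output line: '<tag>\\t<json payload>'."""
    tag, sep, raw = line.rstrip("\n").partition("\t")
    if not sep:
        raise ValueError(f"expected '<tag>\\t<json>', got {line!r}")
    return tag, json.loads(raw)

def minion_id_in_tag(tag):
    """Minion id named by a tag of the form salt/minion/<id>/..., else None."""
    parts = tag.split("/")
    return parts[2] if len(parts) >= 4 and parts[:2] == ["salt", "minion"] else None

def audit_event(tag, data):
    """Return findings for one event; an empty list means nothing looked off."""
    findings = []
    # Assumption: the master republishes the minion's request load as the event
    # payload, so a minion-sourced event carries cmd == "_minion_event" and its id.
    if data.get("cmd") != "_minion_event":
        return findings
    sender = data.get("id", "<unknown>")
    if tag.startswith(MASTER_ONLY_PREFIXES):
        findings.append(f"minion {sender} published master-reserved tag {tag}")
    named = minion_id_in_tag(tag)
    if named is not None and named != sender:
        findings.append(f"minion {sender} published event tagged for {named}")
    return findings

def audit_lines(lines):
    """Audit state.event output lines; returns a list of (tag, finding) pairs."""
    results = []
    for line in lines:
        if line.strip():
            tag, data = parse_state_event_line(line)
            results.extend((tag, f) for f in audit_event(tag, data))
    return results

# Constructed sample lines (not captured from a real master).
SAMPLE_LINES = [
    'salt/job/20250613071500000000/new\t{"jid": "20250613071500000000", "fun": "test.ping"}',
    'salt/minion/web01/start\t{"cmd": "_minion_event", "id": "web01", "data": "started"}',
    'salt/minion/db01/start\t{"cmd": "_minion_event", "id": "web01", "data": "started"}',
    'salt/run/20250613071600000000/new\t{"cmd": "_minion_event", "id": "web01", "data": {}}',
]
```

Pipe live output into audit_lines, for example from 'salt-run state.event pretty=False', or feed it archived event logs; the two constructed anomalies above are the spoofed start event for db01 and the minion-sourced salt/run tag.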

Priority Score

41 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +40
POC: 0

Vendor Status

Ubuntu (priority: Medium), package salt

Release    Status        Version
trusty     needs-triage  -
xenial     needs-triage  -
bionic     needs-triage  -
jammy      needs-triage  -
noble      DNE           -
oracular   DNE           -
plucky     DNE           -
upstream   needs-triage  -
questing   DNE           -

Debian, package salt

Release     Status  Fixed Version  Urgency
(unstable)  fixed   (unfixed)      -


EUVD-2025-18251 vulnerability details – vuln.today
