EUVD-2025-18254

CVE-2025-22236: HIGH 8.1 (CVSS 3.1)

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L

Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: Low

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd), patch available
Analysis Generated: Mar 14, 2026 - 21:34 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 21:34 (euvd), EUVD-2025-18254
CVE Published: Jun 13, 2025 - 07:15 (nvd), HIGH 8.1

Description (NVD)

Minion event bus authorization bypass. An attacker with access to a minion key can craft a message which may be able to execute a job on other minions (>= 3007.0).

Analysis (AI-generated)

CVE-2025-22236 is an authorization bypass vulnerability in the SaltStack minion event bus. An attacker holding a valid minion key can craft messages that execute arbitrary jobs on other minions within the same Salt infrastructure. It affects SaltStack versions 3007.0 and later and carries a CVSS score of 8.1 (High): exploitation requires high privileges, but the impact can spread across the entire minion network. The vulnerability is a critical lateral movement and privilege escalation vector in Salt deployments, though exploitation requires a pre-existing minion key compromise.

Technical Context (AI-generated)

SaltStack's event bus is the core messaging layer that coordinates communication between the Salt master and its minions. The vulnerability stems from improper authorization validation (CWE-287: Improper Authentication) in the event bus message handling logic of versions >= 3007.0. The event bus processes job execution requests, and the bypass allows an attacker holding a valid minion key to forge messages that evade the normal authentication and authorization checks. Rather than validating that a message sender is authorized to execute jobs on the target minions, the bus accepts crafted messages from any authenticated minion. This is a broken access control issue: message origin authentication exists, but message intent authorization does not. The analysis identifies the affected component as libsaltstack/minion/event_bus (or the equivalent internal module handling inter-minion communication). CPE notation would be: cpe:2.3:a:saltstack:salt:*:*:*:*:*:*:*:* (versions 3007.0 and later).

Vendor Status (Vendor)

Ubuntu

Priority: Medium
Package: salt

Release    Status        Version
trusty     needs-triage  -
xenial     needs-triage  -
bionic     needs-triage  -
jammy      needs-triage  -
noble      DNE           -
oracular   DNE           -
plucky     DNE           -
upstream   needs-triage  -
questing   DNE           -

Debian

Package: salt

Release     Status   Fixed Version   Urgency
(unstable)  fixed    (unfixed)       -


EUVD-2025-18254 vulnerability details – vuln.today
