CVE-2020-11652

MEDIUM KEV

SaltStack Salt < 2019.2.4 - Authenticated Path Traversal via ClearFuncs Methods

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2020-11652 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 10 public exploits from researchers including Jasper Lievisse Adriaanse, Al1ex, limon768, including a Metasploit module auxiliary/gather/saltstack_salt_root_key.

AI-analyzed exploit summary This exploit leverages CVE-2020-11651 (authentication bypass) and CVE-2020-11652 (directory traversal) in SaltStack to achieve remote code execution. It includes functions to read/write files and execute commands on the target system.

Description

An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.

Exploits (10)

exploitdb WORKING POC
by Jasper Lievisse Adriaanse · textremotemultiple
https://www.exploit-db.com/exploits/48421

This exploit leverages CVE-2020-11651 (authentication bypass) and CVE-2020-11652 (directory traversal) in SaltStack to achieve remote code execution. It includes functions to read/write files and execute commands on the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: SaltStack < 3000.2, < 2019.2.4, 2017.*, 2018.*
No auth needed
Prerequisites: Network access to SaltStack master · SaltStack master running a vulnerable version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 6 stars
by Al1ex · remote
https://github.com/Al1ex/CVE-2020-11652

This PoC exploits CVE-2020-11651 and CVE-2020-11652 in SaltStack to achieve remote code execution (RCE) on the master or minions. It leverages authentication bypass and arbitrary file operations to execute commands or upload files.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: SaltStack (versions < 2019.2.4 and 3000 < 3000.2)
No auth needed
Prerequisites: Network access to SaltStack master port (default 4506) · Vulnerable SaltStack version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 4 stars
by limon768 · remote
https://github.com/limon768/CVE-2020-11652-POC

This is a functional exploit PoC for CVE-2020-11652, which leverages authentication bypass (CVE-2020-11651) to achieve remote code execution on SaltStack masters. It includes methods for file read/write, command execution, and reverse shell establishment.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: SaltStack Salt (versions < 2019.2.4 and 3000 < 3000.2)
No auth needed
Prerequisites: Network access to SaltStack master (default port 4506) · Vulnerable SaltStack version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by fanjq99 · remote
https://github.com/fanjq99/CVE-2020-11652

This PoC exploits CVE-2020-11652, an authentication bypass vulnerability in SaltStack, to read arbitrary files (e.g., /etc/passwd) by leveraging improper authentication handling in the Salt master's ZeroMQ interface.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: SaltStack Salt (versions before 3000.2, 2019.2.4, 2018.3.4)
No auth needed
Prerequisites: Network access to Salt master's ZeroMQ port (default 4506) · Salt master service running and exposed
devstral-2 · analyzed Feb 16, 2026 Full analysis →
vulncheck_xdb WORKING POC
remote
https://github.com/Drew-Alleman/CVE-2020-11651

This repository contains a functional exploit for CVE-2020-11651 and CVE-2020-11652, which are authentication bypass and remote code execution vulnerabilities in SaltStack. The exploit leverages the SaltStack master's authentication mechanism to add a new user or replace the root user by modifying /etc/passwd and /etc/shadow files.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: SaltStack < 3000.2, < 2019.2.4, 2017.*, 2018.*
No auth needed
Prerequisites: Network access to the SaltStack master server · SaltStack master server running a vulnerable version
devstral-2 · analyzed Feb 25, 2026 Full analysis →
vulncheck_xdb SCANNER
remote
https://github.com/appcheck-ng/salt-rce-scanner-CVE-2020-11651-CVE-2020-11652

This repository contains a scanner for detecting CVE-2020-11651 and CVE-2020-11652 vulnerabilities in SaltStack. The code includes reporting utilities and a scanner module, but no functional exploit code is present.

Classification
Scanner 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Theoretical
Target: SaltStack
No auth needed
Prerequisites: network access to target SaltStack instance
devstral-2 · analyzed Feb 25, 2026 Full analysis →
vulncheck_xdb WORKING POC
remote
https://github.com/ssrsec/CVE-2020-11651-CVE-2020-11652-EXP

This repository contains a functional exploit for CVE-2020-11651 and CVE-2020-11652, targeting SaltStack's authentication bypass and directory traversal vulnerabilities. The exploit allows for remote command execution, file reading, and reverse shell establishment on vulnerable SaltStack masters.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: SaltStack (versions before 2019.2.4 and 3000.2)
No auth needed
Prerequisites: Network access to SaltStack master on port 4506 · Vulnerable SaltStack version
devstral-2 · analyzed Feb 25, 2026 Full analysis →
vulncheck_xdb WORKING POC
remote
https://github.com/jasperla/CVE-2020-11651-poc

This repository contains a functional exploit for CVE-2020-11651 and CVE-2020-11652, which are authentication bypass and directory traversal vulnerabilities in SaltStack. The exploit demonstrates arbitrary command execution, file read/write operations, and key extraction on vulnerable Salt master servers and minions.

Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: SaltStack Salt (versions before 3000.2, 2019.2.4, 2019.2.5)
No auth needed
Prerequisites: network access to Salt master (port 4506) · vulnerable Salt version
devstral-2 · analyzed Feb 25, 2026 Full analysis →
metasploit WORKING POC
by F-Secure, wvu · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/saltstack_salt_root_key.rb

This Metasploit module exploits an unauthenticated access vulnerability in SaltStack Salt master's ZeroMQ request server to disclose the root key used for authenticating administrative commands. It targets versions 2019.2.3 and earlier, as well as 3000.1 and earlier.

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: SaltStack Salt Master Server versions 2019.2.3 and earlier, 3000.1 and earlier
No auth needed
Prerequisites: Network access to the SaltStack Salt master server on port 4506
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC GREAT
by F-Secure, wvu · rubypocpython
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/saltstack_salt_unauth_rce.rb

This Metasploit module exploits unauthenticated access to SaltStack Salt's ZeroMQ request server (CVE-2020-11651) to execute arbitrary code as root on the master or minions. It leverages the runner() and _send_pub() methods for RCE.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: SaltStack Salt (versions 2019.2.3 and earlier, 3000.1 and earlier)
No auth needed
Prerequisites: Network access to the SaltStack master's ZeroMQ port (default 4506) · Vulnerable SaltStack version
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (13)

Core 13
Core References
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00047.html
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2020/dsa-4676
Third Party Advisory x_refsource_confirm
http://www.vmware.com/security/advisories/VMSA-2020-0009.html
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/05/msg00027.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00070.html
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4459-1/

Scores

CVSS v3 6.5
EPSS 0.9368
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact partial

Details

CISA KEV 2021-11-03
VulnCheck KEV 2020-07-22
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2020-0172
CWE
CWE-22
Status published
Products (12)
blackberry/workspaces_server 9.1.0
blackberry/workspaces_server < 7.1.3
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
debian/debian_linux 8.0
debian/debian_linux 9.0
debian/debian_linux 10.0
opensuse/leap 15.1
pypi/salt 0 - 2019.2.4PyPI
saltstack/salt < 2019.2.4
... and 2 more
Published Apr 30, 2020
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026