CVE-2020-16846

CRITICAL KEV NUCLEI LAB

SaltStack Salt REST API Arbitrary Command Execution

Title source: metasploit

Exploitation Summary

CVE-2020-16846 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 2 public exploits from researchers including hamza-boudouche, zomy22. A Nuclei detection template is also available.

AI-analyzed exploit summary This PoC repository contains a reverse shell payload and a setup script for SaltStack. The payload.sh file initiates a reverse shell connection, while salt_setup.sh automates the installation and configuration of a vulnerable SaltStack environment (v3002).

Description

An issue was discovered in SaltStack Salt through 3002. Sending crafted web requests to the Salt API, with the SSH client enabled, can result in shell injection.

Exploits (2)

nomisec WORKING POC

by hamza-boudouche · poc

https://github.com/hamza-boudouche/projet-secu

View Code ZIP pw:eip

This PoC repository contains a reverse shell payload and a setup script for SaltStack. The payload.sh file initiates a reverse shell connection, while salt_setup.sh automates the installation and configuration of a vulnerable SaltStack environment (v3002).

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: SaltStack Salt v3002

No auth needed

Prerequisites: Network access to the target · Target running vulnerable SaltStack version

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by zomy22 · poc

https://github.com/zomy22/CVE-2020-16846-Saltstack-Salt-API

View Code ZIP pw:eip

This repository contains a working PoC for CVE-2020-16846, a command injection vulnerability in SaltStack Salt API. The exploit leverages crafted web requests to achieve remote code execution via the SSH client functionality.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: SaltStack Salt API v3002

No auth needed

Prerequisites: Vulnerable SaltStack Salt API instance · Network access to the Salt API port

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

SaltStack <=3002 - Shell Injection

CRITICALby dwisiswant0

References (15)

Core 15

Core References

Release Notes x_refsource_misc

https://github.com/saltstack/salt/releases

Broken Link, Vendor Advisory x_refsource_confirm

https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/

Release Notes vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TPOGB2F6XUAIGFDTOCQDNB2VIXFXHWMA/

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00029.html

Third Party Advisory vendor-advisory x_refsource_gentoo

https://security.gentoo.org/glsa/202011-13

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/160039/SaltStack-Salt-REST-API-Arbitrary-Command-Execution.html

Third Party Advisory, VDB Entry x_refsource_misc

https://www.zerodayinitiative.com/advisories/ZDI-20-1381/

Third Party Advisory, VDB Entry x_refsource_misc

https://www.zerodayinitiative.com/advisories/ZDI-20-1383/

Third Party Advisory, VDB Entry x_refsource_misc

https://www.zerodayinitiative.com/advisories/ZDI-20-1380/

Third Party Advisory, VDB Entry x_refsource_misc

https://www.zerodayinitiative.com/advisories/ZDI-20-1379/

Third Party Advisory, VDB Entry x_refsource_misc

https://www.zerodayinitiative.com/advisories/ZDI-20-1382/

Mailing List, Third Party Advisory mailing-list x_refsource_mlist

https://lists.debian.org/debian-lts-announce/2020/12/msg00007.html

Mailing List, Third Party Advisory vendor-advisory x_refsource_debian

https://www.debian.org/security/2021/dsa-4837

Mailing List, Third Party Advisory mailing-list x_refsource_mlist

https://lists.debian.org/debian-lts-announce/2022/01/msg00000.html

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-16846

Scores

CVSS v3 9.8

EPSS 0.9439

EPSS Percentile 100.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable yes

Technical Impact total

Lab Environment

COMMUNITY

Community Lab

docker pull praqma/network-multitool:alpine-extra

https://github.com/zomy22/CVE-2020-16846-Saltstack-Salt-API

https://github.com/hamza-boudouche/projet-secu

View in Library

Details

CISA KEV 2021-11-03

VulnCheck KEV 2021-04-24

InTheWild.io 2021-07-23

ENISA EUVD EUVD-2020-0173

CWE

CWE-78

Status published

Products (8)

debian/debian_linux 9.0

debian/debian_linux 10.0

fedoraproject/fedora 31

opensuse/leap 15.1

pypi/salt 0 - 2015.8.13PyPI

saltstack/salt 3001

saltstack/salt 3002

saltstack/salt < 2015.8.10

Published Nov 06, 2020

KEV Added Nov 03, 2021

Tracked Since Feb 18, 2026