CVE-2020-25592

CRITICAL

SaltStack Salt - Improper Authentication Bypass via eauth Credential Validation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-25592. PoCs published by KPC, wvu, including Metasploit module exploits/linux/http/saltstack_salt_api_cmd_exec.

AI-analyzed exploit summary This Metasploit module exploits an authentication bypass (CVE-2020-25592) and command injection (CVE-2020-16846) in SaltStack Salt's REST API to execute arbitrary commands as root. It leverages the 'ssh_priv' parameter in the REST API to inject commands, bypassing authentication via the 'eauth' parameter.

Description

In SaltStack Salt through 3002, salt-netapi improperly validates eauth credentials and tokens. A user can bypass authentication and invoke Salt SSH.

Exploits (1)

metasploit WORKING POC EXCELLENT

by KPC, wvu · rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/saltstack_salt_api_cmd_exec.rb

View Code ZIP pw:eip

This Metasploit module exploits an authentication bypass (CVE-2020-25592) and command injection (CVE-2020-16846) in SaltStack Salt's REST API to execute arbitrary commands as root. It leverages the 'ssh_priv' parameter in the REST API to inject commands, bypassing authentication via the 'eauth' parameter.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: SaltStack Salt (versions before 2015.8.10, 2015.8.13, 2016.3.4, 2016.3.6, 2016.3.8, 2016.11.3, 2016.11.6, 2016.11.10, 2017.7.4, 2017.7.8, 2018.3.5, 2019.2.5, 2019.2.6, 3000.3, 3000.4, 3001.1, 3001.2, and 3002)

No auth needed

Prerequisites: Network access to the SaltStack REST API (typically port 8000) · REST API must be exposed and accessible

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →