CVE-2020-28243

HIGH

SaltStack Salt < 3002.5 - Command Injection via Crafted Process Name

Title source: llm
Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-28243. PoCs published by stealthcopter.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2020-28243, a command injection vulnerability in SaltStack Salt. The exploit leverages a specially crafted process name and file descriptor to achieve local privilege escalation when the master calls restartcheck.

Description

An issue was discovered in SaltStack Salt before 3002.5. The minion's restartcheck is vulnerable to command injection via a crafted process name. This allows for a local privilege escalation by any user able to create files on the minion in a non-blacklisted directory.

Exploits (1)

nomisec WORKING POC 18 stars
by stealthcopter · poc
https://github.com/stealthcopter/CVE-2020-28243

Classification
Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: SaltStack Salt (versions 2016.3.0rc2 to 3002.5)
No auth needed
Prerequisites: Write/Exec access to a directory not ignored by SaltStack · Master must call restartcheck.restartcheck on the minion
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 7.8
EPSS 0.0141
EPSS Percentile 81.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-77
Status published
Products (8)
debian/debian_linux 9.0
debian/debian_linux 10.0
debian/debian_linux 11.0
fedoraproject/fedora 32
fedoraproject/fedora 33
fedoraproject/fedora 34
pypi/salt 0 - 2015.8.13 (PyPI)
saltstack/salt < 2015.8.10
Published Feb 27, 2021
Tracked Since Feb 18, 2026