[SB 20.16] critical flaw in SaltStack may lead to RCE and Infrastructure-compromise (CVE-2020-11651 )

On 2020-04-30 F-Secure published an Advisory with some critical Bugs in Saltstack, leading to a complete compromise of the Salt-Master and possibly Minions.

SwitHak released an more detailed CheatSheet on that issue, highlighting all essential information.

saltsstack swithak

While releasing this a day before holidays in europe, various ORGs got compromised within 1 day or 2:

POCs exists:

PostMortem - Analysis

Saltstack-Release-Notes (Link)

saltsstack release notes {% .img-responsive %}


  • 2020-05-05 - new sources and detailed information
  • 2020-05-06 - PostMortem
  • 2020-05-28 - more fallout

Fragen? Kontakt: info@zero.bs