CVE-2021-25281

Name: CVE-2021-25281
Creator: NVD / NIST
Published: 2021-02-27T05:15:13.847+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 72.95%

Last modified Jun 17, 2026

CVE-2021-25281 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. EPSS estimates a 72.95% chance of exploitation in the next 30 days.

Description

An issue was discovered in through SaltStack Salt before 3002.5. salt-api does not honor eauth credentials for the wheel_async client. Thus, an attacker can remotely run any wheel modules on the master.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

72.95%

99.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-287

Affected Software

Vendor	Product	Versions
Saltstack	Salt	< 2015.8.10
Saltstack	Salt	>= 2015.8.11, < 2015.8.13
Saltstack	Salt	>= 2016.3.0, < 2016.3.4
Saltstack	Salt	>= 2016.3.5, < 2016.3.6
Saltstack	Salt	>= 2016.3.7, < 2016.3.8
Saltstack	Salt	>= 2016.3.9, < 2016.11.3
Saltstack	Salt	>= 2016.11.4, < 2016.11.5
Saltstack	Salt	>= 2016.11.7, < 2016.11.10
Saltstack	Salt	>= 2017.5.0, < 2017.7.8
Saltstack	Salt	>= 2018.2.0, <= 2018.3.5
Saltstack	Salt	>= 2019.2.0, < 2019.2.5
Saltstack	Salt	>= 2019.2.6, < 2019.2.8
Saltstack	Salt	>= 3000, < 3000.6
Saltstack	Salt	>= 3001, < 3001.4
Saltstack	Salt	>= 3002, < 3002.5
Fedoraproject	Fedora	32
Fedoraproject	Fedora	33
Fedoraproject	Fedora	34
Debian	Debian Linux	9.0
Debian	Debian Linux	10.0
Debian	Debian Linux	11.0

References

http://packetstormsecurity.com/files/162058/SaltStack-Salt-API-Unauthenticated-Remote-Command-Execution.htmlExploit, Third Party Advisory, VDB Entry
https://github.com/saltstack/salt/releasesRelease Notes, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/11/msg00009.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/Mailing List, Third Party Advisory
https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/Vendor Advisory
https://security.gentoo.org/glsa/202103-01Third Party Advisory
https://security.gentoo.org/glsa/202310-22Third Party Advisory
https://www.debian.org/security/2021/dsa-5011Third Party Advisory
https://www.saltstack.com/blog/active-saltstack-cve-announced-2021-jan-21/Vendor Advisory
http://packetstormsecurity.com/files/162058/SaltStack-Salt-API-Unauthenticated-Remote-Command-Execution.htmlExploit, Third Party Advisory, VDB Entry
https://github.com/saltstack/salt/releasesRelease Notes, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/11/msg00009.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7GRVZ5WAEI3XFN2BDTL6DDXFS5HYSDVB/Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUGLOJ6NXLCIFRD2JTXBYQEMAEF2B6XH/Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YOGNT2XWPOYV7YT75DN7PS4GIYWFKOK5/Mailing List, Third Party Advisory
https://saltproject.io/security_announcements/active-saltstack-cve-release-2021-feb-25/Vendor Advisory
https://security.gentoo.org/glsa/202103-01Third Party Advisory
https://security.gentoo.org/glsa/202310-22Third Party Advisory
https://www.debian.org/security/2021/dsa-5011Third Party Advisory
https://www.saltstack.com/blog/active-saltstack-cve-announced-2021-jan-21/Vendor Advisory

Timeline

Published: Feb 27, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-25281?

How severe is CVE-2021-25281?

CVE-2021-25281 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 72.95% probability of exploitation in the next 30 days.

How do I fix CVE-2021-25281?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-25281?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST