Rapid7 Vulnerability & Exploit Database

SaltStack Salt API Unauthenticated RCE through wheel_async client




This module leverages an authentication bypass and a directory traversal vulnerability in SaltStack Salt's REST API to execute commands remotely on the `master` as the root user. Every 60 seconds, the `salt-master` service performs a maintenance process check that reloads and executes all the `grains` on the `master`, including custom grain modules in the Extension Module directory. The module therefore creates a Python script at this location and waits for it to be executed. The interval is 60 seconds by default but can be changed in the `master` configuration file with the `loop_interval` option. Note that the maintenance process check is also performed whenever an administrator executes commands locally on the `master`.

The vulnerabilities have been fixed in the following installation packages: 3002.5, 3001.6 and 3000.8. A patch is also available for the following versions: 3002.2, 3001.4, 3000.6, 2019.2.8, 2019.2.5, 2018.3.5, 2017.7.8, 2016.11.10, 2016.11.6, 2016.11.5, 2016.11.3, 2016.3.8, 2016.3.6, 2016.3.4, 2015.8.13 and 2015.8.10.

This module has been tested successfully against versions 3001.4, 3002 and 3002.2 on Ubuntu 18.04.
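A defender-side check for the mechanism described above, as an added example that is not part of the module or of Salt: because the maintenance loop executes whatever grain modules sit in the Extension Module directory, the script compares that directory against a known-good baseline of file hashes. The default path, the baseline format and the one-hour "recent" window are assumptions not given on the page.

```python
import hashlib
import os
import time

# Assumption: Salt's default extension module directory on the master; the
# page does not state the path. Match it to the `extension_modules` setting.
DEFAULT_GRAINS_DIR = "/var/cache/salt/master/extmods/grains"


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_grains_dir(grains_dir, baseline, recent_seconds=3600, now=None):
    """Compare files on disk with a baseline {relative_path: sha256}.

    Returns a sorted list of (relative_path, reason) findings.
    """
    now = time.time() if now is None else now
    findings = []
    seen = set()
    for root, _dirs, files in os.walk(grains_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, grains_dir)
            seen.add(rel)
            if rel not in baseline:
                findings.append((rel, "not in baseline"))
            elif sha256_file(full) != baseline[rel]:
                findings.append((rel, "content changed"))
            # A fresh mtime is worth a look even when the hash matches.
            if now - os.stat(full).st_mtime < recent_seconds:
                findings.append((rel, "recently modified"))
    for rel in baseline:
        if rel not in seen:
            findings.append((rel, "missing from disk"))
    return sorted(findings)


if __name__ == "__main__":
    # An empty baseline lists every file, which serves as a first inventory.
    if os.path.isdir(DEFAULT_GRAINS_DIR):
        for rel, reason in audit_grains_dir(DEFAULT_GRAINS_DIR, baseline={}):
            print(f"{reason}: {rel}")
```

Store the baseline off the master, so that a process running as root on the master cannot rewrite it alongside the files it describes.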


  • Alex Seymour
  • Christophe De La Fuente




cmd, x86, x64


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/linux/http/saltstack_salt_wheel_async_rce
msf exploit(saltstack_salt_wheel_async_rce) > show targets
msf exploit(saltstack_salt_wheel_async_rce) > set TARGET < target-id >
msf exploit(saltstack_salt_wheel_async_rce) > show options
    ...show and set options...
msf exploit(saltstack_salt_wheel_async_rce) > exploit
