CVE-2025-22237: Vulnerability in VMware SALT

Severity: Medium
Published: Fri Jun 13 2025 (06/13/2025, 06:55:39 UTC)
Source: CVE Database V5
Vendor/Project: VMware
Product: SALT

Description

An attacker with access to a minion key can exploit the 'on demand' pillar functionality with a specially crafted git url which could cause an arbitrary command to be run on the master with the same privileges as the master process.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 00:49:28 UTC

Technical Analysis

CVE-2025-22237 is a command injection vulnerability in VMware SALT versions 3006.x and 3007.x, specifically within the 'on demand' pillar functionality. The vulnerability arises when an attacker possessing a valid minion key crafts a malicious git URL that is processed by the master server. Due to insufficient sanitization of this input, the attacker can execute arbitrary commands on the master with the same privileges as the master process. This vulnerability is classified under CWE-77 (Improper Neutralization of Special Elements used in a Command). The attack vector is local (AV:L), requiring the attacker to have high privileges (PR:H) via possession of a minion key, but no user interaction is needed (UI:N). The scope is unchanged (S:U), but the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H), reflected in a CVSS 3.1 base score of 6.7 (medium severity). No patches or exploits are currently publicly available, but the vulnerability poses a significant risk due to the elevated privileges of the master process. The vulnerability was reserved in early 2025 and published in June 2025. The master server, which orchestrates configuration management and automation, is critical infrastructure in many organizations, making this vulnerability particularly concerning if exploited.

Potential Impact

If exploited, this vulnerability allows an attacker with a minion key to execute arbitrary commands on the VMware SALT master server with full privileges. This can lead to complete compromise of the master server, resulting in unauthorized access to sensitive configuration data, disruption of automation workflows, and potential lateral movement within the network. The attacker could manipulate or disrupt critical infrastructure managed by SALT, causing operational downtime or data breaches. Given the master server’s central role, the impact extends beyond a single system, potentially affecting multiple managed nodes and services. The requirement for a minion key limits the attack surface but does not eliminate risk, especially in environments where key management is weak or compromised. Organizations relying heavily on VMware SALT for configuration management and automation are at risk of significant operational and security impacts.

Mitigation Recommendations

Organizations should immediately audit and restrict access to minion keys, ensuring they are only available to trusted entities and rotated regularly. Implement strict access controls and monitoring around the SALT master and minion key usage. Disable or restrict the 'on demand' pillar functionality if not required. Monitor logs for unusual git URL usage or unexpected command executions on the master server. VMware should be engaged to provide patches or updates; until then, consider isolating the SALT master server in a segmented network zone to limit exposure. Employ defense-in-depth strategies such as host-based intrusion detection systems (HIDS) and endpoint protection on the master server. Conduct regular security assessments and penetration testing focused on SALT deployments. Finally, educate administrators on secure key management and the risks associated with elevated privileges in automation tools.
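
The recommendation to monitor for unusual git URL usage can be made concrete with a strict allow-list check on git remote URLs. The following is an added example, not code from Salt or from this advisory; the host `git.example.internal`, the permitted schemes and the sample URLs are assumptions constructed for illustration, and it does not reproduce the crafted URL or the vendor's fix.

```python
import re
from urllib.parse import urlsplit

# Assumptions: the only hosts and schemes pillar repositories are served from.
ALLOWED_HOSTS = {"git.example.internal"}
ALLOWED_SCHEMES = {"https", "ssh"}
# Conservative alphabets: letters, digits, '.', '_', '-' (and '/' in paths).
SAFE_PATH = re.compile(r"/[A-Za-z0-9._/-]+")
SAFE_USER = re.compile(r"[A-Za-z0-9._-]+")


def check_git_remote(url):
    """Return (ok, reason) for a git remote URL judged against the allow-list."""
    if not isinstance(url, str) or not url or len(url) > 2048:
        return False, "empty or oversized"
    if any(c.isspace() or ord(c) < 0x20 for c in url):
        return False, "whitespace or control character"
    try:
        parts = urlsplit(url)
        parts.port  # accessing .port raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable"
    # scp-style remotes (user@host:path) parse with an empty scheme and are
    # rejected here, so only explicit URL forms pass.
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.hostname not in ALLOWED_HOSTS:
        return False, "host not allowed"
    if parts.password is not None or (
        parts.username and not SAFE_USER.fullmatch(parts.username)
    ):
        return False, "unsafe userinfo"
    if parts.query or parts.fragment:
        return False, "query or fragment present"
    if not SAFE_PATH.fullmatch(parts.path) or ".." in parts.path.split("/"):
        return False, "unsafe path"
    return True, "ok"


def audit(urls):
    """Return [(url, reason)] for every URL that fails the allow-list."""
    results = ((u, check_git_remote(u)) for u in urls)
    return [(u, reason) for u, (ok, reason) in results if not ok]


# Constructed sample remotes, e.g. as extracted from master logs or config.
SAMPLE_REMOTES = [
    "https://git.example.internal/pillar/web.git",
    "ssh://git@git.example.internal/pillar/db.git",
    "file:///srv/pillar",
    "https://other.example.net/pillar.git",
    "https://git.example.internal/pillar.git;x",
]
```

Anything `audit` returns is a remote that falls outside the expected set and is worth reviewing alongside the minion key that requested it.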


Technical Details

Data Version: 5.1
Assigner Short Name: vmware
Date Reserved: 2025-01-02T04:30:06.833Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 684bcd89a8c9212743802748

Added to database: 6/13/2025, 7:04:41 AM

Last enriched: 2/27/2026, 12:49:28 AM

Last updated: 3/24/2026, 11:44:56 PM
