CVE-2025-22240: Vulnerability in VMware SALT
Arbitrary directory creation or file deletion. In the find_file method of the GitFS class, a path is created with os.path.join using unvalidated input from the “tgt_env” variable. An attacker can exploit this to delete any file that the Master's process has permissions to.
AI Analysis
Technical Summary
CVE-2025-22240 is a vulnerability identified in VMware SALT, specifically affecting versions 3006.x and 3007.x. The flaw exists in the find_file method of the GitFS class, where the path construction uses the Python os.path.join function with unvalidated input from the "tgt_env" variable. This lack of input validation allows an attacker with certain privileges to manipulate the path, enabling arbitrary directory creation or file deletion on the system where the SALT Master process runs. Since the SALT Master typically has elevated permissions to manage configuration files and orchestrate remote commands, exploitation of this vulnerability could lead to deletion of critical files or directories that the Master process has access to. The vulnerability requires local access (AV:L), high complexity (AC:H), high privileges (PR:H), and user interaction (UI:R) to be exploited, as per the CVSS vector. The impact on confidentiality, integrity, and availability is high because arbitrary file deletion can disrupt system operations, cause data loss, and potentially facilitate further attacks by removing security controls or logs. No known exploits are currently reported in the wild, but the vulnerability is publicly disclosed and rated with a CVSS score of 6.3, indicating a medium severity level. Given the role of VMware SALT in infrastructure automation and configuration management, this vulnerability poses a significant risk to environments relying on these versions for orchestration and configuration tasks.
Potential Impact
For European organizations, the impact of this vulnerability can be substantial, especially for enterprises and service providers that utilize VMware SALT for infrastructure automation and configuration management. Exploitation could lead to unauthorized deletion of critical configuration files or directories, resulting in service disruptions, downtime, and potential loss of data integrity. This could affect cloud service providers, managed service providers, financial institutions, and large enterprises that depend on automated configuration management for operational continuity. Additionally, deletion of security-related files or logs could hinder incident response and forensic investigations, increasing the risk of undetected lateral movement or persistent threats. The requirement for high privileges and user interaction limits the attack surface but does not eliminate risk, particularly in environments where insider threats or compromised privileged accounts exist. The medium severity rating suggests that while the vulnerability is not trivial to exploit, the consequences of successful exploitation warrant prompt attention to avoid operational and reputational damage.
Mitigation Recommendations
1. Immediate patching: Although no patch links are provided in the current data, organizations should monitor VMware advisories closely and apply patches or updates as soon as they become available for versions 3006.x and 3007.x.
2. Restrict access: Limit access to the SALT Master system to trusted administrators only, enforcing strict access controls and multi-factor authentication to reduce the risk of privilege misuse.
3. Input validation: Implement additional input validation or sanitization controls at the application or orchestration layer to prevent malicious manipulation of the "tgt_env" variable or similar inputs.
4. Monitoring and alerting: Deploy file integrity monitoring on critical directories managed by SALT to detect unauthorized file deletions or directory changes promptly.
5. Least privilege principle: Ensure the SALT Master process runs with the minimum necessary permissions to reduce the potential impact of file deletions.
6. User interaction controls: Since exploitation requires user interaction, educate privileged users about phishing and social engineering risks that could trigger this vulnerability.
7. Incident response readiness: Prepare and test incident response plans specifically for configuration management compromise scenarios, including backup and recovery procedures for critical configuration files.
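The unvalidated os.path.join described in the technical summary, and the input validation suggested in recommendation 3, shown as an added example (this is not Salt's code or its patch). `naive_env_path` shows how a joined value can leave its base directory, and `safe_env_path` is one containment check; the function names and `CACHE_ROOT` are hypothetical.

```python
import os

# Constructed base directory standing in for a fileserver cache root (assumption).
CACHE_ROOT = "/var/cache/example/gitfs/refs"


def naive_env_path(root, tgt_env):
    """Unvalidated join: the pattern the CVE description names."""
    return os.path.normpath(os.path.join(root, tgt_env))


def is_contained(root, candidate):
    """True if candidate resolves to root itself or to a path beneath it.

    commonpath compares whole components, so a sibling directory such as
    'refs-evil' does not pass the way a string-prefix comparison would.
    """
    root = os.path.realpath(root)
    candidate = os.path.realpath(candidate)
    return os.path.commonpath([root, candidate]) == root


def safe_env_path(root, tgt_env):
    """Join root and tgt_env, refusing anything that escapes root."""
    if not tgt_env or "\x00" in tgt_env:
        raise ValueError("empty or malformed environment name")
    if os.path.isabs(tgt_env):
        # os.path.join discards root entirely when the second part is absolute.
        raise ValueError("absolute environment name rejected")
    candidate = os.path.join(root, tgt_env)
    if not is_contained(root, candidate):
        raise ValueError("environment name escapes the cache root")
    return os.path.realpath(candidate)


def classify(envs, root=CACHE_ROOT):
    """Return {env: 'ok' or the rejection reason} for a batch of names."""
    verdicts = {}
    for env in envs:
        try:
            safe_env_path(root, env)
            verdicts[env] = "ok"
        except ValueError as exc:
            verdicts[env] = str(exc)
    return verdicts


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    for env, verdict in classify(["base", "feature/login", "a/../../b", "/etc"]).items():
        print(f"{env!r:18} naive={naive_env_path(CACHE_ROOT, env)!r} -> {verdict}")
```

Running the same check over environment names already present in configuration or logs gives a quick audit of which values would have resolved outside the cache root.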
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: vmware
- Date Reserved: 2025-01-02T04:30:06.833Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 684bd0fda8c9212743802a4b
Added to database: 6/13/2025, 7:19:25 AM
Last enriched: 6/13/2025, 7:35:14 AM
Last updated: 6/14/2025, 2:39:15 AM