CVE-2025-22241: Vulnerability in VMware SALT

Medium
Published: Fri Jun 13 2025 (06/13/2025, 07:04:38 UTC)
Source: CVE Database V5
Vendor/Project: VMware
Product: SALT

Description

File contents overwrite: the VirtKey class is called when “on-demand pillar” data is requested and uses un-validated input to create paths to the “pki directory”. The functionality is used to auto-accept Minion authentication keys based on a pre-placed “authorization file” at a specific location and is present in the default configuration.

AI-Powered Analysis

Last updated: 06/13/2025, 07:35:00 UTC

Technical Analysis

CVE-2025-22241 is a medium severity vulnerability affecting VMware SALT versions 3006.x and 3007.x. The vulnerability arises from improper validation of input used to construct file paths within the VirtKey class, which is invoked during requests for "on-demand pillar" data. Specifically, unvalidated input is used to create paths to the "pki directory," a critical location that stores authentication keys. This flaw is compounded by the default configuration behavior that auto-accepts Minion authentication keys if an "authorization file" is pre-placed at a specific location. An attacker with high privileges and local access could exploit this vulnerability by manipulating the input to overwrite file contents within the pki directory, potentially replacing or injecting malicious authorization files. This could allow unauthorized Minion authentication key acceptance, leading to elevated access within the Salt infrastructure. The CVSS 3.1 score of 5.6 reflects a medium severity, with the vector indicating that exploitation requires local access (AV:L), high attack complexity (AC:H), high privileges (PR:H), and user interaction (UI:R). The impact on confidentiality and integrity is high, as unauthorized key acceptance could lead to unauthorized command execution or data exposure. Availability impact is not significant. No known exploits are currently reported in the wild, and no patches or mitigations have been explicitly linked yet. The vulnerability is present in default configurations, increasing the risk if systems remain unpatched or are not securely configured.
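The containment check that this class of bug calls for, as an added example; it is not Salt's code and not part of the advisory. The function names, the throwaway `pki` directory and the candidate names are constructed for illustration, and the naive join is shown only as the pattern to avoid.

```python
import os
import tempfile

class UnsafePathError(ValueError):
    """A requested name would resolve outside the allowed directory."""

def naive_key_path(pki_dir, name):
    # Pattern to avoid: caller-supplied input joined into the path unchecked.
    return os.path.join(pki_dir, name)

def safe_key_path(pki_dir, name):
    """Return the real path of `name` inside `pki_dir` or raise UnsafePathError."""
    if not name or "\x00" in name:
        raise UnsafePathError("empty name or NUL byte")
    # A key name is one path component: no separators, no dot entries.
    seps = [s for s in (os.sep, os.altsep) if s]
    if name in (".", "..") or any(s in name for s in seps):
        raise UnsafePathError("name must be a single path component")
    base = os.path.realpath(pki_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # realpath follows symlinks, so a link planted inside pki_dir is caught too.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePathError("resolved path escapes the pki directory")
    return candidate

def check(pki_dir, name):
    """Return 'ok' or the rejection reason for one candidate name."""
    try:
        safe_key_path(pki_dir, name)
        return "ok"
    except UnsafePathError as exc:
        return str(exc)

def demo():
    """Run constructed names against a throwaway pki directory."""
    with tempfile.TemporaryDirectory() as root:
        pki = os.path.join(root, "pki")
        os.mkdir(pki)
        os.symlink(root, os.path.join(pki, "link"))  # link that points outside
        names = ["minion-01", "../outside", "link", ""]
        return {n: check(pki, n) for n in names}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(repr(name), "->", verdict)
```

The separator check and the resolved-path check are both needed: the first rejects multi-component names outright, the second catches a single-component name that is itself a symlink out of the directory.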

Potential Impact

For European organizations, this vulnerability poses a risk primarily to those using VMware SALT for configuration management and automation, especially in environments where local administrative access is shared or less strictly controlled. Exploitation could lead to unauthorized access to critical infrastructure components managed via SALT, enabling attackers to execute arbitrary commands, manipulate configurations, or exfiltrate sensitive data. This could disrupt business operations, compromise data confidentiality, and undermine trust in automated management systems. Given the reliance on automation in sectors such as finance, manufacturing, and critical infrastructure within Europe, exploitation could have cascading effects. However, the requirement for local high-privilege access and user interaction limits the attack surface, reducing the likelihood of widespread remote exploitation. Organizations with strict access controls and monitoring may mitigate risk, but insider threats or compromised administrative accounts remain a concern.

Mitigation Recommendations

1. Restrict local administrative access strictly to trusted personnel and enforce the principle of least privilege to reduce the risk of exploitation.
2. Review and harden the default configuration of VMware SALT, specifically disabling or securing the auto-acceptance of Minion authentication keys via authorization files.
3. Implement rigorous input validation and path sanitization in custom configurations or scripts interacting with the VirtKey class to prevent path traversal or file overwrite attacks.
4. Monitor file system changes within the pki directory for unauthorized modifications using file integrity monitoring tools.
5. Employ multi-factor authentication and session monitoring for administrative accounts to detect and prevent unauthorized use.
6. Stay alert for official patches or advisories from VMware and apply them promptly once available.
7. Conduct regular security audits and penetration testing focusing on local privilege escalation and configuration management components.
8. Educate administrators about the risks of placing authorization files and the importance of secure key management practices.
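For item 4, a small baseline-and-diff monitor over a key directory, as an added example that is not from the advisory or from Salt. The directory layout (`accepted/`), file names and key contents are constructed; point `snapshot` at the real pki directory of the deployment being monitored.

```python
import hashlib
import os
import tempfile

def snapshot(pki_dir):
    """Map each relative path to ('file', sha256) or ('symlink', target)."""
    state = {}
    for dirpath, dirnames, filenames in os.walk(pki_dir, followlinks=False):
        for entry in dirnames + filenames:
            full = os.path.join(dirpath, entry)
            rel = os.path.relpath(full, pki_dir)
            if os.path.islink(full):
                # Record links by target; they are never followed or hashed.
                state[rel] = ("symlink", os.readlink(full))
            elif os.path.isfile(full):
                with open(full, "rb") as fh:
                    state[rel] = ("file", hashlib.sha256(fh.read()).hexdigest())
    return state

def diff(baseline, current):
    """Return sorted (change, path) pairs between two snapshots."""
    changes = []
    for path in baseline.keys() | current.keys():
        if path not in baseline:
            changes.append(("added", path))
        elif path not in current:
            changes.append(("removed", path))
        elif baseline[path] != current[path]:
            changes.append(("modified", path))
    return sorted(changes)

def write(path, text):
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Baseline a constructed key directory, change it, and return the diff."""
    with tempfile.TemporaryDirectory() as pki:
        accepted = os.path.join(pki, "accepted")  # constructed layout
        os.mkdir(accepted)
        write(os.path.join(accepted, "minion-01"), "constructed key A")
        baseline = snapshot(pki)
        write(os.path.join(accepted, "minion-01"), "constructed key B")  # overwrite
        write(os.path.join(accepted, "minion-99"), "constructed key C")  # new key
        os.symlink(os.devnull, os.path.join(pki, "planted"))  # new symlink
        return diff(baseline, snapshot(pki))

if __name__ == "__main__":
    for change, path in demo():
        print(change, path)
```

Store the baseline outside the monitored host or directory so that whoever can overwrite key files cannot also rewrite the reference hashes.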


Technical Details

Data Version: 5.1
Assigner Short Name: vmware
Date Reserved: 2025-01-02T04:30:06.833Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 684bd0fda8c9212743802a4f

Added to database: 6/13/2025, 7:19:25 AM

Last enriched: 6/13/2025, 7:35:00 AM

Last updated: 6/14/2025, 2:56:25 AM
