Cyber Resilience

CVE-2025-62348

Severity: High
Published: 30 January 2026
Modified: 15 April 2026
KEV Added: no (not listed in the CISA KEV catalog)
Patch: available (see the vendor advisory in the analysis below)
CVSS v4.0: 7.3 (High), base vector CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined)
EPSS: 0.0001 (0.6th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-62348 is a high-severity Code Injection (CWE-94) vulnerability in Salt (vendor Saltproject, inferred from references). Its CVSS v4.0 base score is 7.3 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS places it at the 0.6th percentile, well below the median exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-62348 affects Salt's junos execution module, which used an unsafe YAML decode/load. A specially crafted YAML payload reaching that decode path can lead to unintended code execution in the context of the Salt process. The vulnerability, published 2026-01-30, carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) alongside the v4.0 score of 7.3 given above, and is classified as CWE-94 (Code Injection).

An attacker with local access and low privileges can exploit this vulnerability with low complexity and no user interaction. The v4.0 vector additionally records AT:P (attack requirements present): the crafted payload must actually reach the junos module's YAML decode path. Successful exploitation yields arbitrary code execution in the context of the Salt process, with high impact on confidentiality, integrity, and availability; scope is unchanged (S:U), so the rated impact is confined to the host running Salt. Note that Salt minions and proxy minions run as root by default, so "the Salt process" context is frequently root.

The fix is described in the Salt 3006.17 release notes at https://docs.saltproject.io/en/latest/topics/releases/3006.17.html, which also cover mitigation for this issue.

Vulnerability details

Salt's junos execution module contained an unsafe YAML decode/load usage. A specially crafted YAML payload processed by the junos module could lead to unintended code execution under the context of the Salt process.
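Added example, not Salt project code and not the junos module's actual source: a stdlib-only static check that walks a Python AST and reports every PyYAML call that can construct arbitrary Python objects from tagged YAML, the CWE-94 pattern this CVE describes. Running it over a code base is a quick way to find the same unsafe decode/load pattern elsewhere. The source it scans (SAMPLE_SOURCE) is constructed for the demo; the function names in it are assumptions.

```python
"""
Static check for unsafe PyYAML loading (the CWE-94 pattern behind CVE-2025-62348).

Added example, not Salt project code.  It resolves 'import yaml' / 'from yaml
import ...' aliases, then flags every call that can instantiate Python objects
from !!python/* tags.  SAMPLE_SOURCE is constructed for the demo.
"""
import ast

# Loaders that honour !!python/* tags and therefore allow code execution.
UNSAFE_LOADERS = {"Loader", "UnsafeLoader", "FullLoader",
                  "CLoader", "CUnsafeLoader", "CFullLoader"}
# Loaders restricted to plain YAML types (str, int, list, dict, ...).
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
# PyYAML entry points that always use an unsafe loader.
ALWAYS_UNSAFE = {"unsafe_load", "unsafe_load_all", "full_load", "full_load_all"}
# Entry points whose safety depends on the Loader argument.
LOADER_DEPENDENT = {"load", "load_all"}


def _last_attr(node):
    """Trailing name of an ast.Name / ast.Attribute, e.g. yaml.SafeLoader -> 'SafeLoader'."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def _collect_aliases(tree):
    """Map local names back to PyYAML: module aliases and 'from yaml import x as y'."""
    modules, funcs = set(), {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "yaml":
                    modules.add(alias.asname or "yaml")
        elif isinstance(node, ast.ImportFrom) and node.module == "yaml":
            for alias in node.names:
                funcs[alias.asname or alias.name] = alias.name
    return modules, funcs


def _yaml_func(call, modules, funcs):
    """Return the PyYAML function a call resolves to, or None if it is not PyYAML."""
    f = call.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name) and f.value.id in modules:
        return f.attr
    if isinstance(f, ast.Name) and f.id in funcs:
        return funcs[f.id]
    return None


def _loader_name(call):
    """Loader passed to yaml.load(), by keyword or as the second positional argument."""
    for kw in call.keywords:
        if kw.arg == "Loader":
            return _last_attr(kw.value) or "<expr>"
    if len(call.args) >= 2:
        return _last_attr(call.args[1]) or "<expr>"
    return None


def find_unsafe_yaml_loads(source, filename="<string>"):
    """Return [(lineno, function, reason)] for every PyYAML call that is not a safe load."""
    tree = ast.parse(source, filename)
    modules, funcs = _collect_aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = _yaml_func(node, modules, funcs)
        if func in ALWAYS_UNSAFE:
            findings.append((node.lineno, func, "always uses an object-constructing loader"))
        elif func in LOADER_DEPENDENT:
            loader = _loader_name(node)
            if loader in SAFE_LOADERS:
                continue  # yaml.load(data, Loader=SafeLoader) is equivalent to safe_load
            if loader is None:
                reason = ("no Loader argument: relied on PyYAML's historical default, "
                          "which was the unsafe Loader before 5.1; treat as unsafe")
            elif loader in UNSAFE_LOADERS:
                reason = f"Loader={loader} constructs arbitrary Python objects"
            else:
                reason = f"Loader={loader} is not a recognised safe loader; review"
            findings.append((node.lineno, func, reason))
    return sorted(findings)


# Constructed sample source (not the junos module).  Lines 5, 8 and 11 are findings.
SAMPLE_SOURCE = '''\
import yaml
from yaml import unsafe_load as uload

def parse_reply(text):
    return yaml.load(text)                          # no Loader argument

def parse_config(text):
    return yaml.load(text, Loader=yaml.Loader)      # explicit unsafe loader

def parse_legacy(text):
    return uload(text)                              # aliased unsafe_load

def parse_fixed(text):
    return yaml.safe_load(text)                     # hardened form

def parse_fixed_alt(text):
    return yaml.load(text, Loader=yaml.SafeLoader)  # equivalent to safe_load
'''

if __name__ == "__main__":
    for lineno, func, reason in find_unsafe_yaml_loads(SAMPLE_SOURCE, "sample.py"):
        print(f"sample.py:{lineno}: yaml.{func}: {reason}")
```

The check only follows direct PyYAML imports; project-level wrappers around PyYAML (such as Salt's own YAML utility modules) are not resolved and need a separate review of which loader they select. The hardened forms it accepts are `yaml.safe_load` and `yaml.load(..., Loader=yaml.SafeLoader)`, which reject the object-constructing tags that make a crafted payload executable.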

CWE(s)

CWE-94 Improper Control of Generation of Code ('Code Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1068 Exploitation for Privilege Escalation (Privilege Escalation): adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1059.006 Python (Execution): adversaries may abuse Python commands and scripts for execution.
Why these techniques?

Unsafe YAML deserialization in Salt lets a local, low-privileged attacker run arbitrary Python code (CWE-94), which maps directly to privilege escalation through exploitation and to abuse of the Python interpreter.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2026-26030 (shared CWE-94)
- CVE-2025-21292 (shared CWE-94)
- CVE-2026-26682 (shared CWE-94)
- CVE-2026-22807 (shared CWE-94)
- CVE-2025-69872 (shared CWE-94)
- CVE-2024-7425 (shared CWE-94)
- CVE-2025-33240 (shared CWE-94)
- CVE-2026-27952 (shared CWE-94)
- CVE-2025-25943 (shared CWE-94)
- CVE-2025-64691 (shared CWE-94)

Affected Assets

Saltproject (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

- Prevent: apply the vendor fix. Patching replaces the unsafe YAML decode/load in Salt's junos module, as described in the vendor advisory.
- Prevent, SI-10 (Information Input Validation): validate YAML inputs reaching the junos module so that specially crafted payloads are rejected. In practice this means decoding with a safe loader that refuses object-constructing tags, rather than filtering the text beforehand.
- Prevent, CM-7 (Least Functionality): disable or restrict the junos execution module where it is not needed (for example through the minion's disable_modules setting), so that its unsafe YAML processing cannot be reached at all.

References

- Salt 3006.17 release notes (vendor advisory): https://docs.saltproject.io/en/latest/topics/releases/3006.17.html