Blog /

Incident Report: Breach of devices due to a vulnerability in SaltStack

Date: 07 May 2020
Category: engineering

A new exploit on SaltStack was actively exploited, resulting in the installation of malware on some devices that were online during the time of the attack. Fortunately, the malware was a more uncomplicated variety, and we were able to remove it successfully from all affected devices.

We take data security and privacy very seriously on the, and we are re-evaluating all internal components for security.

Technical Details

On April 30, F-secure discovered a new vulnerability found in SaltStack(CVE-2020-11651), which has affected other major companies as well. SaltStack is a popular tool used by major organizations. uses it for managing devices on the platform. The vulnerability on SaltStack allowed for remote code execution on online devices on the platform.

On May 3, the exploit was actively exploited by a malicious party on as well as several thousand other servers resulting in the installation of malware on devices. We noticed the presence of the malware internally on May 4. The malware turned out to be a crypto-miner that starts using up all the CPU cycles of the device. It also adds a crontab entry to have persistence. We removed the malware from all active devices and also released the script we used to remove it as well.

Unfortunately, the patch on 29 April was missed by us, resulting in the vulnerability being exploitable for four days. The long weekend with engineers being away contributed to the delay as well.


  • 29-04-2020 – Public patches for the attack are pushed into SaltStack upstream.
  • 03-05-2020 06:45:00 UTC – devices are hit with the malware.
  • 04-05-2020 04:40:00 UTC – Confirmed report of malware on devices.
  • 04-05-2020 06:40:00 UTC – Device Management is shutdown on to prevent any additional payloads from being executed.
  • 04-05-2020 13:30:00 UTC – All devices that were affected are successfully cleaned.
  • 04-05-2020 15:04:00 UTC – Patched version is deployed, and device management is back online.

How it affects you as the user of

We have reached out to all the users who were directly affected by this malware. If you did not get an email, you were not part of the affected group.

As a security measure, we have refreshed security and authentication tokens for all devices on boarded by users on our platform. As a result, all your devices will have to be re-authenticated with the platform before you can use them again. We have preserved all the labels and metadata associated with a device.

To re-authenticate your devices, follow the steps below:

  1. Please select the device.
  2. Click on Token button.
  3. Copy the curl command
  4. Execute it on the physical device.

This only applies for older users. New users can follow the onboarding tutorial.

Measures taken by for future security

We are making sure that all our internet-facing components are secured against generic vulnerabilities in the future. To prevent us from missing essential patches, we are making sure that we read and acknowledge patch notes/emails for all vital services used by

Security has always been an important priority at We have timely external third-party security testing of our platform done and also continue to work on improving the general security of the components.

Feel free to reach out to us at for any questions or clarifications.

Recent Articles

—enabling ‘Warehouse Automation for anyone’ through award-winning distributed intelligence and an innovative modular design SCHAUMBURG, IL / ACCESSWIRE / July 9, 2024 / Rapyuta Robotics Inc., a leading provider of...

read me

AI-based continuous improvement—which leverages AI algorithms and machine learning models to continuously analyze data and uncover opportunities for improvement—enhances operational efficiency, reduces errors, and swiftly adapts to changing environments. By...

read me

On average, warehouse associates spend 50–60 percent of their time walking to find items within the facility. Rapyuta pick assist robots (PA-AMRs) in Distribution Centers (DCs) dramatically cut down this...

read me
In Vol.12 of this series, we interview an engineer who has a PhD in semiconductor technology and is active in the world of robotics, which began as a hobby! What does he find attractive about the robotics industry, what is rewarding about his work at Laputa Robotics, and what are his new challenges?
read me