TCP 4506
Synopsis
- Salt (SaltStack) uses TCP port 4506 by default for the Salt master’s “return” channel, where minions authenticate and send job results back to the master (4505 is the publish/event bus).
- Real-world products that embed Salt—such as SUSE Manager/Uyuni and VMware vRealize Automation SaltStack Config—also listen on TCP 4506 on their Salt masters.
- In typical deployments, salt-minion agents on Linux/Unix systems connect outbound to the master’s TCP 4506 (and 4505) for configuration management and remote execution.
- Associated with exploitation: in 2020, internet-exposed Salt masters on ports 4505/4506 were mass-exploited via RCE vulnerabilities (CVE-2020-11651 and CVE-2020-11652), enabling attackers to execute commands and drop malware.
Observed activity
Last 30 days
Detailed chart