Port reference
Port 4505 (TCP) – SaltStack Salt master (ZeroMQ)
ZeroMQ publish port of the Salt master where minions subscribe to receive commands.
Default state
Open and bound to all interfaces (interface: 0.0.0.0) on Salt masters by default, alongside the return port 4506. ZeroMQ itself performs no authentication; minions authenticate at the Salt protocol layer over 4506, and that layer has had critical auth-bypass bugs.
Common attacks
- Authentication bypass in the master's ClearFuncs class, reachable without credentials (CVE-2020-11651)
- Directory traversal in the wheel module, reading or writing files on the master (CVE-2020-11652)
- Master-key theft leading to arbitrary command execution on all minions
- Mass exploitation deploying cryptominers across managed fleets
Hardening
- Never expose 4505/4506 to the internet; restrict to managed minion networks
- Patch Salt promptly: CVE-2020-11651/11652 enable full master RCE and were fixed in 2019.2.4 and 3000.2
- Bind the master to a private interface and firewall the publish/return ports
- Enable and verify minion key acceptance; rotate keys after any exposure
- Monitor master logs and run Salt as a least-privileged, segmented service
nmap snippet
nmap -sV -p 4505,4506 --open <target>
Replace <target> with the host or range you're authorized to scan. -sV asks nmap to fingerprint the service (ZeroMQ/ZMTP) rather than running HTTP scripts, which do not apply to these ports.
What runs on port 4505?
Port 4505 is the SaltStack publish bus. The Salt master uses a ZeroMQ publisher on 4505 to push commands and state to its minions, which subscribe to receive them. It works as a pair with the return port 4506, where minions send back results and fetch files. Together they form the control plane of a Salt fleet.
Why it matters for security
A Salt master can execute commands as root on every managed minion, so the publish bus is one of the most sensitive endpoints in an infrastructure. If the master is reachable and unpatched, an attacker who compromises it gains simultaneous code execution across the entire fleet — a catastrophic blast radius.
How it's attacked
The 2020 vulnerabilities made this concrete. CVE-2020-11651 is an authentication bypass reachable without credentials and CVE-2020-11652 a directory traversal. Chained, they let an attacker reach the master, steal its root key, and run arbitrary commands on all minions. Mass scans followed within days, deploying cryptominers across exposed fleets.
Hardening checklist
Never expose 4505/4506 to the internet — restrict them to the managed minion network. Patch Salt promptly against CVE-2020-11651/11652 and later advisories. Bind the master to a private interface, firewall the publish/return ports, and verify minion key acceptance, rotating keys after any suspected exposure. Monitor master logs and run Salt as a least-privileged, segmented service. Use the nmap snippet above to check exposure on hosts you are authorized to test.
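An added audit script in shell (written for this page, not SaltStack's own tooling) that checks the configuration points in the checklist: the master's interface: binding, 4505/4506 listeners bound to all interfaces, and the auto_accept/open_mode options that weaken minion key acceptance. The /etc/salt/master and ss -ltn snippets below are constructed for the example; the option names and the 0.0.0.0 default are Salt's real master settings.

```bash
#!/usr/bin/env bash
# Added audit example (not SaltStack's own tooling). Checks a Salt master for the
# hardening points in the checklist: wildcard 'interface:' binding, publish/return
# ports listening on all interfaces, and key-acceptance settings (auto_accept,
# open_mode) that weaken minion authentication. Inputs are constructed below so
# the script runs offline; on a real master pass it /etc/salt/master and `ss -ltn`.

# Constructed /etc/salt/master with weak settings (Salt's own default interface is 0.0.0.0).
WEAK_CONF='interface: 0.0.0.0
publish_port: 4505
ret_port: 4506
auto_accept: True
open_mode: False'

# Constructed `ss -ltn` output from the same (weak) master.
WEAK_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      1000   0.0.0.0:4505        0.0.0.0:*
LISTEN 0      1000   0.0.0.0:4506        0.0.0.0:*
LISTEN 0      128    127.0.0.1:22        0.0.0.0:*'

# Constructed hardened counterpart: bound to a private address, manual key acceptance.
HARDENED_CONF='interface: 10.0.0.5
auto_accept: False
open_mode: False'
HARDENED_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      1000   10.0.0.5:4505       0.0.0.0:*
LISTEN 0      1000   10.0.0.5:4506       0.0.0.0:*'

# conf_value KEY  (config text on stdin): value of a top-level "key: value" line, lower-cased.
conf_value() {
  awk -v k="$1" '$1 == (k ":") { print $2; exit }' | tr '[:upper:]' '[:lower:]'
}

# wildcard_salt_listeners (ss -ltn output on stdin): prints each 4505/4506 socket bound
# to a wildcard address (0.0.0.0, *, :: or [::]); exit status 1 if any were found.
wildcard_salt_listeners() {
  awk '$1 == "LISTEN" {
         n = split($4, a, ":"); port = a[n]
         addr = substr($4, 1, length($4) - length(port) - 1)
         if ((port == "4505" || port == "4506") &&
             (addr == "0.0.0.0" || addr == "*" || addr == "::" || addr == "[::]")) {
           print $4; found = 1
         }
       }
       END { exit found ? 1 : 0 }'
}

# audit_master CONF_TEXT SS_TEXT: prints one "FINDING: ..." line per weak setting.
audit_master() {
  local conf="$1" ss_out="$2" iface auto_accept open_mode wild
  iface=$(printf '%s\n' "$conf" | conf_value interface)
  auto_accept=$(printf '%s\n' "$conf" | conf_value auto_accept)
  open_mode=$(printf '%s\n' "$conf" | conf_value open_mode)

  # An absent interface: line means Salt's default, which is 0.0.0.0.
  case "${iface:-0.0.0.0}" in
    0.0.0.0|::) echo "FINDING: master interface is '${iface:-0.0.0.0}' (Salt default); bind to a private address" ;;
  esac
  if [ "$auto_accept" = "true" ]; then
    echo "FINDING: auto_accept: True accepts any minion key without review"
  fi
  if [ "$open_mode" = "true" ]; then
    echo "FINDING: open_mode: True disables minion key verification entirely"
  fi
  if ! wild=$(printf '%s\n' "$ss_out" | wildcard_salt_listeners); then
    echo "FINDING: Salt ports listening on all interfaces:" $wild
  fi
  return 0
}

# finding_count CONF_TEXT SS_TEXT: number of findings, usable as a CI gate.
finding_count() {
  audit_master "$1" "$2" | awk '/^FINDING:/ { n++ } END { print n + 0 }'
}

echo "== weak master ==";     audit_master "$WEAK_CONF" "$WEAK_SS"
echo "== hardened master =="; audit_master "$HARDENED_CONF" "$HARDENED_SS"
```

On a live master the same functions take real input: audit_master "$(cat /etc/salt/master)" "$(ss -ltn)". The check reads only simple "key: value" lines, so a master that sets these options in /etc/salt/master.d/ or via YAML anchors needs the merged config fed in instead.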
Frequently asked questions
- What is the difference between port 4505 and 4506?
- 4505 is the Salt publish bus where minions subscribe for commands from the master. 4506 is the return/request port minions use to send results and request files. Both must be protected together.
- How serious were the 2020 SaltStack vulnerabilities?
- Critical. CVE-2020-11651 is an authentication bypass and CVE-2020-11652 a directory traversal. Chained, they let an unauthenticated attacker reach the Salt master, steal its key, and run arbitrary commands as root across every minion.