Tanium Endpoint Configuration Toolset Arbitrary File Deletion Vulnerability (CVE-2025-15313/15314)

Vulnerability Information Advisory ID: TAN-2025-010 CVE IDs: CVE-2025-15313, CVE-2025-15314 Release Date: February 21, 2025 Vulnerability Description: Tanium addressed an arbitrary file deletion vulnerability in the Endpoint Configuration Toolset Solution. Severity: Medium CVSS Base Score: 5.5 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N Impact This vulnerability may allow an attacker with access to a system running the Tanium Client to delete files or folders they would not normally have permission to access. Affected Products 7.4 and 7.5 Versions: - End User Notifications versions prior to 1.18.1105 2024H1 Version: - Endpoint Configuration Toolset Solution versions prior to Update 12 (v1.40.42) 2024H2 Version: - Endpoint Configuration Toolset Solution versions prior to Update 2 (v1.47.10) Vulnerable Tool Versions: end-user-cx versions prior to 1.4.1175 (1.4 to 1.4.1175) end-user-cx versions prior to 1.6.926 (1.6 to 1.6.926) end-user-cx versions prior to 1.8.21 (1.8 to 1.8.21) Tanium EUSS versions prior to 1.17.41 (1.17 to 1.17.41) Tanium EUSS versions prior to 1.18.28 (1.18 to 1.18.28) Available Updates: 7.4 and 7.5 Versions: End User Notifications 1.18.1105 and later 2024H1 Version: Endpoint Configuration Toolset Solution Update 12 (v1.40.42) and later 2024H2 Version: Endpoint Configuration Toolset Solution Update 2 (v1.47.10) and later Additional Information: For Tanium on-prem customers using ECM, deploy one of the provided inventories to all endpoints via Change Management in Endpoint Configuration. Workarounds and Mitigations: None Acknowledgments: None

Goal Reached Thanks to every supporter — we hit 100%!

Tanium Endpoint Configuration Toolset Arbitrary File Deletion Vulnerability (CVE-2025-15313/15314)