CVE-2025-13225

5.6 MEDIUM

📋 TL;DR

CVE-2025-13225 is an arbitrary file deletion vulnerability in TanOS that allows authenticated attackers to delete files they shouldn't have access to. This affects Tanium deployments running vulnerable versions of TanOS. The vulnerability requires authentication but could lead to service disruption or data loss.

💻 Affected Systems

Products:
  • Tanium TanOS
Versions: Specific versions not detailed in reference; consult Tanium advisory TAN-2025-036
Operating Systems: Linux-based TanOS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to TanOS interface. All default configurations appear vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Critical system files could be deleted, causing complete service disruption, data loss, or system instability requiring full restoration from backups.

🟠

Likely Case

Attackers delete configuration files, logs, or application data causing service degradation, audit trail loss, or operational disruption.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to non-critical files with quick detection and restoration.

🌐 Internet-Facing: MEDIUM - Requires authentication but could be exploited if credentials are compromised or through other attack vectors.
🏢 Internal Only: HIGH - Internal attackers with legitimate credentials could exploit this to disrupt operations or cover tracks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but the file deletion operation itself is straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to Tanium advisory TAN-2025-036 for specific patched versions

Vendor Advisory: https://security.tanium.com/TAN-2025-036

Restart Required: Yes

Instructions:

1. Review Tanium advisory TAN-2025-036.
2. Download and apply the TanOS patch from the Tanium support portal.
3. Restart TanOS services as required.
4. Verify that the patch was applied.

🔧 Temporary Workarounds

Restrict TanOS Access (platform: all)

Limit access to the TanOS interface to only the administrative users who need it.

Implement File Integrity Monitoring (platform: linux)

Monitor critical TanOS files for unauthorized changes or deletions.

# Example using AIDE on Linux (run as root; database paths follow the Debian/Ubuntu
# default, and the baseline should be initialized on a known-good system)
aide --init
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
aide --check

🧯 If You Can't Patch

  • Implement strict access controls and multi-factor authentication for TanOS administrative access
  • Enable comprehensive logging and monitoring of file deletion operations on TanOS systems

🔍 How to Verify

Check if Vulnerable:

Check TanOS version against affected versions listed in Tanium advisory TAN-2025-036

Check Version:

# On TanOS system
tanium version

Verify Fix Applied:

Verify TanOS version matches patched version from advisory and test file deletion permissions

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file deletion events in TanOS logs
  • Multiple failed file access attempts followed by successful deletions

Network Indicators:

  • Unusual patterns of administrative access to TanOS interface

SIEM Query:

source="tanos*" AND (event_type="file_delete" OR action="delete") AND user!="expected_admin_user"
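The two log indicators above, implemented as detection logic over constructed sample events. This is an added example, not TanOS's log format or Tanium's tooling: the field names (source, event_type, action, user, path, result), the admin allow-list and the failed-access threshold are assumptions chosen to mirror the SIEM query on this page.

```python
import json
from collections import defaultdict

# Constructed sample events in chronological order (not real TanOS logs).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"source": "tanos-app", "event_type": "file_access", "user": "svc_backup", "path": "/etc/tanos/cfg.json", "result": "denied"},
    {"source": "tanos-app", "event_type": "file_access", "user": "svc_backup", "path": "/etc/tanos/keys", "result": "denied"},
    {"source": "tanos-app", "event_type": "file_access", "user": "svc_backup", "path": "/var/log/tanos", "result": "denied"},
    {"source": "tanos-app", "event_type": "file_delete", "user": "svc_backup", "path": "/var/log/tanos/audit.log", "result": "ok"},
    {"source": "tanos-app", "event_type": "file_delete", "user": "expected_admin_user", "path": "/tmp/export.csv", "result": "ok"},
    {"source": "tanos-app", "action": "delete", "user": "ops", "path": "/etc/tanos/cfg.json", "result": "ok"},
    {"source": "syslog", "event_type": "file_delete", "user": "root", "path": "/tmp/unrelated", "result": "ok"},
])

EXPECTED_ADMINS = {"expected_admin_user"}   # assumed allow-list, mirrors user!="expected_admin_user"
FAILED_ACCESS_THRESHOLD = 3                # assumed: N denied accesses before a delete is suspicious


def parse_events(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_delete(ev):
    """Same predicate as the SIEM query: event_type="file_delete" OR action="delete"."""
    return ev.get("event_type") == "file_delete" or ev.get("action") == "delete"


def detect(events, expected_admins=EXPECTED_ADMINS, threshold=FAILED_ACCESS_THRESHOLD):
    """Return (rule, user, path) tuples for both log indicators."""
    alerts = []
    failed = defaultdict(int)  # per-user count of denied accesses since their last delete
    for ev in events:
        if not str(ev.get("source", "")).startswith("tanos"):   # source="tanos*"
            continue
        user = ev.get("user", "<unknown>")
        if ev.get("event_type") == "file_access" and ev.get("result") == "denied":
            failed[user] += 1
            continue
        if is_delete(ev):
            if user not in expected_admins:
                alerts.append(("unexpected_deleter", user, ev.get("path")))
            if failed[user] >= threshold:
                alerts.append(("failed_access_then_delete", user, ev.get("path")))
            failed[user] = 0
    return alerts
```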
