CVE-2025-15310

7.8 HIGH

📋 TL;DR

CVE-2025-15310 is a local privilege escalation vulnerability in Tanium Patch Endpoint Tools that allows authenticated local users to gain elevated privileges. It affects organizations using Tanium's patch management solution where users have local access to endpoints. The vulnerability stems from improper link resolution before file access, i.e. link following (CWE-59), in the patch tools.
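As an added illustration of the CWE-59 bug class named above (example code written for this page, not Tanium's code and not the specific flaw in Patch Endpoint Tools): a privileged component writes into a directory that a less-privileged local user can also write to. The unsafe writer follows whatever link it finds at the path; the hardened writer takes a handle on the directory, opens the file relative to that handle with O_NOFOLLOW, and checks what it actually opened before writing. The directory and file names are constructed for the demo, and the code assumes a POSIX system (O_DIRECTORY and dir_fd are needed).

```python
import os
import stat
import tempfile


def write_following_links(path: str, data: bytes) -> None:
    """Unsafe pattern (CWE-59): open() follows a symlink at `path`, so a link
    planted by a less-privileged user redirects a privileged write elsewhere."""
    with open(path, "wb") as f:
        f.write(data)


def write_no_follow(directory: str, name: str, data: bytes) -> bool:
    """Hardened pattern: `name` must be a single path component, the directory
    is opened as a handle, and the file is opened relative to that handle with
    O_NOFOLLOW. Returns False (and writes nothing) if a link or a non-regular
    file is found where the file should be."""
    if not name or name in (".", "..") or os.sep in name:
        raise ValueError("name must be a single path component")
    dir_fd = os.open(directory, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        try:
            fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o600,
                         dir_fd=dir_fd)
        except OSError:
            # ELOOP: the final component is a symlink; refuse rather than follow it.
            return False
        try:
            st = os.fstat(fd)  # inspect the file actually opened, not the path
            if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
                return False
            os.ftruncate(fd, 0)
            os.write(fd, data)
            return True
        finally:
            os.close(fd)
    finally:
        os.close(dir_fd)


def demo() -> dict:
    """Constructed scenario: a throwaway directory holds a protected file and a
    planted link, named like a log file, that points at the protected file."""
    with tempfile.TemporaryDirectory() as work:
        protected = os.path.join(work, "protected.txt")
        with open(protected, "wb") as f:
            f.write(b"original")
        os.symlink(protected, os.path.join(work, "planted.log"))

        # Unsafe writer: the write lands in protected.txt via the link.
        write_following_links(os.path.join(work, "planted.log"), b"clobbered")
        with open(protected, "rb") as f:
            unsafe_result = f.read()

        # Reset, then try the hardened writer against the same planted link.
        with open(protected, "wb") as f:
            f.write(b"original")
        refused = not write_no_follow(work, "planted.log", b"clobbered")
        with open(protected, "rb") as f:
            hardened_result = f.read()

        # The hardened writer still works for an ordinary file name.
        wrote_regular = write_no_follow(work, "regular.log", b"ok")
        with open(os.path.join(work, "regular.log"), "rb") as f:
            regular_content = f.read()

    return {
        "unsafe_wrote_through_link": unsafe_result == b"clobbered",
        "hardened_refused_link": refused,
        "hardened_left_target_intact": hardened_result == b"original",
        "hardened_wrote_regular_file": wrote_regular and regular_content == b"ok",
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The design point is that the check is made on the file descriptor, not on the path: stat-then-open leaves a window in which the link can be swapped in, whereas fstat on the opened descriptor describes exactly the object the write will go to.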

💻 Affected Systems

Products:
  • Tanium Patch Endpoint Tools
Versions: Specific versions not detailed in advisory; all versions prior to patch are likely affected
Operating Systems: Windows, Linux, macOS (wherever Tanium Patch Endpoint Tools is supported)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires local authenticated access to endpoints where Tanium Patch tools are installed.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An authenticated attacker could gain SYSTEM/root privileges on endpoints, potentially compromising the entire Tanium-managed environment and enabling lateral movement across the network.

🟠

Likely Case

Malicious insiders or compromised user accounts could escalate privileges on individual endpoints to install malware, steal credentials, or bypass security controls.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to isolated endpoints with minimal lateral movement capability.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring authenticated access to endpoints.
🏢 Internal Only: HIGH - Internal users with local access to Tanium-managed endpoints can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local authenticated access but likely involves simple path manipulation techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in advisory; refer to Tanium security update

Vendor Advisory: https://security.tanium.com/TAN-2025-001

Restart Required: Yes

Instructions:

1. Access Tanium console
2. Navigate to Patch module
3. Deploy updated Patch Endpoint Tools
4. Restart affected endpoints
5. Verify deployment success

🔧 Temporary Workarounds

Restrict local access (applies to: all)

  • Limit local user access to endpoints with Tanium Patch tools installed

Monitor for suspicious activity (applies to: all)

  • Implement monitoring for privilege escalation attempts on Tanium-managed endpoints

🧯 If You Can't Patch

  • Implement strict least privilege access controls for all local users
  • Deploy endpoint detection and response (EDR) solutions to monitor for privilege escalation patterns

🔍 How to Verify

Check if Vulnerable:

Check Tanium console for Patch Endpoint Tools version and compare against patched version in advisory

Check Version:

On Windows: Check Tanium installation directory for version info.
On Linux: Check Tanium agent status and version.

Verify Fix Applied:

Verify Patch Endpoint Tools have been updated to patched version and no privilege escalation attempts are detected

📡 Detection & Monitoring

Log Indicators:

  • Unusual privilege escalation events
  • Suspicious process creation from Tanium directories
  • Failed privilege escalation attempts

Network Indicators:

  • Unusual outbound connections from Tanium-managed endpoints post-exploitation

SIEM Query:

EventID=4688 AND (ProcessName contains 'tanium' OR ParentProcess contains 'tanium') AND NewIntegrityLevel='System'
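The query above, applied to constructed Windows 4688 (process creation) records, as an added example that is not part of the original page. The record shape, the Tanium directory match and the sample paths are assumptions made for the demo; the only real identifiers are event ID 4688 and the Mandatory Label SID S-1-16-16384, which Windows assigns to System-integrity processes (the `NewIntegrityLevel='System'` test). Because any endpoint agent that runs as a service will itself produce System-level process creations from its own directory, a bare match is a triage list rather than an alert, so the example also flags the case a responder would look at first: a Tanium parent spawning a binary that lives outside the Tanium directory at System integrity.

```python
import re
from dataclasses import dataclass
from typing import List

# Mandatory Label SIDs Windows uses for integrity levels.
SYSTEM_INTEGRITY_SID = "S-1-16-16384"
MEDIUM_INTEGRITY_SID = "S-1-16-8192"

# Placeholder (assumption): adjust to the directory where Tanium Patch
# Endpoint Tools is installed in your environment.
TANIUM_DIR = re.compile(r"\\tanium\\", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal shape of a Security 4688 record (constructed for this example)."""
    event_id: int
    new_process_name: str      # child binary
    creator_process_name: str  # parent binary
    mandatory_label: str       # integrity SID of the new process


@dataclass
class Finding:
    event: ProcessEvent
    child_outside_tanium_dir: bool


def matches_page_query(ev: ProcessEvent) -> bool:
    """EventID=4688 AND (ProcessName contains 'tanium' OR ParentProcess
    contains 'tanium') AND NewIntegrityLevel='System', with the precedence
    written out explicitly."""
    if ev.event_id != 4688:
        return False
    touches_tanium = bool(TANIUM_DIR.search(ev.new_process_name)
                          or TANIUM_DIR.search(ev.creator_process_name))
    return touches_tanium and ev.mandatory_label == SYSTEM_INTEGRITY_SID


def triage(events: List[ProcessEvent]) -> List[Finding]:
    """Returns every match of the query, flagging those where the child binary
    is not itself under the Tanium directory (a Tanium parent launching
    something else at System integrity)."""
    findings = []
    for ev in events:
        if matches_page_query(ev):
            outside = TANIUM_DIR.search(ev.new_process_name) is None
            findings.append(Finding(ev, outside))
    return findings


# Constructed sample records; paths and binary names are placeholders,
# not real telemetry.
SAMPLE_EVENTS = [
    # Routine: the agent itself started by the service control manager.
    ProcessEvent(4688, r"C:\Program Files\Tanium\agent.exe",
                 r"C:\Windows\System32\services.exe", SYSTEM_INTEGRITY_SID),
    # Worth a look: a Tanium parent spawning cmd.exe at System integrity.
    ProcessEvent(4688, r"C:\Windows\System32\cmd.exe",
                 r"C:\Program Files\Tanium\patch-tool.exe", SYSTEM_INTEGRITY_SID),
    # Unrelated user activity at Medium integrity.
    ProcessEvent(4688, r"C:\Windows\System32\notepad.exe",
                 r"C:\Windows\explorer.exe", MEDIUM_INTEGRITY_SID),
    # Wrong event ID: not a process creation at all.
    ProcessEvent(4624, r"C:\Program Files\Tanium\agent.exe",
                 r"C:\Windows\System32\services.exe", SYSTEM_INTEGRITY_SID),
    # Tanium binary, but not at System integrity.
    ProcessEvent(4688, r"C:\Program Files\Tanium\patch-tool.exe",
                 r"C:\Windows\explorer.exe", MEDIUM_INTEGRITY_SID),
]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        marker = "REVIEW" if finding.child_outside_tanium_dir else "routine"
        print(f"[{marker}] {finding.event.creator_process_name} -> "
              f"{finding.event.new_process_name}")
```

In a real pipeline the `ProcessEvent` fields map onto the 4688 "New Process Name", "Creator Process Name" and "Mandatory Label" values; the `child_outside_tanium_dir` flag is the extra column that turns the page's query into something an analyst can sort on.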

🔗 References
