CVE-2025-15320
📋 TL;DR
A denial of service vulnerability in Tanium Client could allow an attacker to crash the client service, disrupting endpoint management and monitoring. This affects organizations using Tanium for endpoint management. The vulnerability requires network access to the Tanium Client service.
💻 Affected Systems
- Tanium Client
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete disruption of Tanium endpoint management across the enterprise, preventing security updates, compliance checks, and incident response capabilities.
Likely Case
Temporary loss of visibility and management for affected endpoints until service is restarted, potentially impacting security operations.
If Mitigated
Minimal impact with proper network segmentation and access controls limiting exposure to the Tanium Client service.
🎯 Exploit Status
Based on CWE-605 (Multiple Binds to the Same Port), exploitation likely involves sending crafted network traffic to the Tanium Client service port.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to Tanium advisory TAN-2025-023 for specific patched versions
Vendor Advisory: https://security.tanium.com/TAN-2025-023
Restart Required: Yes
Instructions:
1. Review Tanium advisory TAN-2025-023.
2. Update Tanium Client to patched version via Tanium Console.
3. Deploy updated client packages to all endpoints.
4. Verify successful deployment through Tanium reporting.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to Tanium Client service ports (default 17472) to only Tanium Servers and authorized management systems.
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to Tanium Client ports
- Monitor for unexpected connections or traffic spikes to Tanium Client service ports
🔍 How to Verify
Check if Vulnerable:
Check Tanium Client version against advisory TAN-2025-023. Use Tanium Console to query client versions across endpoints.
Check Version:
On Windows: 'sc query TaniumClient' or check service properties. On Linux: 'systemctl status taniumclient' or check installed package version.
Verify Fix Applied:
Verify all endpoints report patched Tanium Client version in Tanium Console. Monitor for client service crashes.
📡 Detection & Monitoring
Log Indicators:
- Tanium Client service crash events in system logs
- Unexpected service restarts of Tanium Client
Network Indicators:
- Unusual traffic patterns to Tanium Client port 17472
- Multiple connection attempts from non-Tanium systems
SIEM Query:
(EventID=7031 OR EventID=7034) OR ('TaniumClient' AND ('stopped' OR 'crashed')) in Windows Event Logs
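The log indicators above can be turned into a per-host check, shown here as an added example that is not part of the original page or the Tanium advisory. Event IDs 7031 and 7034 fire for any service, so it narrows them to the Tanium Client and flags hosts that crash repeatedly in a short window. The service-name pattern, threshold, window, hostnames, and sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

CRASH_IDS = {7031, 7034}  # Service Control Manager: "service terminated unexpectedly"
# Assumption: the service appears as "Tanium Client" or "TaniumClient" in the message.
SERVICE_RE = re.compile(r"tanium\s*client", re.IGNORECASE)
CRASH = "The {} service terminated unexpectedly."

# Constructed sample events (time, host, event_id, message); not real telemetry.
_RAW = [
    ("2025-01-10T09:00:05", "ws-014", 7031, CRASH.format("Tanium Client")),
    ("2025-01-10T09:01:30", "ws-014", 7031, CRASH.format("Print Spooler")),
    ("2025-01-10T09:03:40", "ws-014", 7034, CRASH.format("Tanium Client")),
    ("2025-01-10T09:07:12", "ws-014", 7031, CRASH.format("Tanium Client")),
    ("2025-01-10T09:10:00", "ws-022", 7034, CRASH.format("Tanium Client")),
    ("2025-01-10T09:12:00", "ws-022", 7036, "The Tanium Client service entered the running state."),
    ("2025-01-10T10:00:00", "ws-030", 7031, CRASH.format("Tanium Client")),
    ("2025-01-10T10:30:00", "ws-030", 7031, CRASH.format("Tanium Client")),
]
EVENTS = [dict(zip(("time", "host", "event_id", "message"), r)) for r in _RAW]

def tanium_crashes(events):
    """Keep only crash events (7031/7034) whose message names the Tanium Client."""
    return [e for e in events
            if e["event_id"] in CRASH_IDS and SERVICE_RE.search(e["message"])]

def repeated_crash_hosts(events, threshold=3, window=timedelta(minutes=10)):
    """Return {host: max crashes seen in any window} for hosts at or above threshold."""
    by_host = defaultdict(list)
    for e in tanium_crashes(events):
        by_host[e["host"]].append(datetime.fromisoformat(e["time"]))
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        start = best = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[host] = best
    return flagged

if __name__ == "__main__":
    print(repeated_crash_hosts(EVENTS))
```

A single crash can be ordinary instability; several inside one window on the same host, or single crashes across many hosts at once, is the pattern worth correlating with the network indicators for port 17472.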