CVE-2025-26498
📋 TL;DR
This vulnerability allows attackers to upload malicious files to Salesforce Tableau Server and traverse directory paths to write files to arbitrary locations. It affects Tableau Server installations on Windows and Linux systems running vulnerable versions.
💻 Affected Systems
- Salesforce Tableau Server
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via remote code execution by uploading webshells or malicious executables to sensitive locations, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Unauthorized file upload leading to web server compromise, data exfiltration, or denial of service through file system corruption.
If Mitigated
Limited impact with proper network segmentation, file upload validation, and least privilege file system permissions preventing successful exploitation.
🎯 Exploit Status
Requires ability to upload files to vulnerable endpoint. Path traversal aspect increases impact but requires knowledge of target system paths.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.1.3, 2024.2.12, or 2023.3.19
Vendor Advisory: https://help.salesforce.com/s/articleView?id=005132575&type=1
Restart Required: Yes
Instructions:
1. Back up Tableau Server configuration and data.
2. Download the appropriate patched version from the Salesforce portal.
3. Run the installer with administrative privileges.
4. Restart Tableau Server services.
5. Verify the successful update via the Tableau Server Admin Console.
🔧 Temporary Workarounds
Restrict File Upload Endpoints
All platforms: Implement web application firewall rules or reverse proxy configurations to block or sanitize file uploads to vulnerable endpoints.
File System Permissions Hardening
Linux: Apply strict file system permissions to Tableau Server directories to prevent arbitrary file writes.
chmod 750 /opt/tableau/tableau_server
chown tableau:tableau /opt/tableau/tableau_server
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Tableau Server from sensitive systems
- Deploy file integrity monitoring and web application firewall with specific rules for file upload patterns
🔍 How to Verify
Check if Vulnerable:
Check Tableau Server version via Admin Console or command: 'tsm version' on Linux or 'Tableau Server Manager' on Windows.
Check Version:
tsm version
Verify Fix Applied:
Confirm version is 2025.1.3, 2024.2.12, or 2023.3.19 or later. Test file upload functionality with malicious payloads.
📡 Detection & Monitoring
Log Indicators:
- Unusual file upload patterns in Tableau Server logs
- Failed file write attempts to system directories
- Multiple upload requests with path traversal sequences (../)
Network Indicators:
- HTTP POST requests to Tableau Server upload endpoints with suspicious filenames
- Unusual outbound connections following file uploads
SIEM Query:
source="tableau_server" AND (url="*upload*" OR method="POST") AND (filename="*..*" OR filename="*.exe" OR filename="*.php" OR filename="*.jsp")
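The SIEM query above matches any filename containing two dots and only the literal `../` form. The following is an added example, not code from this page or from Salesforce, showing detection logic that decodes URL-encoded and backslash variants before testing for a `..` path segment. The `key=value` event layout and the sample events are constructed assumptions, not Tableau Server's real log format; the field names and extensions mirror the query.

```python
from urllib.parse import unquote

RISKY_EXT = (".exe", ".php", ".jsp")  # extensions from the page's SIEM query

# Constructed sample events; the key=value layout is an assumption,
# not Tableau Server's real log format.
SAMPLE_EVENTS = [
    "method=POST url=/upload filename=sales_q3.twbx",
    "method=POST url=/upload filename=../../outside/report.jsp",
    "method=POST url=/upload filename=%2e%2e%2f%2e%2e%2foutside%2fjob",
    "method=POST url=/upload filename=..%255c..%255cconfig.yml",
    "method=POST url=/upload filename=report..final.twbx",
    "method=POST url=/upload filename=tool.EXE",
]

def parse_event(line):
    """Split a key=value event line into a dict."""
    return dict(pair.split("=", 1) for pair in line.split() if "=" in pair)

def normalise(name, max_rounds=3):
    """Undo nested URL-encoding, then unify path separators to '/'."""
    for _ in range(max_rounds):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    return name.replace("\\", "/")

def classify(line):
    """Return the reasons an upload event looks suspicious (empty if none)."""
    ev = parse_event(line)
    if ev.get("method") != "POST" and "upload" not in ev.get("url", ""):
        return []  # outside the scope of the page's query
    name = normalise(ev.get("filename", ""))
    reasons = []
    # Flag a ".." path segment, not merely two dots inside a file name.
    if ".." in name.split("/"):
        reasons.append("path-traversal")
    if name.lower().endswith(RISKY_EXT):
        reasons.append("risky-extension")
    return reasons

def scan(lines):
    """Map each suspicious event line to its list of reasons."""
    return {line: r for line in lines if (r := classify(line))}

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_EVENTS).items():
        print(",".join(reasons), "<-", line)
```

The fifth sample (`report..final.twbx`) is deliberately benign: a `*..*` wildcard would alert on it, while segment matching does not.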