CVE-2025-52454
📋 TL;DR
This SSRF vulnerability in Salesforce Tableau Server allows attackers to make the server send requests to internal resources, potentially accessing sensitive systems. It affects Tableau Server installations using Amazon S3 Connector modules on Windows and Linux. Organizations running affected versions are vulnerable to resource location spoofing attacks.
💻 Affected Systems
- Salesforce Tableau Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal systems, exfiltrate sensitive data, or pivot to other network resources by making Tableau Server request internal endpoints.
Likely Case
Unauthorized access to internal services, metadata exposure, or limited data exfiltration from accessible internal resources.
If Mitigated
Limited impact with proper network segmentation, firewall rules blocking internal requests, and minimal exposed attack surface.
🎯 Exploit Status
Exploitation requires access to Tableau Server functionality and knowledge of internal network resources.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.1.3, 2024.2.12, or 2023.3.19
Vendor Advisory: https://help.salesforce.com/s/articleView?id=005105043&type=1
Restart Required: Yes
Instructions:
1. Download the appropriate patch version from Salesforce Tableau downloads.
2. Back up the current installation.
3. Run the installer with administrative privileges.
4. Restart Tableau Server services.
🔧 Temporary Workarounds
Disable Amazon S3 Connector
Platform: all
Temporarily disable the vulnerable connector module if it is not required for operations.
Via: Tableau Server configuration tool or administrative interface
Network Segmentation
Platform: Linux
Implement firewall rules that stop Tableau Server from reaching internal address ranges over HTTP/HTTPS while leaving its legitimate access to the Amazon S3 endpoints intact. The rules below block the RFC 1918 ranges and the cloud metadata address; to limit them to the Tableau service account rather than every process on the host, add -m owner --uid-owner <tableau-uid> to each rule.
iptables -A OUTPUT -d 10.0.0.0/8 -p tcp -m multiport --dports 80,443 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -p tcp -m multiport --dports 80,443 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -p tcp -m multiport --dports 80,443 -j DROP
iptables -A OUTPUT -d 169.254.169.254 -p tcp -m multiport --dports 80,443 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Tableau Server from internal resources
- Monitor all outbound requests from Tableau Server for suspicious patterns
🔍 How to Verify
Check if Vulnerable:
Check Tableau Server version and verify Amazon S3 Connector is installed.
Check Version:
tsm version
Verify Fix Applied:
Confirm that the version reported by the check above is 2025.1.3, 2024.2.12, 2023.3.19 or later.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from Tableau Server
- Requests to internal IP ranges or unexpected domains
Network Indicators:
- Tableau Server making requests to internal services
- Unusual traffic patterns from Tableau Server to non-S3 endpoints
SIEM Query:
source="tableau_server" AND (dest_ip=10.0.0.0/8 OR dest_ip=172.16.0.0/12 OR dest_ip=192.168.0.0/16)
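The log and network indicators above, applied to a constructed sample of outbound-request log lines. This is an added example, not code from the page or from Salesforce; the one-line "timestamp method url" log format and the .amazonaws.com allowlist are assumptions, and hostnames are not resolved, so a DNS name pointing at an internal address is only caught by the allowlist check.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample log lines in an assumed "timestamp method url" layout
# (not Tableau Server's real log format).
SAMPLE_LOG = """\
2025-06-20T10:01:02Z GET https://my-bucket.s3.us-east-1.amazonaws.com/reports/q2.csv
2025-06-20T10:01:05Z GET http://169.254.169.254/latest/meta-data/iam/security-credentials/
2025-06-20T10:01:09Z GET http://10.20.30.40:8080/admin
2025-06-20T10:01:11Z GET https://s3.amazonaws.com/other-bucket/data.parquet
2025-06-20T10:01:15Z GET http://localhost:8000/health
"""

# Assumed allowlist: the only hosts the S3 connector should legitimately contact.
ALLOWED_SUFFIXES = (".amazonaws.com",)

PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 (matches the SIEM query)
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local / cloud metadata
)]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")

def classify(url):
    """Return a reason string if the destination trips an indicator, else None."""
    host = urlparse(url).hostname or ""
    if host == "localhost":
        return "loopback hostname"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: a hostname outside the S3 allowlist is a non-S3 endpoint.
        return None if host.endswith(ALLOWED_SUFFIXES) else "non-S3 host"
    for net in PRIVATE_NETS:
        if ip in net:
            return f"internal address in {net}"
    return None

def find_suspicious(log_text):
    """Return (timestamp, url, reason) for every parseable line that trips an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and (reason := classify(m["url"])):
            hits.append((m["ts"], m["url"], reason))
    return hits

if __name__ == "__main__":
    for ts, url, reason in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {url} -> {reason}")
```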