TAN-2025-008

Tanium addressed an arbitrary file deletion vulnerability in several Deploy Package Gallery packages.

Severity: Medium

Base Score: 5.5

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Impact

This vulnerability could allow an attacker with access to a system running the Tanium Client to delete files or folders they should not have access to.

Products Affected

Deploy Package Gallery Packages:

  • InPlace Upgrade to Windows {version} - Phase1 - {action} prior to version 1.0.7.4.

  • Windows Upgrade Cleanup prior to version 1.0.6.

Available Updates

Deploy Package Gallery Packages:

  • InPlace Upgrade to Windows {version} - Phase1 - {action} version 1.0.7.4 and later.

  • Windows Upgrade Cleanup version 1.0.6 and later.

In addition to importing the latest version of impacted packages from the Package Gallery, users should delete any prior "InPlace Upgrade" or "Windows Upgrade Cleanup" packages from the 'Software Packages' page in Deploy.

Workaround and Mitigations

None.

Acknowledgements

None.