CVE-2025-52449 Overview
CVE-2025-52449 is an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) affecting Salesforce Tableau Server on both Windows and Linux platforms. The flaw exists within the Extensible Protocol Service modules, allowing attackers to upload files with deceptive filenames that can lead to alternative execution paths, ultimately resulting in Remote Code Execution (RCE).
This vulnerability enables attackers on an adjacent network to bypass file type restrictions and upload malicious files that are subsequently executed by the server. The attack requires user interaction but can have significant confidentiality and integrity impacts on affected systems.
Critical Impact
Successful exploitation allows Remote Code Execution through deceptive filename uploads, potentially compromising Tableau Server installations across enterprise environments.
Affected Products
- Tableau Server versions before 2025.1.3
- Tableau Server versions before 2024.2.12
- Tableau Server versions before 2023.3.19
Discovery Timeline
- July 25, 2025 - CVE-2025-52449 published to NVD
- October 31, 2025 - Last updated in NVD database
Technical Details for CVE-2025-52449
Vulnerability Analysis
The vulnerability resides in Tableau Server's Extensible Protocol Service modules, which fail to properly validate uploaded file types. The flaw allows attackers to craft files with deceptive filenames that bypass the server's file type restrictions. Once uploaded, these malicious files can be executed through alternative execution paths within the application framework.
The attack requires the attacker to be on an adjacent network and relies on user interaction to trigger the vulnerable upload functionality. When successfully exploited, the vulnerability can lead to full compromise of confidentiality and integrity on the target system, though availability is not directly impacted.
Root Cause
The root cause is improper validation of file uploads within the Extensible Protocol Service modules. The application fails to adequately verify file types beyond their extensions, allowing attackers to use deceptive filenames that masquerade as safe file types while containing executable or dangerous content. This is a classic CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerability pattern.
Attack Vector
The attack is conducted from an adjacent network position, requiring the attacker to have network proximity to the target Tableau Server. The exploitation flow involves:
- An attacker crafts a malicious file with a deceptive filename designed to bypass file type validation
- The attacker submits the file through the Extensible Protocol Service upload functionality
- The server fails to properly validate the true file type and accepts the upload
- User interaction triggers the execution of the uploaded file through an alternative execution path
- The malicious payload executes with the privileges of the Tableau Server process
The vulnerability can potentially propagate beyond the vulnerable component, affecting other parts of the system (changed scope).
Detection Methods for CVE-2025-52449
Indicators of Compromise
- Unusual file uploads to Tableau Server with mismatched extensions and content types
- Unexpected process execution originating from Tableau Server upload directories
- Anomalous network traffic from Tableau Server processes to external destinations
- Log entries showing file uploads with suspicious naming patterns or double extensions
Detection Strategies
- Monitor Tableau Server logs for file upload activities targeting the Extensible Protocol Service
- Implement file integrity monitoring on Tableau Server upload and temporary directories
- Deploy network-based detection for unusual outbound connections from Tableau Server hosts
- Analyze file metadata during upload to detect extension/content type mismatches
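The extension/content mismatch and deceptive-name checks listed above, sketched as an added example (not code from Tableau or from this advisory): a Python triage function for upload records. The allow-list, the risky-extension set and the sample records are assumptions constructed for illustration.

```python
import os
import unicodedata

# Well-known magic bytes; extend for the formats your deployment accepts.
MAGIC = {b"MZ": "pe", b"\x7fELF": "elf", b"#!": "script",
         b"PK\x03\x04": "zip", b"%PDF": "pdf", b"\x89PNG": "png"}
# Assumption: example allow-list mapping each permitted extension to its content.
ALLOWED = {".png": "png", ".pdf": "pdf", ".zip": "zip"}
# Extensions that should never appear anywhere in an uploaded name.
RISKY = {".exe", ".dll", ".bat", ".cmd", ".ps1", ".sh", ".jar", ".jsp", ".war"}


def sniff(head: bytes) -> str:
    """Classify content by its leading bytes, ignoring the filename."""
    for sig, kind in MAGIC.items():
        if head.startswith(sig):
            return kind
    return "unknown"


def check_upload(name: str, head: bytes) -> list[str]:
    """Return findings for one upload record; an empty list means clean."""
    findings = []
    base = os.path.basename(name.replace("\\", "/"))
    if base != name:
        findings.append("path-separator")
    if any(unicodedata.category(c) in ("Cc", "Cf") for c in base):
        findings.append("control-or-format-char")  # NUL, RTL override, ...
    clean = base.rstrip(" .").lower()
    if clean != base.lower():
        findings.append("trailing-dot-or-space")
    exts = ["." + p for p in clean.split(".")[1:]]
    if len(exts) > 1 and any(e in RISKY for e in exts):
        findings.append("double-extension")
    final = exts[-1] if exts else ""
    kind = sniff(head)
    if final not in ALLOWED:
        findings.append("extension-not-allowed")
    elif ALLOWED[final] != kind:
        findings.append("content-mismatch:" + kind)
    return findings


if __name__ == "__main__":
    # Constructed sample records: (filename, first bytes of the file).
    samples = [("chart.png", b"\x89PNG\r\n\x1a\n"), ("chart.png", b"MZ\x90\x00"),
               ("report.jsp.png", b"\x89PNG\r\n\x1a\n"), ("notes.pdf. ", b"%PDF-1.7")]
    for fname, head in samples:
        print(repr(fname), check_upload(fname, head) or "clean")
```

Feed it the filename and the first bytes of each file found in upload and temporary directories; any non-empty result is worth correlating with process-execution telemetry from the same host.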
Monitoring Recommendations
- Enable verbose logging for Tableau Server file upload operations
- Configure SIEM alerts for suspicious file upload patterns and subsequent process execution
- Implement endpoint detection and response (EDR) monitoring on Tableau Server hosts
- Review Tableau Server access logs for anomalous user behavior preceding file uploads
How to Mitigate CVE-2025-52449
Immediate Actions Required
- Upgrade Tableau Server to version 2025.1.3, 2024.2.12, or 2023.3.19 or later immediately
- Restrict network access to Tableau Server to trusted segments only
- Review recent file uploads for any suspicious or unexpected content
- Implement additional file type validation at the network perimeter if possible
Patch Information
Salesforce has released patched versions of Tableau Server that address this vulnerability. Organizations should upgrade to the following minimum versions:
- Tableau Server 2025.1.3 or later (for 2025.x branch)
- Tableau Server 2024.2.12 or later (for 2024.x branch)
- Tableau Server 2023.3.19 or later (for 2023.x branch)
For detailed patch information and upgrade instructions, refer to the Salesforce Help Article.
Workarounds
- Implement network segmentation to limit adjacent network access to Tableau Server
- Deploy web application firewall (WAF) rules to inspect and block suspicious file uploads
- Disable or restrict access to the Extensible Protocol Service modules if not required
- Enforce strict user authentication and limit upload privileges to essential personnel only
```bash
# Example: Network segmentation using firewall rules
# Restrict Tableau Server access to trusted subnets only
iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

# Enable additional logging for upload monitoring
# Add to Tableau Server configuration
tsm configuration set -k native_api.log_level -v debug
tsm pending-changes apply
```


