CVE-2025-15344
Published: 29 January 2026
Summary
CVE-2025-15344 is a medium-severity SQL Injection (CWE-89) vulnerability in Tanium Asset. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-15344 is a SQL injection vulnerability (CWE-89) affecting the Asset component in Tanium software. Tanium has addressed the issue, with the CVE published on 2026-01-29T00:16:06.930. The vulnerability carries a CVSS v3.1 base score of 6.3, rated as AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L.
An attacker with low privileges (PR:L) and network access (AV:N) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L) within the unchanged scope (S:U), enabling SQL injection to potentially manipulate database queries.
Tanium's security advisory TAN-2025-035 provides details on the vulnerability and mitigation, available at https://security.tanium.com/TAN-2025-035.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206520
Vulnerability details
Tanium addressed a SQL injection vulnerability in Asset.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in a network-accessible Asset component directly maps to exploitation of a public-facing (or remotely reachable) application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of all inputs to the Asset component, blocking crafted SQL statements before they reach the database.
Restricts the database privileges of the low-privileged accounts used by Asset, limiting the confidentiality/integrity/availability impact even if injection succeeds.
Mandates prompt application of the vendor patch described in TAN-2025-035, eliminating the SQL injection flaw in the Asset component.