What are the critical vulnerabilities in Salesforce Tableau Server, and how can they be exploited by attackers?

On June 26, 2025, Salesforce disclosed multiple critical vulnerabilities in Tableau Server affecting versions prior to 2025.1.3, 2024.2.12, and 2023.3.19. These flaws enable attackers to execute remote code, bypass authentication, traverse directories, and exploit SSRF bugs. One severe issue (CVE-2025-52449) involves unrestricted file uploads, which may allow full system takeover. Organizations are urged to immediately patch to the latest versions and update associated drivers to avoid exposure.



What Are the Latest Salesforce Tableau Vulnerabilities About?

Salesforce's Tableau Server, widely used for business data visualization, is currently under security scrutiny due to the discovery of eight critical vulnerabilities. These flaws could allow Remote Code Execution (RCE), unauthorized access to production databases, and Server-Side Request Forgery (SSRF). Affected versions include those prior to 2025.1.3, 2024.2.12, and 2023.3.19.

The vulnerabilities were publicly disclosed in a security advisory published on June 26, 2025, prompting immediate patching instructions for all enterprise users.

Why Are These Tableau Vulnerabilities Considered Critical?

These vulnerabilities collectively expose an extensive attack surface across Tableau Server components, including:

  • Extensible Protocol Service modules

  • Tabdoc API command modules

  • Flow Data Source and Amazon S3 connectors

  • EPS Server components

The most severe flaw, CVE-2025-52449, is rated 8.5 on the CVSS 3.1 scale and allows RCE via unrestricted file uploads using deceptive filenames.

Breakdown of the Key CVEs and Their Impact

CVE ID              | Vulnerability                              | CVSS Score | Impact
--------------------|--------------------------------------------|------------|------------------------------
CVE-2025-52449      | Unrestricted Upload of Dangerous File Type | 8.5        | Remote Code Execution (RCE)
CVE-2025-52446/7/8  | Authorization Bypass via User-Controlled Key | 8.0      | Unauthorized DB Access
CVE-2025-52452      | Path Traversal in Tabdoc Modules           | 8.5        | File System Exposure
CVE-2025-52453      | SSRF in Flow Data Source Modules           | 8.2        | Internal System Access
CVE-2025-52454      | SSRF in Amazon S3 Connector                | 8.2        | Cloud Resource Spoofing
CVE-2025-52455      | SSRF in EPS Server                         | 8.1        | Network Request Manipulation

What Makes CVE-2025-52449 the Most Severe?

The Extensible Protocol Service module flaw allows attackers to upload arbitrary files disguised with safe-looking extensions. These files can then bypass security filters and get executed on the server, leading to full system takeover.

Such vulnerabilities are particularly dangerous in enterprise deployments where Tableau Server is integrated with internal services and sensitive data platforms.

How Do the Authorization Bypass Vulnerabilities Work?

Three flaws (CVE-2025-52446, 52447, and 52448) stem from improper handling of user-controlled keys in:

  • tab-doc API modules

  • set-initial-sql tabdoc commands

  • validate-initial-sql APIs

These weaknesses allow attackers to modify queries or interface behaviors, granting them unauthorized access to sensitive production databases.

Understanding the Path Traversal Attack (CVE-2025-52452)

This path traversal vulnerability, a classic weakness class, exists in the duplicate-data-source function of the tabdoc API. The function does not properly validate the supplied pathname, so an attacker can step outside the intended directory and expose sensitive files elsewhere on the server's file system.

What Are Server-Side Request Forgery (SSRF) Vulnerabilities?

The three SSRF vulnerabilities in Tableau can let attackers spoof internal server requests, reaching private endpoints or cloud infrastructure:

  • CVE-2025-52453: Flow Data Source

  • CVE-2025-52454: Amazon S3 Connector

  • CVE-2025-52455: EPS Server

These flaws allow attackers to gain access to internal APIs, metadata, or even cloud secrets, which can then be used for lateral movement or data exfiltration.

Who Is Affected?

All enterprise organizations running Tableau Server on versions older than:

  • 2025.1.3

  • 2024.2.12

  • 2023.3.19

This includes installations using integrated tools like Trino (formerly Presto) or custom authentication modules.
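The version check above is easy to get wrong when a fleet spans several branches, because each branch has its own fixed maintenance release. The following is an added example (not Salesforce tooling) that classifies an installed version against the three fixed releases named in the advisory; the "YYYY.minor.maintenance" version format, the hostnames and the treatment of branches the advisory does not list are assumptions made for the demo.

```python
# Fixed maintenance releases per branch, as listed in the June 26, 2025 advisory.
FIXED_RELEASES = {
    (2025, 1): (2025, 1, 3),
    (2024, 2): (2024, 2, 12),
    (2023, 3): (2023, 3, 19),
}

def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'YYYY.minor.maintenance' (the format assumed here) into integers."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized Tableau Server version: {version!r}")
    year, minor, maint = (int(p) for p in parts)
    return year, minor, maint

def assess(version: str) -> dict:
    """Classify one installed version against the advisory's fixed releases.

    'not-listed' covers branches the advisory names no fix for: older ones are
    unsupported and must move to a supported branch (advisory wording); newer
    ones are outside this advisory's scope. That split is an assumption here."""
    year, minor, maint = parse_version(version)
    fixed = FIXED_RELEASES.get((year, minor))
    if fixed is None:
        return {"version": version, "status": "not-listed", "target": None}
    status = "patched" if (year, minor, maint) >= fixed else "vulnerable"
    return {"version": version, "status": status, "target": ".".join(map(str, fixed))}

def vulnerable_hosts(inventory: dict[str, str]) -> list[str]:
    """Return the inventory hosts whose version is below its branch's fix."""
    return sorted(h for h, v in inventory.items() if assess(v)["status"] == "vulnerable")

# Constructed inventory for the demo (hostnames and versions are made up).
INVENTORY = {
    "tableau-prod-01": "2024.2.10",
    "tableau-prod-02": "2024.2.12",
    "tableau-dev-01": "2025.1.2",
    "tableau-legacy": "2022.4.9",
}
```

Hosts reported as "not-listed" still need attention: on an older branch the advisory's own guidance is to move to a supported branch rather than wait for a patch.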

How Can Organizations Mitigate These Vulnerabilities?

Immediate Actions:

  • Patch Now: Upgrade to the latest version within your current major release.

  • Update Trino Drivers: Ensure that all JDBC/ODBC drivers are updated to their latest versions.

  • Check Server Logs: Audit for suspicious activity post-disclosure (June 26, 2025).

  • Restrict Upload Paths: Disable or sandbox untrusted file uploads if patching is delayed.
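The "Check Server Logs" step is vague on its own. As an added example (not Salesforce tooling), the script below tags request-log lines that touch the tabdoc commands the advisory names, carry directory-traversal sequences, upload files with a second extension hidden behind a safe-looking one, or hand a connector a URL pointing into loopback, private or link-local address space, which is where cloud metadata services live. The log line layout, the endpoint paths and the sample entries are constructed for the demo and do not reflect Tableau's real log format.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlparse

# tabdoc commands named in the advisory (CVE-2025-52446/7/8, CVE-2025-52452)
ADVISORY_COMMANDS = {"set-initial-sql", "validate-initial-sql", "duplicate-data-source"}
TRAVERSAL = re.compile(r"\.\.[/\\]")
# a safe-looking extension followed by a second one, or a bare server-side script type
DECEPTIVE_UPLOAD = re.compile(r"\.(?:png|jpg|csv|twb|hyper)\.\w+$|\.(?:jsp|war|sh)$", re.I)

SAMPLE_LOG = [  # constructed for this example; not Tableau's real log format or paths
    "2025-06-27T10:15:01Z 10.0.0.5 POST /tabdoc?cmd=duplicate-data-source&path=..%2F..%2Fconfig 200",
    "2025-06-27T10:15:09Z 10.0.0.5 POST /upload?filename=report.png.jsp 200",
    "2025-06-27T10:16:12Z 10.0.0.7 POST /flow?source=http://169.254.169.254/latest/ 200",
    "2025-06-27T10:17:30Z 10.0.0.9 GET /views/sales 200",
]

def is_internal_target(url: str) -> bool:
    # True when a URL literal points at loopback, private or link-local space.
    host = urlparse(url).hostname
    if host is None:
        return False
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # DNS names would need resolving; not done in this demo
    return ip.is_loopback or ip.is_private or ip.is_link_local

def audit_line(line: str) -> list[str]:
    """Tag one log line of the constructed form '<ts> <client> <method> <path?query> <status>'."""
    fields = line.split()
    if len(fields) != 5:
        return ["unparsable"]
    path, _, query = fields[3].partition("?")
    # parse_qs decodes once; decode again to catch double-encoded traversal
    params = {k: unquote(v[0]) for k, v in parse_qs(query).items()}
    tags = []
    if params.get("cmd") in ADVISORY_COMMANDS:
        tags.append("advisory-command:" + params["cmd"])
    if TRAVERSAL.search(unquote(path)) or any(TRAVERSAL.search(v) for v in params.values()):
        tags.append("path-traversal")
    if DECEPTIVE_UPLOAD.search(params.get("filename", "")):
        tags.append("deceptive-upload")
    if any(v.startswith("http") and is_internal_target(v) for v in params.values()):
        tags.append("ssrf-internal-target")
    return tags

def audit(lines: list[str]) -> dict[str, list[str]]:
    # Map each flagged line to its tags; clean lines are omitted.
    return {l: t for l in lines if (t := audit_line(l))}
```

A hit on an advisory command alone is not evidence of compromise, since those commands have legitimate uses; it is a prompt to review who issued it and what parameters it carried in the window since June 26, 2025.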

Long-Term Measures:

  • Consider shifting to cloud-hosted Tableau services, which receive automatic updates.

  • Implement Web Application Firewalls (WAFs) to detect SSRF and RCE patterns.

  • Enforce zero-trust network policies around your Tableau Server environment.

Salesforce's Official Recommendation

Salesforce urges customers to:

“Update to the latest supported Maintenance Release as per your deployment branch. Unsupported versions should be upgraded immediately to a supported branch to ensure patch compliance and security.”

Conclusion: Act Now to Avoid Data Breaches

With multiple CVEs affecting core Tableau functionalities, these flaws represent a serious threat to enterprise data security. Organizations using Tableau Server should prioritize patching, conduct internal risk assessments, and ensure zero-day protections are in place. RCE and SSRF vulnerabilities are actively exploited in the wild—delay in patching could lead to real-world breaches.

FAQs

What versions of Tableau Server are affected by these vulnerabilities?

Versions before 2025.1.3, 2024.2.12, and 2023.3.19 are affected by the recent vulnerabilities.

What is the most critical vulnerability discovered?

CVE-2025-52449 is the most critical flaw, allowing unrestricted file uploads that lead to remote code execution.

How can attackers exploit CVE-2025-52449?

By uploading files with deceptive extensions, attackers can trigger remote code execution and potentially gain full system access.

What are CVE-2025-52446, 52447, and 52448?

These are authorization bypass vulnerabilities that let attackers manipulate API inputs and access production databases.

What is the risk of Server-Side Request Forgery in Tableau?

SSRF vulnerabilities (CVE-2025-52453, 52454, 52455) allow attackers to spoof internal server requests and access protected systems.

What is CVE-2025-52452 and how dangerous is it?

It is a path traversal vulnerability that lets attackers access restricted directories using directory traversal techniques.

What is the CVSS score of the most severe flaw?

CVE-2025-52449 and CVE-2025-52452 have a CVSS 3.1 score of 8.5, indicating high severity.

Is there any fix available?

Yes, Salesforce has released patched versions for all supported branches. Immediate updates are recommended.

How can enterprises stay protected?

Update to the latest Tableau Server Maintenance Release and use the most recent Trino driver if applicable.

Are there known exploits in the wild?

As of now, no public exploitation has been reported, but the nature of the vulnerabilities makes urgent patching critical.

Does this affect Tableau Cloud?

No, the vulnerabilities are specific to on-premises Tableau Server deployments.

What modules are impacted by the bugs?

Modules like Extensible Protocol Service, tab-doc API, Flow Data Source, Amazon S3 Connector, and EPS Server are affected.

How are user-controlled keys used in the attack?

They manipulate tabdoc commands and APIs to bypass authorization checks.

Can these vulnerabilities lead to data leaks?

Yes, unauthorized access to production databases can expose sensitive organizational data.

What is Salesforce's recommendation?

Upgrade immediately and discontinue the use of any unsupported Tableau Server versions.

Are there workarounds if patching is not possible?

Salesforce has not released any official workarounds; patching is the only secure fix.

Who discovered these vulnerabilities?

The specific researchers are not named, but Salesforce disclosed them through an official security advisory.

What industries are most at risk?

Enterprises relying on Tableau for analytics, especially in finance, healthcare, and government, are highly vulnerable.

What happens if these flaws are not patched?

Unpatched systems could be exploited for data theft, ransomware deployment, or system compromise.

Can attackers pivot inside the network using these flaws?

Yes, SSRF and RCE can serve as a foothold for lateral movement within an enterprise network.

Do these flaws require authentication to exploit?

Some, like RCE and path traversal, can be exploited with minimal access or improperly secured permissions.

Is multi-factor authentication helpful in this case?

It adds a layer of protection but won't stop flaws like unrestricted file upload or SSRF.

Are these vulnerabilities reported under coordinated disclosure?

Yes, the CVEs were assigned and disclosed in coordination with Salesforce's security team.

Can I test my Tableau Server for these vulnerabilities?

Use vulnerability scanners or manual security assessments. Always test in non-production environments.

Are there indicators of compromise (IoCs) available?

Salesforce has not released specific IoCs; monitoring for unusual API usage and uploads is advised.

Will Salesforce provide future patches?

Yes, but only for supported versions. Upgrade to maintain eligibility for updates.

Does this impact Tableau Desktop or Mobile?

No, only Tableau Server installations are affected.

Is it safe to use Tableau Server after patching?

Yes, once patched to the latest versions, the risk is significantly reduced.

How should IT teams prioritize this patch?

It should be treated as a high-priority emergency patch due to the critical RCE and SSRF risks.
