Critical Privilege Escalation Flaw in Tenable’s Nessus Agent for Windows Exposes Systems to Full Takeover
A newly disclosed vulnerability in Tenable’s Nessus Agent for Windows allows attackers to execute malicious code with SYSTEM-level privileges, the highest access level in Windows, posing a severe risk to enterprise security. The flaw, classified as a symlink (junction) attack, enables threat actors with local access to manipulate the agent’s file operations, leading to arbitrary file deletion and, ultimately, full arbitrary code execution.
How the Exploit Works
The vulnerability exploits a privilege escalation weakness in the Nessus Agent service. By creating a malicious Windows junction a symbolic link that redirects file operations an attacker can trick the agent into deleting critical system files. Once the operating environment is corrupted, the attacker can deploy a malicious payload that executes with SYSTEM privileges, granting unrestricted control over the machine. This includes the ability to install rootkits, disable security tools, and persist across reboots.
Impact and Risk
The flaw affects Nessus Agent installations on Windows, particularly in enterprise environments where the agent is deployed for continuous vulnerability scanning. Since Nessus Agents are often installed on high-value servers and workstations, successful exploitation could lead to catastrophic security breaches, including lateral movement within networks and compromise of sensitive systems.
Patch and Mitigation
Tenable has released Nessus Agent version 11.1.3, which addresses the vulnerability. The company urges all users to upgrade immediately, emphasizing that timely patching is critical to reducing exposure. The fix follows responsible disclosure practices, with Tenable maintaining active collaboration with security researchers to ensure rapid vulnerability resolution.
Security teams are advised to prioritize this update, especially in environments where Nessus Agents run on internet-facing or high-value Windows systems.
Source: https://cybersecuritynews.com/nessus-agent-vulnerability-on-windows/
Tenable TPRM report: https://www.rankiteo.com/company/tenableinc
"id": "ten1777263819",
"linkid": "tenableinc",
"type": "Vulnerability",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': 'Enterprises using Nessus Agent '
'for Windows',
'industry': 'Cybersecurity',
'name': 'Tenable',
'type': 'Company'}],
'attack_vector': 'Local Access',
'description': 'A newly disclosed vulnerability in Tenable’s Nessus Agent for '
'Windows allows attackers to execute malicious code with '
'SYSTEM-level privileges, the highest access level in Windows, '
'posing a severe risk to enterprise security. The flaw, '
'classified as a symlink (junction) attack, enables threat '
'actors with local access to manipulate the agent’s file '
'operations, leading to arbitrary file deletion and full '
'arbitrary code execution.',
'impact': {'operational_impact': 'Full arbitrary code execution with SYSTEM '
'privileges, potential lateral movement '
'within networks, compromise of sensitive '
'systems',
'systems_affected': 'Windows systems with Nessus Agent installed'},
'post_incident_analysis': {'corrective_actions': 'Patch released (Nessus '
'Agent version 11.1.3)',
'root_causes': 'Privilege escalation weakness in '
'Nessus Agent service due to '
'improper handling of symlinks '
'(junctions)'},
'recommendations': 'Upgrade to Nessus Agent version 11.1.3 immediately, '
'prioritize patching in high-value Windows systems',
'references': [{'source': 'Tenable Security Advisory'}],
'response': {'remediation_measures': 'Patch to Nessus Agent version 11.1.3'},
'title': 'Critical Privilege Escalation Flaw in Tenable’s Nessus Agent for '
'Windows Exposes Systems to Full Takeover',
'type': 'Privilege Escalation',
'vulnerability_exploited': 'Symlink (junction) attack in Nessus Agent for '
'Windows'}