Tenable Nessus Agent Vulnerability (CVE‑2026‑33694): Local Junction‑Point Privilege Escalation
In a significant security update, Tenable has disclosed a high-severity vulnerability within its Nessus Agent software for Windows environments. While the agent is a vital tool for vulnerability management, this specific flaw—tracked as CVE-2026-33694—could allow a local attacker to pivot from low-privileged access to full SYSTEM-level code execution.
The vulnerability is rooted in a classic filesystem logic error classified under CWE-59 (Improper Link Resolution). Essentially, the Nessus Agent fails to properly validate file paths before performing file operations, creating a race condition or logic gap that can be exploited via filesystem manipulation.
The Mechanics of the Exploit: Junction Point Manipulation
The attack leverages a Windows-specific filesystem feature known as a junction point—a type of symbolic link that redirects one directory to another. Because the Nessus Agent operates as a high-privilege background service to perform its scanning duties, it possesses the authority to modify or delete protected system files.
A local threat actor can craft a malicious junction that tricks the agent into interacting with a target file instead of the intended legitimate file. By manipulating the agent into deleting critical system components or configuration files, an attacker can destabilize the OS integrity. More dangerously, this file-deletion capability serves as a precursor to Privilege Escalation; by carefully selecting which files are removed or replaced, an attacker can eventually execute arbitrary malicious payloads with the highest level of Windows privileges.
Risk Assessment and Scoring
Tenable has assigned this vulnerability a High severity rating, reflecting its potential to compromise the entire security posture of a host. The technical breakdown of the risk is as follows:
- CVSSv3 Base Score: 8.2 (High)
- CVSSv4 Base Score: 7.4
- Attack Vector: Local (Requires existing presence on the machine)
- Attack Complexity: Low (The technique is well-documented and easily automated)
- Privileges Required: Low (A standard user can initiate the exploit)
- Impact: High (Complete loss of Confidentiality, Integrity, and Availability)
Vulnerability Summary & Timeline
The lifecycle of this disclosure highlights the typical cadence of responsible vulnerability management. Following the initial report in late 2025, Tenable worked through the validation and patching phases to ensure a stable fix.
| Identifier | Details |
|---|---|
| CVE ID | CVE-2026-33694 |
| Tenable Advisory ID | TNS-2026-12 |
| Affected Versions | Nessus Agent 11.1.2 and earlier |
| Patched Version | Nessus Agent 11.1.3 |
Remediation and Defensive Strategy
The resolution is straightforward but requires immediate attention from DevOps and Security Operations (SecOps) teams. Tenable has officially addressed the issue in version 11.1.3.
Immediate Action Items:
- Update Nessus Agents: Deploy version 11.1.3 via your central management console or the Tenable Downloads Portal immediately.
- Audit Permissions: Review filesystem permissions on endpoints to ensure that low-privileged users cannot create junction points in sensitive directories used by security services.
- Enhanced Monitoring: Monitor EDR (Endpoint Detection and Response) logs for unusual filesystem activity, specifically the rapid creation of directory junctions in temporary or application-specific folders.
By prioritizing this patch, organizations ensure that their primary tool for discovering vulnerabilities does not inadvertently become the very vector used to compromise their infrastructure.