What happened
Tenable has disclosed a privilege escalation vulnerability in Nessus Agent for Windows that allows a local attacker to execute arbitrary code with SYSTEM-level privileges. A patch is available in Nessus Agent version 11.1.3, released through the Tenable Downloads Portal.
The flaw exploits Windows NTFS junction abuse, a technique in which a filesystem symbolic link redirects file system operations from one directory to another. When the Nessus Agent service performs a file deletion operation without properly validating the target path, an attacker with local access can plant a malicious junction in a location the service interacts with, redirecting the deletion to a critical system file or directory. That controlled corruption of the operating environment then creates the conditions for placing a malicious payload that executes under the SYSTEM context. SYSTEM is the highest privilege level in Windows, exceeding standard administrator accounts, and code running at that level can modify any file, install rootkits, disable security tools, and establish persistence across reboots.
Tenable has not published specific details about active exploitation. The company has addressed the vulnerability in version 11.1.3 and is urging all users to upgrade immediately.
Who is affected
Organizations running Nessus Agent on Windows endpoints are directly in scope. Given that Nessus Agents are commonly deployed across enterprise servers and workstations for continuous vulnerability scanning, the attack surface spans some of the most sensitive systems in a typical environment.
Why CISOs should care
A local privilege escalation vulnerability in a security tool creates a specific category of risk worth examining directly. Nessus Agents run with elevated privileges by design, because vulnerability scanning requires deep system access. That same elevated access is what makes this flaw dangerous. An attacker who has gained limited local access to a system running a Nessus Agent can use this vulnerability to escalate immediately to SYSTEM, bypassing the normal privilege boundary that would otherwise limit their impact.
Security tools are high-value targets for exactly this reason, and this vulnerability is a reminder that the attack surface of your security stack deserves the same patch urgency as the systems it protects.
3 practical actions
- Upgrade all Nessus Agent installations on Windows to version 11.1.3 immediately: Treat this as a priority deployment, particularly on servers, domain-joined workstations, and any system where a local privilege escalation to SYSTEM would have significant downstream consequences.
- Prioritize patching on high-value and internet-adjacent Windows systems: Systems where Nessus Agents are installed alongside other sensitive services or where initial access is more plausible face compounded risk from this vulnerability. Rank your patching queue accordingly.
- Audit local access controls on systems running security tooling: This vulnerability requires local access to exploit. Review which accounts and processes have local access to systems running Nessus Agents and apply least-privilege principles to reduce the population of potential attackers who could reach the vulnerable service.
Also in the news today:
- China-Linked APT GopherWhisper Abuses Legitimate Services in Government Attacks
- Surveillance Vendors Exploiting Telecom Infrastructure to Track Targets’ Locations
- American Utility Firm Itron Discloses Breach of Internal IT Network
- Litecoin Zero-Day Vulnerability Exploited in DoS Attack, Disrupts Major Mining Pools
- CISA Warns of Multiple SimpleHelp Vulnerabilities Exploited in Attacks
- 153,000 Electricity and Gas Contracts Exposed in Breach Linked to Iberdrola Partner
- Russian-Linked Campaign Compromises Signal Accounts of Senior German Officials