Planned Fix

CVE-2026-33694

Local Privilege Escalation in Tenable Nessus

Summary

Tenable Nessus and Nessus Agent on Windows contain a local vulnerability in the file-handling path used by the service. A low-privileged authenticated user can create a junction that is followed by a SYSTEM-level file operation, which can delete arbitrary files and be chained into SYSTEM code execution. Tenable rates user interaction as required, and this is not a network attack.

Why Planned Fix?

3/6
Authentication required
Internal deployment
User interaction unknown (assumed none)
Exploitable in default configuration
No active exploitation or PoC
High impact vulnerability

Exploitation Details

Type: LPE (Local Privilege Escalation)
Is exploitable with default configuration? Yes
Is authentication needed? Yes
PoC / Exploit: No
Impact

Execute arbitrary code as SYSTEM on the Windows host.

RCE (Remote Code Execution)
Exploitation Requirements
  • Authentication required
Exploitation Process

A local authenticated user on an affected Windows host creates a crafted NTFS junction pointing a writable path at a protected target. When Nessus or Nessus Agent later performs its SYSTEM-level file operation or cleanup, it follows the junction and removes or manipulates files in the unintended location. The attacker can then leverage the resulting file state change to execute attacker-controlled code with SYSTEM privileges.

Detection Resources
Manual Detection: 0
Script Detection: 0
Scanner Detection: 1

Affected Software

Vendor: Tenable
Product | Affected Versions
Nessus | 10.11.3 and earlier
Nessus Agent | 11.1.2 and earlier
Description

Tenable Nessus is a vulnerability scanner used to assess hosts and networks for security weaknesses. Nessus Agent is its Windows endpoint agent for collecting local assessment data from managed machines.

Deployment: Typically internal | Protocol: Local | Ports:
Affected Component: Windows junction-handling file deletion path in the Nessus and Nessus Agent services.


Enterprise Usage: Estimated likelihood that this vendor/product is deployed in enterprise environments. AI-generated estimation based on market presence, product type and adoption signals, not exact data.
Vendor Size: Medium
Remediation
Workaround

Not available

Patch

Not available

Update

Upgrade Nessus to 10.11.4 or 10.12.0, and Nessus Agent to 11.1.3 or later.

www.tenable.com
Threat Intelligence
EPSS Score: 0.0%

Probability of exploitation in the next 30 days

EPSS Percentile: 3%

Worse than 3% of all CVEs

CISA KEV: Not Listed
Active Exploitation: No Evidence
Threat Actors

No known threat actors

Detection Rules (2)
  • Other: Alert on NTFS junction/reparse point creation inside Nessus or Nessus Agent paths by a low-privileged user
  • Other: Alert when a SYSTEM Tenable process deletes or overwrites files after junction creation in the same directory tree
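
The two detection rules above, sketched as correlation logic over constructed telemetry. This is an added example, not Tenable's or this page's own rule content; the event schema, the directory and process-name placeholders, the privileged-account list and the 30-minute window are all assumptions.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Placeholders: substitute the real install/data directory and service image names.
WATCH_ROOT = PureWindowsPath(r"C:\TENABLE_DIR_PLACEHOLDER")
TENABLE_PROCS = {"tenable_service_placeholder.exe"}
SYSTEM = "NT AUTHORITY\\SYSTEM"
PRIVILEGED = {SYSTEM}            # assumed allowlist of accounts expected to create links
WINDOW = timedelta(minutes=30)   # assumed correlation window

# Constructed telemetry in a hypothetical normalized schema (not real logs).
EVENTS = [
    {"ts": "2026-01-10T09:00:00", "type": "reparse_create", "user": "CORP\\alice",
     "proc": "cmd.exe", "path": r"C:\TENABLE_DIR_PLACEHOLDER\tmp\job1"},
    {"ts": "2026-01-10T09:04:10", "type": "file_delete", "user": SYSTEM,
     "proc": "tenable_service_placeholder.exe",
     "path": r"C:\TENABLE_DIR_PLACEHOLDER\tmp\job1\a.dat"},
    {"ts": "2026-01-10T11:00:00", "type": "file_delete", "user": SYSTEM,
     "proc": "tenable_service_placeholder.exe",
     "path": r"C:\TENABLE_DIR_PLACEHOLDER\logs\old.log"},
    {"ts": "2026-01-10T11:05:00", "type": "reparse_create", "user": SYSTEM,
     "proc": "setup.exe", "path": r"C:\TENABLE_DIR_PLACEHOLDER\plugins\link"},
]

def detect(events):
    """Return (rule, timestamp, path) alerts for the two rules above."""
    alerts, junctions = [], []   # junctions: (created_at, parent directory)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, path = datetime.fromisoformat(ev["ts"]), PureWindowsPath(ev["path"])
        if not path.is_relative_to(WATCH_ROOT):
            continue             # outside the monitored tree
        if ev["type"] == "reparse_create" and ev["user"] not in PRIVILEGED:
            # Rule 1: reparse point created in the product tree by a low-privileged user.
            junctions.append((ts, path.parent))
            alerts.append(("junction_by_low_priv_user", ev["ts"], str(path)))
        elif (ev["type"] == "file_delete" and ev["user"] == SYSTEM
              and ev["proc"].lower() in TENABLE_PROCS):
            # Rule 2: SYSTEM service delete in the same tree as a recent junction.
            if any(ts - t <= WINDOW and path.is_relative_to(parent)
                   for t, parent in junctions):
                alerts.append(("system_delete_after_junction", ev["ts"], str(path)))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The routine 11:00 log cleanup and the SYSTEM-created link raise nothing, which is the point of requiring both the low-privileged creator and the same-tree, in-window correlation.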

NVD Data


Description Summary

This vulnerability allows an attacker to create a junction, enabling the deletion of arbitrary files with SYSTEM privileges. As a result, this condition potentially facilitates arbitrary code execution, whereby an attacker may exploit the vulnerability to execute malicious code with elevated SYSTEM privileges.

CVSS Base Score

CWE: CWE-59 Link Following