Nessus Windows Vulnerabilities Allow Overwrite of Arbitrary Local System Files
A newly disclosed security advisory from Tenable reveals serious vulnerabilities in the Nessus vulnerability scanner that could let a local, low-privileged attacker escalate privileges on Windows systems.
The security flaws, affecting all Nessus versions prior to 10.8.5, include a critical Windows-specific vulnerability (CVE-2025-36630) that allows unauthorized file overwrites at SYSTEM privilege level, alongside two additional vulnerabilities in third-party components libxml2 and libxslt.
Summary
1. CVE-2025-36630 allows privilege escalation to SYSTEM level (CVSSv3: 8.4).
2. libxml2 and libxslt components upgraded to fix CVE-2025-6021 and CVE-2025-24855.
3. Three vulnerabilities with CVSSv3 scores from 6.5 to 8.4 affect Nessus 10.8.4 and earlier.
4. Upgrade to Nessus 10.8.5/10.9.0 immediately via Tenable Downloads Portal.
With CVSSv3 scores ranging from 6.5 to 8.4, these vulnerabilities represent a significant threat to organizations relying on Nessus for security assessments.
Windows Privilege Escalation Vulnerability
The most severe vulnerability, designated CVE-2025-36630, affects Nessus installations on Windows systems prior to version 10.8.5.
This critical flaw lets a non-administrative local user overwrite arbitrary local files with log content that Nessus writes at SYSTEM privilege level, which makes privilege escalation possible.
The vulnerability carries a CVSSv3 base score of 8.4, categorizing it as high severity with significant potential impact.
The attack vector is local access with low complexity (AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H): the attacker needs only low privileges (PR:L) and no user interaction, and the impact is rated high for integrity and availability but none for confidentiality.
The scope is marked as “Changed,” meaning the vulnerability can affect resources beyond its original security context.
Credit for discovering this critical vulnerability goes to security researcher Rishad Sheikh, who reported the issue to Tenable on May 10, 2025.
Third-Party Component Updates
Beyond the Windows-specific vulnerability, Tenable has addressed security flaws in underlying third-party software components that provide core functionality to the Nessus platform.
The company has upgraded libxml2 to version 2.13.8 and libxslt to version 1.1.43 to remediate identified vulnerabilities CVE-2025-6021 and CVE-2025-24855.
CVE-2025-6021 carries a CVSSv3 base score of 6.5, with an attack vector requiring network access and low-privilege credentials and an impact limited to availability (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Meanwhile, CVE-2025-24855 has a base score of 7.8: it requires local access with high attack complexity but no privileges (PR:N), has a changed scope, and carries high integrity and availability impact (AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H).
Notably, the fix for CVE-2025-6021 has been specifically backported into the libxml2 version 2.13.8 implementation within Nessus 10.8.5.
| CVE            | Description                                                                                    | Affected Versions        | CVSS 3.1 Score |
| CVE-2025-36630 | Windows-specific privilege escalation vulnerability                                            | Nessus 10.8.4 and earlier | 8.4 (High)     |
| CVE-2025-6021  | Vulnerability in libxml2, the third-party component Nessus uses for XML processing             | Nessus 10.8.4 and earlier | 6.5 (Medium)   |
| CVE-2025-24855 | Vulnerability in libxslt, the third-party component Nessus uses for XSLT transformations       | Nessus 10.8.4 and earlier | 7.8 (High)     |
Mitigations
Organizations running affected Nessus versions should prioritize immediate updates to version 10.8.5 or 10.9.0, available through the Tenable Downloads Portal.
The vulnerability disclosure timeline reveals efficient handling, with Tenable confirming the report within 18 days and releasing patches approximately two months after initial disclosure.
System administrators should verify their current Nessus installations and implement the security updates during planned maintenance windows.
Given the high-severity rating and potential for privilege escalation, organizations should treat these updates as critical security patches requiring expedited deployment across all Windows-based Nessus installations.
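One concrete way to carry out the "verify current installations" step is to compare each scanner's reported version against the fixed threshold. The Python below is an added example, not Tenable's tooling: it assumes you have already collected a version string per host however your inventory tooling does that (the inventory here is constructed sample data), extracts the x.y.z triple, and flags anything below 10.8.5 as affected, exactly the "prior to 10.8.5" rule the advisory states. It compares numerically rather than as strings, so that a hypothetical 10.8.10 is treated as newer than 10.8.5 and 10.9.0 is recognised as fixed.

```python
import re

# The advisory: every version prior to 10.8.5 is affected; 10.8.5 and 10.9.0 are fixed.
FIRST_FIXED = (10, 8, 5)
FIXED_RELEASES = ("10.8.5", "10.9.0")

# Tolerates surrounding text such as product names or build suffixes; takes the first x.y.z.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Extract the first x.y.z version triple from a string as a tuple of ints."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version_text: str) -> bool:
    """True when the reported version is below 10.8.5 (CVE-2025-36630 and the libxml2/libxslt fixes)."""
    return parse_version(version_text) < FIRST_FIXED


def hosts_needing_upgrade(inventory) -> list:
    """Return the host names whose Nessus version is still affected, in inventory order."""
    return [host for host, version in inventory if is_affected(version)]


# Constructed sample inventory (host name, version string as reported); not real hosts.
INVENTORY = [
    ("scanner-01", "Nessus 10.8.4 (build 20010)"),
    ("scanner-02", "10.8.5"),
    ("scanner-03", "10.7.2"),
    ("scanner-04", "10.9.0"),
    ("scanner-05", "10.8.10"),   # hypothetical later 10.8.x; string compare would get this wrong
]

if __name__ == "__main__":
    for host in hosts_needing_upgrade(INVENTORY):
        print(f"{host}: affected, upgrade to one of {', '.join(FIXED_RELEASES)}")
```

The comment on scanner-05 is the reason to parse before comparing: as strings, "10.8.10" sorts before "10.8.5", which would report a patched scanner as vulnerable and, more dangerously in the opposite direction, could hide an unpatched one behind a clumsy comparison.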