Tenable has disclosed a high-severity security vulnerability in its Nessus Agent software for Windows that could allow attackers to execute malicious code with full SYSTEM-level privileges.
The flaw, tracked as CVE-2026-33694, has been patched in the newly released Nessus Agent version 11.1.3.
The vulnerability stems from improper link resolution before file access, classified under CWE-59 (“Link Following”).
On Windows systems, an attacker with local access can create a junction, a type of filesystem shortcut, that tricks the Nessus Agent into deleting arbitrary files using SYSTEM privileges.
Because Nessus Agent runs with elevated permissions in the background, this capability to delete files becomes a powerful stepping stone.
By carefully manipulating which files are deleted, a threat actor can destabilize system integrity and ultimately escalate the exploit to arbitrary code execution, running malicious payloads with the highest possible Windows privilege level.
Tenable rated this vulnerability as High severity, with a CVSSv3 base score of 8.2 and a temporal score of 7.4. The CVSSv4 base score stands at 7.4.
The attack vector is local, meaning an attacker must already have some level of access to the target machine.
However, the attack complexity is low, and the exploit requires only low-level user privileges to initiate, making it a realistic post-exploitation or insider threat scenario.
The confidentiality, integrity, and availability impact is all rated High under both scoring versions.
- CVE ID: CVE-2026-33694
- Tenable Advisory ID: TNS-2026-12
- CVSSv3 Base Score: 8.2
- Affected Versions: Nessus Agent 11.1.2 and earlier
The responsible disclosure process followed a structured timeline. A researcher first reported the issue to Tenable on December 29, 2025.
Tenable formally accepted the report on February 18, 2026, requested a CVE ID and completed CVSS scoring on March 23, 2026, and released the patched version on April 23, 2026, roughly four months after the initial report.
Tenable has addressed the issue in Nessus Agent 11.1.3, available now through the Tenable Downloads Portal.
Security teams and system administrators running any version of Nessus Agent 11.1.2 or earlier on Windows should treat this update as urgent.
Given that Windows junction-based attacks are a well-understood privilege-escalation technique, defenders should also audit filesystem permissions and monitor for unusual junction-creation activity on endpoints running security tooling.
Organizations relying on Nessus for vulnerability scanning should prioritize this patch immediately to prevent their own security infrastructure from becoming an attack surface.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
