Nessus Agent Flaw Grants SYSTEM-Level Access on Windows | eSecurity Planet

A Nessus Agent flaw could allow attackers to gain SYSTEM-level access and fully compromise Windows systems.

Written By
Ken Underhill
Apr 27, 2026

A flaw in Tenable’s Nessus Agent for Windows could give attackers a direct path to full system compromise.

The vulnerability “… potentially facilitates arbitrary code execution, whereby an attacker may exploit the vulnerability to execute malicious code with elevated SYSTEM privileges,” said Tenable in its advisory. 

Inside the Nessus Agent Flaw 

Nessus Agents are deployed across enterprise environments to perform continuous vulnerability scanning, often operating with elevated privileges on critical systems. 

While elevated access enables deep visibility, it also increases risk. Flaws in privileged services can become powerful entry points, allowing attackers to escalate privileges and gain full system control. 

How the Vulnerability Works (CVE-2026-33694) 

Tracked as CVE-2026-33694 with a CVSSv3 score of 8.2, the vulnerability affects Nessus Agent installations on Windows systems.  

The issue is rooted in a class of weaknesses known as symlink or junction attacks, a technique for abusing how the Windows file system handles symbolic links.

On Windows, NTFS junctions can redirect file system operations from one location to another. 

If a privileged service interacts with these paths without properly validating them, it can be tricked into performing unintended actions. 

In this scenario, an attacker with local access can create a malicious junction in a directory used by the Nessus Agent. 

When the agent performs routine file operations — such as deleting temporary or working files — it may unknowingly follow the junction and delete arbitrary files elsewhere on the system.
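The failure mode described above, shown as an added example (not Tenable's code; the article gives no implementation details): a cleanup routine that follows links beside one that refuses to and reports them. The function names and the constructed directory layout are assumptions, and a symlink stands in for an NTFS junction so the example also runs on non-Windows hosts.

```python
import os
import stat
import tempfile

def is_link_or_reparse(path):
    """True for symlinks and, on Windows, any reparse point (junctions included)."""
    st = os.lstat(path)  # lstat inspects the entry itself, never its target
    attrs = getattr(st, "st_file_attributes", 0)  # only populated on Windows
    return stat.S_ISLNK(st.st_mode) or bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)

def naive_cleanup(root):
    """Flawed pattern: os.path.isdir() follows links, so deletion escapes root."""
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if os.path.isdir(path):
            naive_cleanup(path)
        else:
            os.remove(path)

def safe_cleanup(root):
    """Delete files under root; return the links it refused to follow, for alerting."""
    skipped = []
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if is_link_or_reparse(path):
            skipped.append(path)
        elif os.path.isdir(path):
            skipped += safe_cleanup(path)
        else:
            os.remove(path)
    return skipped

def demo(cleanup):
    """Constructed layout: a work dir with one temp file and a link to 'protected'."""
    with tempfile.TemporaryDirectory() as base:
        work = os.path.join(base, "work")
        protected = os.path.join(base, "protected")
        os.mkdir(work)
        os.mkdir(protected)
        keep = os.path.join(protected, "keep.txt")
        for f in (keep, os.path.join(work, "scan.tmp")):
            open(f, "w").close()
        os.symlink(protected, os.path.join(work, "cache"), target_is_directory=True)
        result = cleanup(work)
        return os.path.exists(keep), result

if __name__ == "__main__":
    print("naive keeps protected file:", demo(naive_cleanup)[0])
    print("safe keeps protected file: ", demo(safe_cleanup)[0])
```

A check followed by a delete still leaves a race window between the two calls. Privileged native code closes it by opening the entry with `FILE_FLAG_OPEN_REPARSE_POINT` and operating on that handle rather than on the path.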

Impact and Exploitation Risk 

This behavior allows attackers to delete arbitrary files with SYSTEM privileges. From there, they can introduce malicious code and turn a limited foothold into full system compromise. 

Tenable has released a patch and there are no reports of active exploitation at the time of publication. 

Reducing Endpoint Security Risk 

Because these agents often run with elevated permissions, a single weakness can have a broad impact across enterprise environments. 

Reducing this risk requires timely patching, strong access controls, and continuous monitoring to limit exposure and detect misuse early. 

  • Patch to the latest version and test updates before deploying to production. 
  • Maintain a complete inventory of assets running Nessus Agents and prioritize high-value or internet-exposed systems for remediation.
  • Enforce least-privilege access with PAM tools and restrict local access to minimize unnecessary SYSTEM-level execution. 
  • Monitor for suspicious activity using EDR, file integrity monitoring, and alerts for abnormal file deletions, junction abuse, or privilege escalation behavior.
  • Harden system and service configurations by validating file path handling, limiting junction/symlink creation, and enforcing strong access controls on critical directories.
  • Implement application control and endpoint protections to prevent unauthorized code execution, even if elevated privileges are obtained.
  • Test incident response plans and use attack simulation tools with scenarios around endpoint compromise and privilege escalation.

Together, these steps help build resilience by strengthening defenses and limiting the blast radius if a compromise occurs. 

When Trusted Tools Create Exposure 

This vulnerability highlights a broader challenge in enterprise security: widely trusted security tools can also present risk if not properly secured. 

Because Nessus Agents operate with elevated privileges and deep system visibility, weaknesses in their design or implementation can have a significant impact across affected environments. 

This is why adopting a zero trust approach can help organizations reduce reliance on implicit trust and limit the impact of compromised systems or applications.
