Nessus Agent flaw could grant SYSTEM access

- Tenable disclosed CVE-2026-33694 on April 23, saying Nessus Agent for Windows could let a local attacker delete files as SYSTEM and reach code execution.
- The flaw affects Nessus Agent 11.1.2 and earlier, carries a CVSS 8.2 score, and was fixed in version 11.1.3.
- It follows earlier 2026 Windows privilege-escalation fixes in the same product line. (tenable.com)

A Windows endpoint agent is a background program that runs with broad access so it can inspect a machine for security problems. In Tenable's case, that agent just got a high-severity fix for a flaw that could hand attackers SYSTEM privileges. (tenable.com) (esecurityplanet.com)

Tenable disclosed CVE-2026-33694 on April 23, 2026, and said the bug affects Nessus Agent on Windows. The company released Nessus Agent 11.1.3 to fix it the same day. (tenable.com) (docs.tenable.com)

The bug sits in how the agent handles a Windows junction, a reparse point that redirects a directory path to another location, so a file operation aimed at one folder is carried out somewhere else. Tenable said an attacker could create such a junction and make the agent delete arbitrary files with SYSTEM privileges. (nvd.nist.gov) (tenable.com)

Deleting files does not sound like code execution at first. But Tenable said the arbitrary deletion condition can be turned into malicious code running with elevated SYSTEM privileges, the highest routine privilege level on Windows. (tenable.com) (nvd.nist.gov)

The scoring reflects that escalation path. eSecurity Planet reported a CVSS version 3 score of 8.2, and the National Vulnerability Database shows a CVSS version 4 base threat score of 7.4 from Tenable as the numbering authority. (esecurityplanet.com) (nvd.nist.gov)

The attack is local, not remote, which means an attacker needs some foothold on the machine first. But the bar is still low: the National Vulnerability Database entry shows the required privileges as low in Tenable's vector string. (nvd.nist.gov) That matters because Nessus Agent is installed precisely on the machines security teams want to monitor continuously. A bug in that trusted software can turn the defender's own tooling into the step that upgrades a minor compromise into full host control. (esecurityplanet.com)

This is also not Tenable's first Windows privilege-escalation fix this year. The 2026 release notes show version 11.0.3 fixed a tray application issue that let a standard user gain system privileges during installation or uninstallation, and version 11.1.2 fixed an issue where an unprivileged user could stop the Windows agent. (docs.tenable.com) (tenable.com)

Tenable said there were no reports of active exploitation at the time eSecurity Planet published its report. The immediate step is simple: move Windows agents to 11.1.3 and verify older builds are gone from endpoint fleets. (esecurityplanet.com) (tenable.com)
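To make the junction mechanism concrete, here is an added PowerShell illustration. It is not Tenable's code and does not reproduce the agent's actual logic; it is a constructed demo of the general hazard (a privileged routine recursing into a directory that an unprivileged user has replaced with a junction) beside the check a SYSTEM-level cleanup routine can apply before deleting. The paths under $env:TEMP, the `victim` and `agent-temp` directory names, and the function names are all assumptions made for the demo.

```powershell
# Added example (not Tenable's code): the junction hazard behind a privileged
# arbitrary-delete bug, plus a defensive check for a SYSTEM-level cleanup routine.
# All paths, names and files below are constructed for the demo.

# Returns $true if any existing component of $Path is a reparse point (junction,
# symlink, mount point). Walks component by component because a junction anywhere
# above the target redirects everything below it.
function Test-ReparsePointInPath {
    param([Parameter(Mandatory)][string]$Path)
    $full  = [System.IO.Path]::GetFullPath($Path)
    $root  = [System.IO.Path]::GetPathRoot($full)
    $parts = ($full.Substring($root.Length) -split '\\') | Where-Object { $_ }
    $current = $root.TrimEnd('\')
    foreach ($part in $parts) {
        $current = Join-Path $current $part
        if (-not (Test-Path -LiteralPath $current)) { break }   # remainder does not exist
        $attrs = (Get-Item -LiteralPath $current -Force).Attributes
        if ($attrs.HasFlag([System.IO.FileAttributes]::ReparsePoint)) { return $true }
    }
    return $false
}

# Deletion wrapper a privileged service should use instead of a bare
# Remove-Item -Recurse on a directory that an unprivileged user can replace.
function Remove-DirectoryNoFollow {
    param([Parameter(Mandatory)][string]$Path)
    if (Test-ReparsePointInPath -Path $Path) {
        throw "Refusing to delete '$Path': a path component is a reparse point"
    }
    Remove-Item -LiteralPath $Path -Recurse -Force
}

# --- Constructed demo ---------------------------------------------------------
$work   = Join-Path $env:TEMP 'junction-demo'
$victim = Join-Path $work 'victim'       # stands in for a directory the attacker must not touch
$temp   = Join-Path $work 'agent-temp'   # stands in for a user-writable dir a privileged agent cleans up
Remove-Item -LiteralPath $work -Recurse -Force -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path $victim, $temp -Force | Out-Null
Set-Content -LiteralPath (Join-Path $victim 'important.txt') -Value 'must survive'

# Attacker step: replace the working directory with a junction to the victim.
# Creating a junction needs neither admin rights nor SeCreateSymbolicLinkPrivilege.
Remove-Item -LiteralPath $temp
New-Item -ItemType Junction -Path $temp -Target $victim | Out-Null

# Privileged cleanup with the check in place: refuses, and the victim file survives.
try { Remove-DirectoryNoFollow -Path $temp } catch { Write-Host "Blocked: $_" }
Write-Host "important.txt present: $(Test-Path -LiteralPath (Join-Path $victim 'important.txt'))"

# Teardown: delete the junction object itself without following it.
(Get-Item -LiteralPath $temp -Force).Delete()
Remove-Item -LiteralPath $work -Recurse -Force
```

The check narrows the window but does not close it: an attacker who can swap the directory for a junction between the check and the delete still wins the race. The more robust fixes are to never have a privileged process operate on paths an unprivileged user can write to, or to open each component with reparse-point traversal disabled (FILE_FLAG_OPEN_REPARSE_POINT) and delete by handle rather than by path.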
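For the last step, confirming that no build older than 11.1.3 remains in the fleet, here is an added PowerShell inventory check. It is not Tenable's tooling. It assumes the agent is registered under the standard Uninstall registry keys with a DisplayName beginning "Nessus Agent", that PowerShell remoting (WinRM) reaches the endpoints, and that `.\endpoints.txt` (a constructed inventory file) lists one hostname per line.

```powershell
# Added example (not Tenable's code): report Nessus Agent versions across a fleet
# and flag anything below the fixed build, 11.1.3.
# Assumptions: agent appears under the standard Uninstall keys with a DisplayName
# starting 'Nessus Agent'; WinRM remoting is enabled; .\endpoints.txt is a
# constructed inventory file with one hostname per line.

$FixedVersion = [version]'11.1.3'

function Get-NessusAgentVersion {
    # Runs on the endpoint. Checks both the 64-bit and WOW6432Node uninstall keys.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Nessus Agent*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Get-NessusAgentStatus {
    # Classifies a DisplayVersion string against the fixed build.
    param([string]$Version, [version]$Fixed = $FixedVersion)
    if (-not $Version) { return 'not installed' }
    try { $v = [version]$Version } catch { return "unparseable version '$Version'" }
    if ($v -lt $Fixed) { "UPDATE ($Version < $Fixed, CVE-2026-33694)" } else { 'ok' }
}

$computers = Get-Content -LiteralPath .\endpoints.txt | Where-Object { $_.Trim() }
$report = foreach ($pc in $computers) {
    try {
        $ver    = Invoke-Command -ComputerName $pc -ScriptBlock ${function:Get-NessusAgentVersion} -ErrorAction Stop
        $status = Get-NessusAgentStatus -Version $ver
    } catch {
        $ver = $null
        $status = "unreachable: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Computer = $pc; Version = $ver; Status = $status }
}

$report | Sort-Object Status, Computer | Format-Table -AutoSize

# Non-zero exit if any endpoint still needs the update, so this can gate a pipeline.
if ($report | Where-Object { $_.Status -like 'UPDATE*' }) { exit 1 }
```

To check a single machine without remoting, run `Get-NessusAgentStatus -Version (Get-NessusAgentVersion)` locally. Treat "unreachable" rows as unknown rather than patched; an agent that cannot be queried is exactly the kind of endpoint that ends up running an old build.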

Shared from Scout.