
Nessus Agent Vulnerability on Windows Allows Arbitrary Code Execution as SYSTEM

Tenable has disclosed a high-severity vulnerability in its Nessus Agent software for Windows that could allow attackers to execute arbitrary code with SYSTEM-level privileges.

The flaw, tracked as CVE-2026-33694, has been fixed in Nessus Agent version 11.1.3, which is now available to users.

The vulnerability is caused by improper link resolution before file access, classified under CWE-59, also known as “Link Following.”

This issue affects Windows systems where attackers with local access can exploit filesystem features called junctions. A junction acts like a shortcut that redirects file operations to another location.

By creating a malicious junction, an attacker can trick the Nessus Agent into deleting arbitrary files on the system.

Since the agent runs in the background with elevated SYSTEM privileges, it performs these actions with the highest level of access in Windows.

This turns a simple file deletion issue into a powerful privilege escalation technique.

Although the vulnerability itself only allows file deletion, attackers can carefully choose critical system files to remove.

This can destabilize the system or create conditions that allow arbitrary code execution. In such cases, attackers may run malicious payloads with full SYSTEM privileges, giving them complete control over the affected machine.

Tenable has rated this issue as High severity. It carries a CVSSv3 base score of 8.2 and a temporal score of 7.4, while the CVSSv4 base score is 7.4.

The attack vector is local, meaning the attacker must already have some level of access to the system.

However, the attack complexity is low, and only low-level user privileges are required, making it a realistic risk in post-exploitation scenarios or insider threats. The impact on confidentiality, integrity, and availability is rated High.

The vulnerability affects Nessus Agent version 11.1.2 and earlier. Tenable addressed the issue in version 11.1.3, released on April 23, 2026.

The disclosure followed a structured timeline, with the vulnerability first reported on December 29, 2025, and officially accepted in February 2026. CVE assignment and scoring were completed in March before the final patch release.

Security teams and administrators are strongly advised to upgrade immediately. Systems running outdated versions remain exposed to potential exploitation.

In addition to patching, organizations should monitor for unusual junction creation and review filesystem permissions on endpoints running security tools.

Since Nessus is widely used for vulnerability management, this flaw highlights how security infrastructure itself can become a target.

Prompt patching and proactive monitoring are essential to prevent attackers from leveraging trusted tools for privilege escalation.
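For teams that maintain their own privileged cleanup routines, the link-following weakness (CWE-59) described above can be guarded against by checking every path component before deleting. The sketch below is an added example, not Tenable's code or its fix; the function names and the sample directory layout are assumptions, and the demo uses a symbolic link as a stand-in for a Windows junction so it runs on any platform that permits creating one.

```python
import os
import stat
import tempfile

FILE_ATTRIBUTE_REPARSE_POINT = 0x400  # Windows attribute bit set on junctions and symlinks

def is_link(path):
    """True if path itself is a symlink or, on Windows, a reparse point such as a junction."""
    st = os.lstat(path)  # lstat inspects the entry itself and never follows it
    attrs = getattr(st, "st_file_attributes", 0)  # field only exists on Windows
    return stat.S_ISLNK(st.st_mode) or bool(attrs & FILE_ATTRIBUTE_REPARSE_POINT)

def safe_delete(root, relative_path):
    """Delete root/relative_path only if it is a regular file reached without any link."""
    root = os.path.realpath(root)
    parts = os.path.normpath(relative_path).split(os.sep)
    if os.path.isabs(relative_path) or ".." in parts:
        return False
    current = root
    for part in parts:  # check every component, not just the final file
        current = os.path.join(current, part)
        if not os.path.lexists(current) or is_link(current):
            return False
    # Second check: the fully resolved path must still sit under root.
    if os.path.commonpath([root, os.path.realpath(current)]) != root:
        return False
    if not stat.S_ISREG(os.lstat(current).st_mode):
        return False
    # A race window remains between these checks and the delete, so the work
    # directory should also not be writable by unprivileged users.
    os.remove(current)
    return True

def demo():
    """Constructed scenario: a link inside the work directory points outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        work, outside = os.path.join(tmp, "work"), os.path.join(tmp, "outside")
        os.makedirs(os.path.join(work, "cache"))
        os.makedirs(outside)
        for p in (os.path.join(work, "cache", "old.tmp"), os.path.join(outside, "keep.cfg")):
            open(p, "w").close()
        os.symlink(outside, os.path.join(work, "redirect"), target_is_directory=True)
        ok = safe_delete(work, os.path.join("cache", "old.tmp"))
        refused = not safe_delete(work, os.path.join("redirect", "keep.cfg"))
        return ok, refused, os.path.exists(os.path.join(outside, "keep.cfg"))

if __name__ == "__main__":
    print(demo())
```

`demo()` returns three flags: the legitimate file was deleted, the request routed through the link was refused, and the file outside the work directory survived.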


The post Nessus Agent Vulnerability on Windows Allows Arbitrary Code Execution as SYSTEM appeared first on Cyber Security News.
