CVE-2025-24916
📋 TL;DR
Tenable Network Monitor versions before 6.5.1 have insecure directory permissions when installed to non-default locations on Windows, allowing local users to potentially escalate privileges. This affects organizations using Tenable Network Monitor on Windows systems with custom installation paths.
💻 Affected Systems
- Tenable Network Monitor
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains SYSTEM/administrator privileges on the Windows host, enabling complete system compromise, data theft, and lateral movement.
Likely Case
Local authenticated user exploits weak directory permissions to elevate privileges to administrator level on the affected system.
If Mitigated
With proper directory permissions or default installation location, the vulnerability cannot be exploited.
🎯 Exploit Status
Requires local access to the Windows system and knowledge of the non-default installation path.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.5.1
Vendor Advisory: https://www.tenable.com/security/tns-2025-10
Restart Required: Yes
Instructions:
1. Download Tenable Network Monitor 6.5.1 from Tenable support portal. 2. Run the installer. 3. Restart the system after installation completes.
🔧 Temporary Workarounds
Secure directory permissions manually
windowsManually set secure permissions on the non-default installation directory to prevent unauthorized access.
icacls "C:\Path\To\NonDefault\Install" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "Users:(OI)(CI)RX"
Reinstall to default location
windowsUninstall from non-default location and reinstall to default Tenable Network Monitor directory.
🧯 If You Can't Patch
- Audit all Tenable Network Monitor installations for non-default paths and secure directory permissions
- Restrict local access to systems running vulnerable versions through user privilege management
🔍 How to Verify
Check if Vulnerable:
Check Tenable Network Monitor version in GUI or registry at HKEY_LOCAL_MACHINE\SOFTWARE\Tenable\Network Monitor\Version. If version < 6.5.1 AND installed to non-default location, system is vulnerable.Check Version:
reg query "HKLM\SOFTWARE\Tenable\Network Monitor" /v VersionVerify Fix Applied:
Verify version is 6.5.1 or higher in GUI or registry, and check directory permissions on installation path are secure.📡 Detection & Monitoring
Log Indicators:
- Windows Security logs showing privilege escalation attempts
- Tenable Network Monitor logs showing unusual access patterns
Network Indicators:
- No network indicators - local exploit only
SIEM Query:
EventID=4672 AND ProcessName LIKE '%tenable%' OR EventID=4688 AND NewProcessName LIKE '%tenable%' AND SubjectUserName != SYSTEM