CVE-2025-36631

8.4 HIGH

📋 TL;DR

In Tenable Agent versions before 10.8.5 on Windows, a non-administrative user can overwrite arbitrary local system files with log content using SYSTEM privileges. This allows local privilege escalation and system file manipulation. Only Windows systems running vulnerable Tenable Agent versions are affected.

💻 Affected Systems

Products:
  • Tenable Agent
Versions: Versions prior to 10.8.5
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows installations of Tenable Agent. Linux and other platforms are not vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise via SYSTEM privilege escalation, allowing attackers to overwrite critical system files, install persistent malware, or disable security controls.

🟠

Likely Case

Local privilege escalation leading to unauthorized administrative access, data theft, or lateral movement within the network.

🟢

If Mitigated

Limited impact if proper access controls and monitoring are in place, though the vulnerability still presents a significant local attack vector.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local user access but no administrative privileges. The vulnerability is relatively straightforward to exploit once identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.8.5

Vendor Advisory: https://www.tenable.com/security/tns-2025-11

Restart Required: Yes

Instructions:

1. Download Tenable Agent version 10.8.5 or later from the Tenable portal.
2. Run the installer with administrative privileges.
3. Restart the system to complete the installation.

🔧 Temporary Workarounds

Restrict Local User Access

Platform: Windows

Limit non-administrative user access to systems running Tenable Agent to reduce attack surface.

🧯 If You Can't Patch

  • Implement strict access controls to limit which users can log into systems running Tenable Agent.
  • Monitor for unusual file modification activities, particularly in system directories, and implement file integrity monitoring.

🔍 How to Verify

Check if Vulnerable:

Check the Tenable Agent version via Control Panel > Programs and Features and verify whether it is below 10.8.5. The command 'sc query TenableAgent' confirms that the agent service is installed and running, but it reports service state only, not the installed version.

Check Version:

sc query TenableAgent | findstr /i "display_name state"
powershell -Command "Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object DisplayName -like 'Tenable*' | Select-Object DisplayName, DisplayVersion"

Verify Fix Applied:

Confirm Tenable Agent version is 10.8.5 or higher using the same methods as checking vulnerability.
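The following PowerShell script is an added example for the verification step above; it is not Tenable's code and is not part of the advisory. It assumes the agent registers under the standard Windows Uninstall registry keys with a DisplayName beginning "Tenable" and a DisplayVersion value (an assumption, not confirmed by the advisory), parses that value as a System.Version, and compares it against the fixed version 10.8.5. The TenableAgent service name is the one the advisory's own check uses.

```powershell
# Added example: compare the installed Tenable Agent version against the fixed version 10.8.5.
# Assumption: the agent appears in the Uninstall registry keys with DisplayName "Tenable*"
# and a DisplayVersion value. Exit codes: 0 = fixed, 1 = vulnerable, 2 = not found.

$FixedVersion = [version]'10.8.5'

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-TenableAgentInstall {
    # Returns the first Uninstall entry whose DisplayName starts with "Tenable", or nothing.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Tenable*' -and $_.DisplayVersion } |
        Select-Object -First 1 DisplayName, DisplayVersion
}

function Test-TenableAgentVulnerable {
    param([string]$InstalledVersion)
    # Drop any non-numeric suffix after a dash so that "10.8.4-xyz" still parses;
    # four-part versions such as "10.8.4.1234" parse as-is and compare correctly.
    $clean = ($InstalledVersion -split '-')[0]
    $parsed = $null
    if (-not [version]::TryParse($clean, [ref]$parsed)) {
        throw "Cannot parse version string '$InstalledVersion'"
    }
    return ($parsed -lt $FixedVersion)
}

$install = Get-TenableAgentInstall
if (-not $install) {
    Write-Output 'Tenable Agent not found in the Uninstall registry keys.'
    # Fall back to the advisory's service check so the operator can see whether the service exists at all.
    sc.exe query TenableAgent
    exit 2
}

if (Test-TenableAgentVulnerable $install.DisplayVersion) {
    Write-Output ("VULNERABLE: {0} {1} is below {2}" -f $install.DisplayName, $install.DisplayVersion, $FixedVersion)
    exit 1
}

Write-Output ("OK: {0} {1} is at or above {2}" -f $install.DisplayName, $install.DisplayVersion, $FixedVersion)
exit 0
```

Run it from a standard PowerShell session; the Uninstall keys are world-readable, so no elevation is needed. The version comparison uses System.Version rather than string comparison so that, for example, 10.8.10 is correctly treated as newer than 10.8.5.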

📡 Detection & Monitoring

Log Indicators:

  • Unusual file modification events in Windows Event Logs (Security/System), particularly in system directories by non-administrative users.
  • Tenable Agent service restart or unexpected behavior logs.

Network Indicators:

  • No specific network indicators as this is a local vulnerability.

SIEM Query:

(EventID=4663 OR EventID=4656) AND ObjectName LIKE '%\system32\%' AND SubjectUserName NOT IN (admin_users_list)
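As an added example of the detection logic the SIEM query expresses, the PowerShell script below hunts the local Security log for file-handle and file-access events (4656, 4663) on objects under System32 by accounts outside an allow-list. It is not part of the advisory; the allow-list, look-back window and path pattern are constructed assumptions to adapt. Note that 4656/4663 are only written where "Audit File System" is enabled and the files carry SACLs, so an empty result is not evidence of absence.

```powershell
# Added example: local hunt equivalent of the advisory's SIEM query.
# Assumptions: object-access auditing is enabled on the host; the allow-list below
# is a constructed placeholder for the real list of administrative accounts.

param(
    [int]$LookbackHours = 24,
    [string[]]$AdminUsers = @('Administrator', 'SYSTEM'),  # constructed allow-list
    [string]$PathPattern = '\\System32\\'                   # regex fragment, matched case-insensitively
)

function Get-EventDataValue {
    param([xml]$EventXml, [string]$Name)
    # Look up a named EventData field; 4656 and 4663 order their fields differently,
    # so matching by name is safer than indexing $_.Properties.
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-SuspiciousSystem32Access {
    param([int]$Hours, [string[]]$AllowList, [string]$Pattern)
    $filter = @{
        LogName   = 'Security'
        Id        = 4656, 4663
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x    = [xml]$_.ToXml()
        $user = Get-EventDataValue $x 'SubjectUserName'
        $obj  = Get-EventDataValue $x 'ObjectName'
        # Machine accounts (names ending in $) routinely touch System32; exclude them
        # along with the allow-listed administrators so the output focuses on ordinary users.
        $isMachine = $user -match '\$$'
        if ($obj -imatch $Pattern -and -not $isMachine -and ($AllowList -notcontains $user)) {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                User        = $user
                Object      = $obj
                Process     = Get-EventDataValue $x 'ProcessName'
                AccessMask  = Get-EventDataValue $x 'AccessMask'
            }
        }
    }
}

Find-SuspiciousSystem32Access -Hours $LookbackHours -AllowList $AdminUsers -Pattern $PathPattern |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```

Reading the Security log requires an elevated session or membership in Event Log Readers. The ProcessName column is the practical triage key: writes into System32 originating from the Tenable Agent service binary on behalf of a non-administrative user are the pattern this advisory describes, whereas the same events from Windows Update or installer processes are expected noise.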
