CVE-2025-36640

8.8 HIGH

📋 TL;DR

A privilege escalation vulnerability exists in the Nessus Agent Tray App installation/uninstallation process on Windows. Attackers with local access can exploit this to gain SYSTEM-level privileges. This affects Windows systems running vulnerable versions of the Nessus Agent.

💻 Affected Systems

Products:
  • Tenable Nessus Agent
Versions: Not recorded in this database; see Tenable advisory TNS-2026-01 for the exact affected and fixed versions
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows installations of Nessus Agent; Linux and other platforms are not vulnerable. Requires local access to exploit.

⚠️ Manual Verification Required

Our database has no affected-version ranges for this CVE (the CVE record itself carries none), so automatic vulnerability detection cannot determine whether your system is affected. Tenable advisory TNS-2026-01 is the authoritative source for affected and fixed versions.


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with initial access to a standard user account could gain full SYSTEM privileges, enabling complete system compromise, credential theft, lateral movement, and persistence establishment.

🟠

Likely Case

Malicious insiders or attackers who have already compromised a user account could escalate privileges to install malware, disable security controls, or access sensitive data.

🟢

If Mitigated

With proper access controls, least privilege principles, and timely patching, the impact is limited to isolated systems with minimal data exposure.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to the Windows system. The advisory places the flaw in the Tray App's installation/uninstallation process but this page does not record the root cause. Bugs in that class typically come from a privileged installer step (the MSI runs under msiexec.exe as SYSTEM) acting on files, directories or DLLs that a standard user can write; treat that as a working hypothesis until you have read TNS-2026-01.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Tenable advisory TNS-2026-01 for specific fixed versions

Vendor Advisory: https://www.tenable.com/security/tns-2026-01

Restart Required: Yes

Instructions:

1. Review Tenable advisory TNS-2026-01.
2. Download and install the latest Nessus Agent version from Tenable.
3. Restart affected Windows systems.
4. Verify the update was successful.

🔧 Temporary Workarounds

Restrict Local Access (Windows)

Limit physical and remote local access (RDP, remote PowerShell, local logon) to systems running Nessus Agent to authorized personnel only.

Monitor Installation Activities (Windows)

Implement monitoring for Nessus Agent installation/uninstallation processes and for file modifications in its installation directory.
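
The workaround above says "implement monitoring" without saying which switches to flip. The following PowerShell is an added example, not code from this page or from Tenable: it enables process-creation auditing with command-line capture (event 4688), enables file-system object auditing (event 4663), and places a SACL on the agent's install directory so writes, deletes and permission changes by any principal are logged. It assumes the default install path C:\Program Files\Tenable\Nessus Agent and English audit subcategory names; run it elevated.

```powershell
# Added example (not the page's or Tenable's code). Run as Administrator.
# Assumption: default install path; adjust $NessusDir if you relocated it.
$NessusDir = 'C:\Program Files\Tenable\Nessus Agent'

# 1. Process creation auditing (Security event 4688) with the command line included.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 2. Object access auditing for the file system (Security event 4663).
#    Nothing is logged until a SACL names the objects to watch (step 3).
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 3. SACL on the install directory: record writes, deletes and ACL/ownership
#    changes by Everyone, inherited by all files and subfolders.
function Add-WriteAuditRule {
    param([Parameter(Mandatory)][string]$Path)
    $acl     = Get-Acl -Path $Path -Audit
    $rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule    = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', $rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}
Add-WriteAuditRule -Path $NessusDir

# 4. While you are here: list every Allow ACE that grants write-class rights on
#    the install directory. Only Administrators, SYSTEM and TrustedInstaller
#    should appear; any Users/Authenticated Users/Everyone entry needs review.
(Get-Acl -Path $NessusDir).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

Step 4 is a general hardening check for any SYSTEM-level service directory, not a statement about this CVE's root cause; the page does not record one. Events 4663 from the SACL and 4688 from process creation are what the detection section below can be built on.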

🧯 If You Can't Patch

  • Implement strict access controls to prevent unauthorized local access to affected systems.
  • Monitor for suspicious activities related to Nessus Agent processes and file system changes.

🔍 How to Verify

Check if Vulnerable:

Check the Nessus Agent version on Windows systems and compare against the vulnerable versions listed in Tenable advisory TNS-2026-01.

Check Version:

On Windows, read the version from the Nessus Agent tray app, from Apps & Features / Programs and Features, or from the DisplayVersion value under the Uninstall registry keys. Avoid wmic product (Win32_Product): the wmic tool is deprecated, and enumerating Win32_Product makes Windows Installer run a consistency check on every installed MSI package, which is slow and can trigger unwanted repairs.
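
As an added example (not code from this page or from Tenable), the PowerShell below reads the installed Nessus Agent version from the Uninstall registry keys, falls back to the file version on the agent binary, and compares the result with the fixed version you copy from TNS-2026-01. The DisplayName prefix "Nessus Agent", the binary name nessusd.exe and the default install path are assumptions, not facts from the advisory; the fixed version is a required input because this page does not record it.

```powershell
# Added example, not the page's or Tenable's code.
# Assumed default install path and binary name:
$NessusExe = 'C:\Program Files\Tenable\Nessus Agent\nessusd.exe'

function Get-NessusAgentVersion {
    # Uninstall keys for 64-bit and 32-bit packages; no Win32_Product / wmic.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entries = @(Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Nessus Agent*' })   # assumed display name
    foreach ($e in $entries) {
        [pscustomobject]@{ Source = 'registry'; Name = $e.DisplayName; Version = $e.DisplayVersion }
    }
    # Fallback: version stamped on the agent binary itself.
    if ($entries.Count -eq 0 -and (Test-Path -LiteralPath $NessusExe)) {
        [pscustomobject]@{
            Source  = 'file'
            Name    = 'nessusd.exe'
            Version = (Get-Item -LiteralPath $NessusExe).VersionInfo.ProductVersion
        }
    }
}

function Test-NessusAgentPatched {
    # $FixedVersion: first fixed release for your branch, taken from TNS-2026-01.
    param([Parameter(Mandatory)][string]$FixedVersion)
    $fixed = [version]$FixedVersion
    $found = @(Get-NessusAgentVersion)
    if ($found.Count -eq 0) {
        return [pscustomobject]@{ Installed = $null; Patched = $null; Note = 'Nessus Agent not found' }
    }
    foreach ($f in $found) {
        $installed = $null
        $patched   = $null
        $note      = 'version string not parseable; check the tray app'
        # [version] handles up to four numeric parts (e.g. 10.7.2 or 10.7.2.0).
        if ([version]::TryParse($f.Version, [ref]$installed)) {
            $patched = $installed -ge $fixed
            $note    = if ($patched) { 'at or above fixed version' } else { 'below fixed version: update' }
        }
        [pscustomobject]@{ Installed = $f.Version; Patched = $patched; Note = $note; Source = $f.Source }
    }
}

# Usage: supply the value from the advisory, e.g.
# Test-NessusAgentPatched -FixedVersion '<fixed version from TNS-2026-01>'
```

Because the fix may be released per branch, compare against the fixed version for the branch you run, not the newest version Tenable ships; the same function works for that as long as you pass the right value.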

Verify Fix Applied:

Verify the installed Nessus Agent version matches or exceeds the patched version specified in the Tenable advisory.

📡 Detection & Monitoring

Log Indicators:

  • Application log, source MsiInstaller: Nessus Agent install/removal events (for example 1033/11707 on install, 1034/11724 on removal) at times when no deployment was scheduled
  • Security log 4688: shells, script hosts or executables from user-writable paths started as SYSTEM (SubjectUserSid S-1-5-18) with a parent under the Nessus Agent install directory or msiexec.exe; 4663 writes to the install directory if a SACL is in place

Network Indicators:

  • New outbound connections from the host shortly after an unexpected Nessus Agent install/uninstall event, especially from a SYSTEM-level process that is not the agent itself

SIEM Query:

Example (pseudo-SQL over Windows Security event 4688; ParentProcessName is populated on Windows 10 / Server 2016 and later): EventID=4688 AND SubjectUserSid='S-1-5-18' AND (ParentProcessName LIKE '%\Tenable\Nessus Agent\%' OR ParentProcessName LIKE '%\msiexec.exe') AND (NewProcessName LIKE '%\cmd.exe' OR NewProcessName LIKE '%\powershell.exe' OR NewProcessName LIKE 'C:\Users\%' OR NewProcessName LIKE 'C:\ProgramData\%'). The msiexec.exe branch fires on any installer that runs a custom action, so scope it to hosts and time windows where no install was scheduled.
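
The query above expressed as a PowerShell hunt, as an added example that is not code from this page or from Tenable. The rule logic sits in one function so it can be run against constructed sample events offline and against the live Security log with Get-WinEvent. The install path, the interpreter list and the user-writable locations are assumptions chosen for the example; process-creation auditing with command-line capture must already be enabled.

```powershell
# Added example, not the page's or Tenable's code.
$NessusPathPattern = 'C:\Program Files\Tenable\Nessus Agent\*'   # assumed default path
$SystemSid         = 'S-1-5-18'
$Interpreters      = 'cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe',
                     'mshta.exe','rundll32.exe','regsvr32.exe','net.exe','sc.exe'
$UserWritable      = 'C:\Users\*','C:\ProgramData\*','C:\Windows\Temp\*','C:\Temp\*'

function Test-SuspiciousNessusSpawn {
    # $Data: hashtable of 4688 EventData fields (NewProcessName, ParentProcessName,
    # SubjectUserSid, CommandLine). Returns a reason string, or $null if not flagged.
    param([Parameter(Mandatory)][hashtable]$Data)
    $parent = [string]$Data['ParentProcessName']
    $child  = [string]$Data['NewProcessName']
    $leaf   = [System.IO.Path]::GetFileName($child).ToLower()

    $nessusParent  = $parent -like $NessusPathPattern
    $msiexecParent = $parent -like '*\msiexec.exe'
    $asSystem      = $Data['SubjectUserSid'] -eq $SystemSid
    $isInterpreter = $Interpreters -contains $leaf
    $fromUserDir   = [bool]($UserWritable | Where-Object { $child -like $_ })

    if ($nessusParent -and $isInterpreter) {
        return 'Nessus Agent binary spawned a shell or script host'
    }
    if ($asSystem -and ($nessusParent -or $msiexecParent) -and ($isInterpreter -or $fromUserDir)) {
        return 'SYSTEM process launched from Nessus/msiexec: interpreter or user-writable path'
    }
    return $null
}

function Get-SuspiciousNessusSpawns {
    # Live hunt over the Security log for the last $Hours hours.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $reason = Test-SuspiciousNessusSpawn -Data $data
        if ($reason) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Subject = $data['SubjectUserSid']
                Parent  = $data['ParentProcessName']
                Child   = $data['NewProcessName']
                Cmd     = $data['CommandLine']
                Reason  = $reason
            }
        }
    }
}

# Constructed sample events (not real logs) to exercise the rule offline:
# the first two should be flagged, the third (agent starting its own service
# binary from its install directory) should not.
$samples = @(
    @{ ParentProcessName = 'C:\Program Files\Tenable\Nessus Agent\nessusd.exe'
       NewProcessName    = 'C:\Windows\System32\cmd.exe'
       SubjectUserSid    = 'S-1-5-18'; CommandLine = 'cmd.exe /c whoami' },
    @{ ParentProcessName = 'C:\Windows\System32\msiexec.exe'
       NewProcessName    = 'C:\Users\alice\AppData\Local\Temp\helper.exe'
       SubjectUserSid    = 'S-1-5-18'; CommandLine = 'helper.exe' },
    @{ ParentProcessName = 'C:\Program Files\Tenable\Nessus Agent\nessusd.exe'
       NewProcessName    = 'C:\Program Files\Tenable\Nessus Agent\nessus-agent-service.exe'
       SubjectUserSid    = 'S-1-5-18'; CommandLine = '' }
)
$samples | ForEach-Object {
    [pscustomobject]@{ Child = $_.NewProcessName; Reason = (Test-SuspiciousNessusSpawn -Data $_) }
}
# Live use: Get-SuspiciousNessusSpawns -Hours 72 | Format-Table -AutoSize
```

The msiexec.exe branch is deliberately the noisier one: any MSI custom action that spawns a shell as SYSTEM will match, so use it as a triage filter tied to the MsiInstaller events in the Application log rather than as a standalone alert.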
