A high-severity vulnerability in the Nessus Agent for Windows, tracked as CVE-2026-33694, enables authenticated attackers to exploit a junction-based file-deletion flaw and escalate privileges to full SYSTEM-level code execution. All users running Nessus Agent 11.1.2 or earlier are urged to upgrade to version 11.1.3 immediately.
A dangerous, arbitrary file-deletion vulnerability has been discovered in the Nessus Agent running on Windows systems, formally identified as CVE-2026-33694 under Advisory ID TNS-2026-12.
The flaw is classified under CWE-59: Improper Link Resolution Before File Access (“Link Following”), a vulnerability class commonly known as a “link following” or junction attack.
Nessus Agent Vulnerability
According to the official security advisory, an authenticated attacker on a Windows host can create a filesystem junction a type of symbolic link specific to Windows NTFS that redirects file deletion operations into arbitrary locations on the system.
Because the Nessus Agent service runs under the SYSTEM privilege level, any files deleted via this junction inherit that elevated context. The critical consequence: attackers can leverage this condition to achieve arbitrary code execution with SYSTEM privileges, the highest level of access on a Windows endpoint.
The vulnerability was officially disclosed on April 23, 2026, and confirmed to affect Nessus Agent versions 11.1.2 and earlier.
Junction-based privilege escalation attacks are a well-documented but persistently dangerous class of Windows vulnerabilities. In this case, the attack chain works as follows:
- An authenticated low-privilege local attacker creates a malicious NTFS junction point on the Windows filesystem
- The junction redirects file paths to arbitrary system directories or critical OS files
- When Nessus Agent performs routine file-deletion operations with SYSTEM privilege, it unknowingly follows the junction and deletes the attacker-specified target.
- Selective deletion of key system files (such as DLLs or access control entries) creates the conditions for arbitrary code injection or privilege escalation, ultimately granting SYSTEM-level code execution.
This attack vector is categorized as local (AV:L), meaning the attacker requires an existing foothold on the machine. Still, the high impact across Confidentiality, Integrity, and Availability makes it extremely dangerous in any multi-user or enterprise endpoint environment.
It has been assigned this vulnerability a High risk rating with the following scores:
| Metric | Score / Value |
|---|---|
| CVSSv3 Base Score | 8.2 |
| CVSSv3 Temporal Score | 7.4 |
| CVSSv3 Vector | AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
| CVSSv4 Base Score | 7.4 |
| CVSSv4 Vector | AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
| CWE Classification | CWE-59 (Link Following) |
The CVSSv3 base score of 8.2 reflects the Changed scope (S:C), meaning exploitation can impact components beyond the vulnerable Nessus Agent itself, including the underlying Windows OS and other running services.
The vulnerability followed a responsible disclosure process spanning nearly four months:
- December 29, 2025 – Vulnerability report received
- February 18, 2026 – Report formally accepted by the security team
- March 23, 2026 – CVE ID requested and CVSS scoring completed
- April 23, 2026 – Nessus Agent 11.1.3 released with the fix; initial advisory published
This timeline reflects Tenable’s established policy of coordinated disclosure, providing the security research community and affected users with a patched solution before full public exploitation details circulate.
Affected Products & Patch
All deployments of Nessus Agent 11.1.2 and earlier on Windows are confirmed vulnerable. This includes enterprise environments using Nessus Agent for continuous vulnerability assessment, compliance scanning, and endpoint visibility via Tenable Vulnerability Management or Tenable Nessus Manager.
Tenable has released Nessus Agent 11.1.3 as the definitive fix, addressing improper junction handling in the Windows installation. Installation packages are available via the Tenable Downloads Portal at tenable.com/downloads/nessus-agents.
Security teams should prioritize patching endpoints with privileged or internet-facing Nessus deployments first. SecurityWeek reported on April 23, 2026, that this Nessus fix was released alongside a CrowdStrike critical LogScale patch, underscoring an active week of enterprise security remediation efforts.
Impact and Actions
Organizations running Nessus Agents at scale, particularly across large Windows server fleets, SOC endpoints, or PCI/HIPAA-regulated environments, face tangible risk if unpatched. An attacker who has already compromised a low-privilege account can silently weaponize this flaw to achieve full SYSTEM access without triggering standard privilege escalation alerts.
Security teams should take the following immediate steps:
- Audit all Windows endpoints running Nessus Agent and identify versions 11.1.2 or below
- Apply the Nessus Agent 11.1.3 update from the official Tenable Downloads Portal immediately
- Review Windows Event Logs for any anomalous junction creation (look for NTFS reparse point events) on systems running older agent versions
- Enforce least-privilege access controls to limit the blast radius of any local attacker foothold
- Report suspected exploitation and follow your internal incident response procedures
FAQ
Q1: What is CVE-2026-33694?
It is a high-severity arbitrary file-deletion vulnerability (CWE-59) in the Tenable Nessus Agent for Windows that allows attackers to create junctions and delete files with SYSTEM privileges, potentially enabling code execution.
Q2: Which versions of Nessus Agent are affected by this vulnerability?
All Nessus Agent versions up to and including 11.1.2 on Windows are vulnerable; version 11.1.3 contains the official patch.
Q3: How can organizations fix CVE-2026-33694?
Upgrade to Nessus Agent 11.1.3 immediately, available for download from the official Tenable Downloads Portal at tenable.com/downloads/nessus-agents.
Q4: Does this vulnerability require remote access or physical access to exploit?
No, it requires only a local authenticated session with low privileges on the affected Windows host, making it readily exploitable by any compromised endpoint user account.
Site: https://thecybrdef.com
For more insights and updates, follow us on Google News, Twitter, and LinkedIn.
About the Author
