Nessus Agent Windows Flaw Allows SYSTEM Code Execution

A newly disclosed security vulnerability has emerged in Tenable’s Nessus Agent for Windows. The flaw could allow attackers to execute malicious code with SYSTEM privileges—the highest level of system access. This development raises serious concerns for enterprise security teams, who widely deploy the vulnerability assessment platform.

The flaw enables a threat actor to create a Windows junction, a type of filesystem symbolic link that can be leveraged to delete arbitrary files with SYSTEM-level privileges.

Once file deletion at that privilege tier is achieved, the condition can cascade into a full arbitrary code execution scenario, effectively granting an attacker complete control over the affected machine.

Nessus Agent Vulnerability on Windows

The vulnerability exploits a class of privilege escalation weakness commonly known as a “symlink attack” or junction abuse. On Windows systems, NTFS junctions redirect file system operations from one directory to another.

When a privileged process such as the Nessus Agent service follows a junction during a file operation without proper validation, it can be manipulated to act on unintended targets.

In this case, an attacker with local access can plant a malicious junction in a location the Nessus Agent service interacts with.

By redirecting the agent’s deletion routine to a critical system file or directory, the attacker can corrupt the operating environment in a controlled manner and subsequently place a malicious payload to be executed under the SYSTEM context.

This technique is particularly dangerous because SYSTEM is the highest privilege level in Windows, surpassing even standard administrator accounts.

Code running as SYSTEM can modify any file, install rootkits, disable security tools, and persist across reboots without restriction.

The vulnerability specifically affects Nessus Agent installations running on Windows. Organizations deploying Nessus Agents across enterprise endpoints for continuous vulnerability scanning are directly in the risk window.

Given that Nessus Agents are often installed on sensitive servers and workstations, successful exploitation could have catastrophic downstream consequences for an organization’s security posture.

Patch Available

Tenable has addressed the vulnerability in Nessus Agent version 11.1.3, which is now available through the Tenable Downloads Portal. The company strongly urges all users to upgrade immediately, emphasizing that timely patch application is critical to reducing exposure.

Tenable reiterated its commitment to responsible disclosure, stating that it maintains active communication with security researchers and prioritizes rapid resolution of product vulnerabilities.

Security teams are also encouraged to report any newly discovered vulnerabilities directly to Tenable to facilitate coordinated patching.

Security administrators should treat this update as a priority deployment, particularly in environments where Nessus Agents are installed on high-value or internet-adjacent Windows systems.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.