High

A newly disclosed vulnerability in Tenable’s Nessus Agent for Windows has raised significant security concerns due to its potential to enable attackers to gain SYSTEM-level privileges. The issue stems from improper handling of Windows NTFS junctions (a type of symbolic link). If exploited, a local attacker can manipulate how the Nessus Agent processes file operations, causing it to interact with unintended or sensitive system paths.

The core of the vulnerability lies in a “junction abuse” or symlink attack scenario. An attacker with local access can create a malicious directory junction that redirects the agent’s file deletion or processing actions. Because the Nessus Agent service runs with elevated privileges, it may unknowingly follow this redirection and perform operations on critical system files. This can result in arbitrary file deletion and system corruption under SYSTEM privileges.

Once arbitrary file deletion is achieved at the SYSTEM level, the attack can escalate further into full code execution. This means an attacker could potentially place and execute malicious payloads that inherit SYSTEM privileges, giving them complete control over the compromised machine. At this level, they can disable security tools, install persistent malware, and maintain long-term unauthorized access without detection.

The vulnerability impacts Windows-based deployments of Nessus Agent, commonly used in enterprise environments for continuous vulnerability scanning. Because these agents are often installed on high-value servers and endpoints, the risk is considered severe. Tenable has released a fix in Nessus Agent version 11.1.3 and strongly recommends immediate patching. Organizations are advised to prioritize updates to reduce exposure and prevent potential exploitation in production environments.