Critical Nessus Agent Flaw Grants SYSTEM Access on Windows

TL;DR: Tenable disclosed CVE‑2026-33694, a high‑severity flaw in Nessus Agent for Windows that allows attackers with local access to run arbitrary code as SYSTEM. The issue is fixed in version 11.1.3 released April 23 2026.

Context: Nessus Agent runs as a background service with SYSTEM privileges to scan endpoints for vulnerabilities. On Windows, the agent resolves file paths before accessing them. If an attacker creates a malicious junction—a filesystem shortcut that redirects operations—the agent can be tricked into deleting or altering arbitrary files. Because the agent runs with SYSTEM rights, those file operations execute at the highest privilege level, turning a simple deletion into a privilege‑escalation vector.

Key Facts: Tenable assigned the flaw CVE‑2026-33694 and rated it High severity with a CVSSv3 base score of 8.2 (temporal 7.4) and a CVSSv4 base score of 7.4. The vulnerability exists in Nessus Agent versions 11.1.2 and earlier; version 11.1.3 patches the improper link‑resolution logic (CWE‑59 Link Following). The attack requires only low‑level user privileges and has low complexity, making it feasible for insider threats or post‑exploitation steps. Impact on confidentiality, integrity, and availability is rated High.

What It Means: Organizations using Nessus Agent for vulnerability management should upgrade immediately to 11.1.3. Until patched, defenders should monitor for unexpected junction creation on endpoints and review permissions on directories where the agent writes logs or temporary files. Detection can focus on unusual file‑system reparse point activity or attempts to delete critical system files by processes running as SYSTEM. Tenable’s advisory recommends applying the patch and enabling audit logging for junction manipulation.

What to watch next: Watch for exploit attempts in the wild and any follow‑up advisories from Tenable or CERT‑CC regarding similar link‑following flaws in other security agents.