Tenable security advisory (AV26-137)
# Vulnerability: Multiple Critical Vulnerabilities in Tenable Security Center
## CVE Details
- **CVE ID:** CVE-2026-21501, CVE-2026-21502 (Note: Based on advisory TNS-2026-06)
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-78 (OS Command Injection), CWE-89 (SQL Injection)
## Affected Systems
- **Products:** Tenable Security Center (formerly Tenable.sc)
- **Versions:** 6.7.2 and all prior versions.
- **Configurations:** Systems running localized versions or specific report generation modules are at higher risk.
## Vulnerability Description
The primary vulnerability involves an OS command injection flaw located within the report generation engine. Unauthorized inputs are not properly sanitized before being passed to system shells, allowing an attacker to execute arbitrary commands with the privileges of the Security Center user. Additionally, a secondary SQL injection flaw exists in the filtering component of the dashboard, which could allow for unauthorized data extraction.
## Exploitation
- **Status:** PoC Available (Private/Restricted researchers); No known exploitation in the wild at this time.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full access to vulnerability data and system files)
- **Integrity:** High (Ability to modify scan results and system configurations)
- **Availability:** High (Potential for system-wide denial of service or deletion of databases)
## Remediation
### Patches
Tenable has released stand-alone security patches for supported versions. Organizations should apply the patch listed for their installed version:
- **Tenable Security Center 6.7.2:** Apply Patch SC-202602.1
- **Tenable Security Center 6.6.0:** Apply Patch SC-202602.1
- **Tenable Security Center 6.5.1:** Apply Patch SC-202602.2
### Workarounds
- Restrict access to the Security Center web interface to trusted administrative networks only.
- Disable unnecessary reporting schedules until patches are applied.
## Detection
- **Indicators of Compromise:** Monitor system logs for unexpected child processes spawned by `php-fpm` or `httpd`. Look for unusual outbound network connections from the Security Center host.
- **Detection methods and tools:** Audit the `web.log` and `sc_error.log` for anomalous syntax in report queries or dashboard filter parameters.
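
The child-process indicator above can be checked mechanically against process-creation telemetry. The following is an added example, not Tenable's tooling or part of the advisory: it assumes a hypothetical JSON-lines export with `ts`, `parent`, `exe` and `cmdline` fields, and a baseline of expected child binaries that you build from the host's own normal behaviour.

```python
import json
from pathlib import PurePosixPath

# Parent processes named in the advisory's detection guidance.
WATCHED_PARENTS = ("php-fpm", "httpd")
# Assumption: children seen in normal operation; replace with your own baseline.
BASELINE_CHILDREN = {"php-fpm", "httpd"}

# Constructed sample events (hypothetical field names, not a product schema).
SAMPLE_EVENTS = """\
{"ts":"2026-02-20T10:01:02Z","parent":"/usr/sbin/httpd","exe":"/usr/sbin/httpd","cmdline":"httpd -DFOREGROUND"}
{"ts":"2026-02-20T10:04:11Z","parent":"php-fpm: pool www","exe":"/bin/sh","cmdline":"sh -c <constructed>"}
{"ts":"2026-02-20T10:04:30Z","parent":"/usr/sbin/sshd","exe":"/bin/bash","cmdline":"-bash"}
not json
{"ts":"2026-02-20T10:05:02Z","parent":"/usr/sbin/httpd","exe":"/usr/bin/curl","cmdline":"curl <constructed>"}
"""

def proc_name(value):
    """Reduce a path or process title ('php-fpm: pool www') to a bare name."""
    tokens = value.split()
    return PurePosixPath(tokens[0]).name.rstrip(":") if tokens else ""

def find_suspicious_children(lines, baseline=BASELINE_CHILDREN):
    """Return (alerts, skipped): events where a watched parent spawned a
    child outside the baseline, and the count of unparseable lines."""
    alerts, skipped = [], 0
    for line in lines:
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            parent, child = proc_name(ev["parent"]), proc_name(ev["exe"])
        except (ValueError, KeyError, TypeError, AttributeError):
            skipped += 1  # malformed record: count it, do not drop silently
            continue
        # startswith() also matches versioned names such as php-fpm8.1
        if parent.startswith(WATCHED_PARENTS) and child not in baseline:
            alerts.append(ev)
    return alerts, skipped

if __name__ == "__main__":
    alerts, skipped = find_suspicious_children(SAMPLE_EVENTS.splitlines())
    for ev in alerts:
        print(f'{ev["ts"]} {ev["parent"]} -> {ev["exe"]} ({ev["cmdline"]})')
    print(f"{skipped} line(s) skipped as unparseable")
```

A non-zero skipped count is worth investigating in its own right, since gaps in telemetry hide the events this check depends on.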
## References
- Tenable Advisory TNS-2026-06: hxxps[://]www[.]tenable[.]com/security/tns-2026-06
- Canadian Centre for Cyber Security Alert: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/tenable-security-advisory-av26-137
- Tenable Product Downloads: hxxps[://]www[.]tenable[.]com/downloads/security-center