Tenable security advisory (AV26-149)
# Vulnerability: Multiple Vulnerabilities in Tenable Security Center (Including Critical Updates)
## CVE Details
*Note: The primary advisory (TNS-2026-07) addresses multiple vulnerabilities collected under a single maintenance release.*
- **CVE ID:** CVE-2025-0676 (Primary Critical), CVE-2026-21822, CVE-2026-21823
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-78 (OS Command Injection), CWE-79 (Cross-Site Scripting)
## Affected Systems
- **Products:** Tenable Security Center
- **Versions:**
  - Version 6.7.x (specifically prior to 6.7.2 with combined patches)
  - All versions prior to 6.8.0
- **Configurations:** Systems running the web management interface and those with plugin update capabilities enabled.
## Vulnerability Description
The primary critical flaw involves an OS command injection vulnerability within the Security Center management interface. An unauthenticated remote attacker could send a specially crafted request to the server, allowing for the execution of arbitrary commands at the root or administrative level. Additionally, the update addresses secondary vulnerabilities related to improper input validation that could lead to stored cross-site scripting (XSS) within the dashboard components.
## Exploitation
- **Status:** Not currently observed in the wild (as of advisory date). A PoC exists but is internal to Tenable; the risk is still high.
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Total compromise of system data)
- **Integrity:** High (Ability to modify security policies and scan results)
- **Availability:** High (Potential for complete system takeover or shutdown)
## Remediation
### Patches
Tenable recommends upgrading to the latest stable release:
- **Tenable Security Center 6.8.0**
- For users remaining on 6.7.x: Apply **Patch SC-202602.1** AND **Patch SC-202602.2**.
### Workarounds
- There are no direct functional workarounds that maintain full product utility.
- Restrict access to the Security Center management interface (Port 443/TCP) to trusted internal IP addresses only via firewall/ACLs.
## Detection
- **Indicators of compromise:** Unusual administrative logins, unexpected cron job creations, or outbound network connections to unknown IPs from the Security Center host.
- **Detection methods and tools:** Audit syslogs for shell commands executed by the web server user (e.g., `tns`, `apache`, or `nginx`).
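
One way to run the check described above, as an added example that is not part of the advisory or Tenable's tooling: a filter over raw Linux auditd `SYSCALL` records that flags shells or `crontab` executed under a web service account. It assumes auditd is logging `execve` on the host; the UID map and the sample records are constructed.

```python
import re

# Assumption: auditd records execve() (syscall 59 on x86_64) on the host.
# The UID-to-account map is constructed; read real UIDs from /etc/passwd.
WEB_UIDS = {48: "apache", 986: "nginx", 250: "tns"}
SHELLS = {"sh", "bash", "dash", "ksh", "zsh"}
CRON_TOOLS = {"crontab"}  # cron job creation is one of the listed indicators
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one raw audit record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def suspicious_execs(lines, web_uids=WEB_UIDS):
    """Return (account, pid, exe, reason) for shells or crontab run by web users."""
    hits = []
    for line in lines:
        rec = parse(line)
        # Keep only successful execve() calls.
        if (rec.get("type"), rec.get("syscall"), rec.get("success")) != ("SYSCALL", "59", "yes"):
            continue
        uid = rec.get("uid", "")
        if not uid.isdigit() or int(uid) not in web_uids:
            continue
        name = rec.get("exe", "").rsplit("/", 1)[-1]
        reason = "shell" if name in SHELLS else "cron" if name in CRON_TOOLS else None
        if reason:
            hits.append((web_uids[int(uid)], rec.get("pid"), rec["exe"], reason))
    return hits

# Constructed sample records (trimmed to the fields used), not real log data.
SAMPLE = [
    'type=SYSCALL msg=audit(1767261600.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=7001 auid=4294967295 uid=48 comm="bash" exe="/usr/bin/bash"',
    'type=SYSCALL msg=audit(1767261601.202:502): arch=c000003e syscall=59 success=yes exit=0 ppid=6900 pid=7010 auid=1000 uid=0 comm="bash" exe="/usr/bin/bash"',
    'type=SYSCALL msg=audit(1767261602.303:503): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=7020 auid=4294967295 uid=48 comm="httpd" exe="/usr/sbin/httpd"',
    'type=SYSCALL msg=audit(1767261603.404:504): arch=c000003e syscall=59 success=yes exit=0 ppid=7001 pid=7040 auid=4294967295 uid=250 comm="crontab" exe="/usr/bin/crontab"',
    'type=SYSCALL msg=audit(1767261604.505:505): arch=c000003e syscall=59 success=no exit=-13 ppid=2300 pid=7050 auid=4294967295 uid=986 comm="bash" exe="/usr/bin/bash"',
]

if __name__ == "__main__":
    for hit in suspicious_execs(SAMPLE):
        print(hit)
```

Baseline the host before alerting: scheduled jobs or application scripts may legitimately spawn shells under these accounts, so the useful signal is an execution outside that baseline.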
## References
- hxxps[://]www[.]tenable[.]com/security/tns-2026-07
- hxxps[://]www[.]tenable[.]com/security
- hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/tenable-security-advisory-av26-149