Tenable security advisory (AV26-387)
Analysis Summary
# Vulnerability: Tenable Nessus and Nessus Agent Arbitrary File Deletion
## CVE Details
- **CVE ID:** CVE-2026-XXXX (Specific CVE ID not listed in the summary text, though referenced via Tenable TNS-2026-12/13)
- **CVSS Score:** 7.1 (High) - *Estimated based on standard Tenable ratings for local arbitrary file deletion*
- **CWE:** CWE-59 (Improper Link Resolution Before File Action)
## Affected Systems
- **Products:** Nessus Agent, Nessus (Scanner)
- **Versions:**
  - Nessus Agent: All versions prior to 11.1.3
  - Nessus: Versions prior to 10.11.4 and versions prior to 10.12.0
- **Configurations:** Systems where the Nessus service or agent is running with elevated privileges (typically root or SYSTEM).
## Vulnerability Description
A vulnerability exists in Tenable Nessus and Nessus Agent where an authenticated, low-privileged local attacker could exploit a race condition or improper handling of symbolic links (symlinks). By creating a specially crafted link to a sensitive system file, an attacker can trick the Nessus process—which operates with high privileges—into deleting that file. This is commonly referred to as an "Arbitrary File Deletion" flaw.
## Exploitation
- **Status:** Not exploited (No reports of active exploitation in the wild at the time of advisory)
- **Complexity:** Low to Medium (Requires local access and timing/symlink manipulation)
- **Attack Vector:** Local
## Impact
- **Confidentiality:** None
- **Integrity:** Low (Can lead to the deletion of critical configuration files)
- **Availability:** High (Deleting essential system or application files can lead to a Permanent Denial of Service (PDoS) of the security tool or the OS itself)
## Remediation
### Patches
Tenable has released the following versions to address these flaws:
- **Nessus Agent:** Update to version **11.1.3** or later.
- **Nessus:** Update to version **10.11.4**, **10.12.0**, or later.
### Workarounds
- **Strict Access Control:** Limit local interactive login access to the host where Nessus agents/scanners are installed.
- **Principle of Least Privilege:** Ensure only authorized administrators have the permissions required to modify directories used by the Nessus service.
## Detection
- **Indicators of Compromise:** Unusual deletion of system files or Nessus configuration files (`.vdb`, `.db`, or `.conf` files) not associated with standard update cycles.
- **Detection Methods:** Monitor system logs for unauthorized symlink creation in Tenable-specific directories (e.g., `/opt/nessus_agent/var/nessus/` or `C:\ProgramData\Tenable\Nessus\`).
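
As a point-in-time complement to the log monitoring above, the following added example (not Tenable's code and not part of the advisory) walks a Nessus data directory and reports symlinks that resolve outside the tree or are owned by an untrusted account, plus world-writable directories where a low-privileged user could plant one. The function name, the reason labels and the default of trusting only UID 0 are assumptions made for illustration; it targets POSIX hosts.

```python
import os
import stat

def audit_tree(base, trusted_uids=(0,)):
    """Flag risky symlinks and world-writable directories under `base`.

    Hypothetical helper: `trusted_uids` (default root only) is an assumption.
    """
    base_real = os.path.realpath(base)
    findings = []
    # followlinks=False: never descend through a link while auditing links.
    for dirpath, dirnames, filenames in os.walk(base, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat inspects the entry itself, not its target
            reasons = []
            if stat.S_ISLNK(st.st_mode):
                target = os.path.realpath(path)
                try:
                    inside = os.path.commonpath([base_real, target]) == base_real
                except ValueError:  # paths that share no common root
                    inside = False
                if not inside:
                    reasons.append("link-target-outside-tree")
                if st.st_uid not in trusted_uids:
                    reasons.append("link-owner-untrusted")
            elif stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH:
                # Any local user can create entries (including links) here.
                reasons.append("dir-world-writable")
            if reasons:
                findings.append((path, sorted(reasons)))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    # Default path is the Linux agent directory named in the advisory text.
    root = sys.argv[1] if len(sys.argv) > 1 else "/opt/nessus_agent/var/nessus/"
    for path, reasons in audit_tree(root):
        print(f"{path}: {', '.join(reasons)}")
```

Run it as root so every subdirectory is readable; a clean tree produces no output.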
## References
- [R1] Nessus Agent Version 11.1.3 Fixes Arbitrary File Deletion: hxxps[://]www[.]tenable[.]com/security/tns-2026-12
- [R2] Nessus Versions 10.11.4 and 10.12.0 Fixes Arbitrary File Deletion: hxxps[://]www[.]tenable[.]com/security/tns-2026-13
- Tenable Product Security Advisories: hxxps[://]www[.]tenable[.]com/security