Nessus Agent flaw on Windows can lead to SYSTEM-level code execution

Tenable has patched a high-severity vulnerability in Nessus Agent for Windows that can allow an authenticated local attacker to delete arbitrary files with SYSTEM privileges. Tenable says this condition can potentially lead to arbitrary code execution with elevated SYSTEM permissions.

The flaw is tracked as CVE-2026-33694 and affects Nessus Agent 11.1.2 and earlier. Tenable fixed it in Nessus Agent 11.1.3, which the company released on April 23, 2026.

For enterprise teams, the issue matters because Nessus Agent often runs on servers, workstations, and other important endpoints used for vulnerability scanning. If attackers already have local authenticated access, they could abuse the agent’s privileged file operations to move from limited access to SYSTEM-level impact.

What Tenable fixed

The vulnerability involves Windows junction abuse. A junction works like a filesystem redirect, allowing one folder path to point to another location.

Tenable says an attacker can create a junction that enables arbitrary file deletion with SYSTEM privileges. Since the Nessus Agent service runs with high permissions, a poorly validated file operation can act on a target chosen by the attacker instead of the intended file.

Tenable classifies the flaw under CWE-59, which covers improper link resolution before file access. This weakness appears when software follows a symbolic link or junction without confirming that the final target remains safe.

At a glance

Item	Details
Product	Tenable Nessus Agent
Platform	Windows
Vulnerability	Arbitrary file deletion through junction abuse
CVE	CVE-2026-33694
Severity	High
Affected versions	Nessus Agent 11.1.2 and earlier
Fixed version	Nessus Agent 11.1.3
Main risk	Potential arbitrary code execution as SYSTEM
Weakness type	CWE-59, improper link resolution before file access
Patch date	April 23, 2026

Why SYSTEM privileges increase the risk

SYSTEM is one of the most powerful privilege levels on Windows. Code running as SYSTEM can modify protected files, change services, disable security controls, install persistent components, and affect other users on the same machine.

In this case, the first step is arbitrary file deletion. That may sound narrower than direct code execution, but privileged file deletion can become dangerous when attackers remove or replace files used by services, installers, scheduled tasks, or security tools.

Tenable’s own advisory says the condition can potentially facilitate arbitrary code execution, allowing malicious code to run with elevated SYSTEM privileges.

What versions are affected

Tenable lists Nessus Agent 11.1.2 and earlier as affected. The company released Nessus Agent 11.1.3 to address the issue and directs users to obtain installation files from the Tenable Downloads Portal.

Tenable’s plugin page for the issue also says Windows hosts running Nessus Agent prior to 11.1.3 are affected. The related Nessus plugin is ID 310144 and checks the product’s self-reported version.

The plugin page also notes that Nessus has not tested exploitation directly for that check and relies on the application’s self-reported version number. That means administrators should confirm installed versions through endpoint management tools where possible.

Risk summary

Risk area	Why it matters
Local privilege escalation	A low-privileged authenticated attacker could abuse a privileged service path
Arbitrary deletion	Attackers may target files outside the intended Nessus Agent workflow
SYSTEM-level impact	Successful abuse can affect core Windows services and security controls
Enterprise exposure	Nessus Agent often runs across many managed endpoints
Detection challenge	Junction abuse can look like a normal filesystem operation unless monitored closely

What administrators should do now

Security teams should update Windows systems running Nessus Agent to version 11.1.3 or later. Tenable strongly encourages users to apply relevant patches in a timely manner, and the official solution for this advisory is to install Nessus Agent 11.1.3.

Admins should prioritize high-value Windows servers, administrative workstations, security tooling hosts, and systems where local user access is common. Environments that allow many users to log into shared servers should treat the update as more urgent.

Teams should also review logs for suspicious junction creation, unusual file deletion activity, and unexpected changes around Nessus Agent directories. The update fixes the product flaw, but a quick review can help spot signs of attempted abuse before patching finished.

Practical mitigation checklist

• Upgrade Nessus Agent for Windows to version 11.1.3 or later.
• Confirm all Windows endpoints report the fixed agent version.
• Prioritize servers, shared systems, and privileged workstations.
• Restrict local interactive access where users do not need it.
• Monitor for unusual junction or symbolic link creation.
• Review suspicious file deletion events involving privileged services.
• Check endpoint protection logs for Nessus Agent directory activity.
• Use Tenable plugin ID 310144 to identify vulnerable agent versions.
• Validate version data with endpoint management tools, not only scanner output.
• Document patch completion for audit and incident response teams.

Why this patch should not wait

This vulnerability does not appear to be a remote unauthenticated bug. The attacker needs authenticated local access, and Tenable’s CVSS vector lists local attack access and low privileges.

Even so, local privilege escalation flaws remain important in real attacks. Intruders often first gain low-level access through phishing, stolen credentials, exposed remote access, or malware. A SYSTEM-level escalation bug can then help them disable defenses and deepen control.

Nessus Agent also has a special position inside many networks because organizations deploy it widely for security visibility. Any flaw in a broadly installed security agent deserves fast patching, especially when the impact reaches SYSTEM privileges.

FAQ