
CVE-2022-28291: CWE-522 in Nessus Professional

Medium
Tags: Vulnerability, CVE-2022-28291, cve, cwe-522
Published: Mon Oct 17 2022 (10/17/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: Nessus Professional

Description

Insufficiently Protected Credentials: An authenticated user with debug privileges can retrieve stored Nessus policy credentials from the “nessusd” process in cleartext via process dumping. The affected products are all versions of Nessus Essentials and Professional. The vulnerability allows an attacker to access credentials stored in Nessus scanners, potentially compromising its customers’ network of assets.

AI-Powered Analysis

Last updated: 07/06/2025, 17:42:38 UTC

Technical Analysis

CVE-2022-28291 is a vulnerability classified under CWE-522 (Insufficiently Protected Credentials) affecting Nessus Essentials and Professional, specifically version 10.1.1. The issue arises because an authenticated user with debug privileges can extract stored Nessus policy credentials in cleartext by performing a process dump of the "nessusd" process. Nessus is a widely used vulnerability scanner that stores credentials to perform authenticated scans on network assets. The vulnerability allows an attacker who has already gained authenticated access with debug privileges to escalate their access by retrieving sensitive credentials stored within the scanner. These credentials could then be used to compromise other systems within the customer’s network, potentially leading to lateral movement, data exfiltration, or further exploitation. The vulnerability does not require user interaction but does require the attacker to have authenticated debug-level access, which limits the initial attack surface. The CVSS v3.1 score is 6.5 (medium severity), reflecting the network attack vector, low attack complexity, and the requirement for privileges but no user interaction. The impact is primarily on confidentiality, as credentials are exposed in cleartext, but integrity and availability are not directly affected. No known exploits in the wild have been reported, and no patches are explicitly linked in the provided information, indicating that remediation may require vendor updates or configuration changes to restrict debug access.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the confidentiality of credentials stored within Nessus scanners. Since Nessus is commonly used by enterprises and managed security service providers (MSSPs) across Europe for vulnerability management, exploitation could lead to unauthorized access to critical network assets. Compromise of credentials stored in Nessus can facilitate lateral movement within corporate networks, enabling attackers to escalate privileges or access sensitive data. This is particularly concerning for organizations in regulated sectors such as finance, healthcare, and critical infrastructure, where data protection is paramount under GDPR and other regulations. The requirement for debug privileges means that the threat is more relevant in environments where internal users or attackers have gained some level of authenticated access, highlighting the importance of internal access controls. The exposure of credentials in cleartext also increases the risk of insider threats or attackers leveraging stolen credentials for further attacks. While no direct impact on system availability or integrity is noted, the breach of credential confidentiality can have cascading effects on overall network security posture.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should take the following specific actions:

1) Immediately review and restrict debug privileges within Nessus to only the most trusted administrators, minimizing the number of users who can perform process dumps.
2) Implement strict access controls and monitoring on Nessus management interfaces and underlying hosts to detect and prevent unauthorized access or privilege escalation.
3) If possible, upgrade Nessus to a version where this vulnerability is patched; if no patch is available, contact Tenable support for guidance or apply recommended configuration changes to protect stored credentials.
4) Employ host-based security controls such as process access restrictions and memory protection to prevent unauthorized dumping of the nessusd process.
5) Regularly audit stored credentials within Nessus policies and rotate them frequently to limit the window of exposure.
6) Monitor logs for suspicious activity related to debug access or credential retrieval attempts.
7) Educate administrators about the risks of granting debug privileges and enforce the principle of least privilege.

These steps go beyond generic advice by focusing on privilege restriction, credential hygiene, and host-level protections specific to the nature of this vulnerability.
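Recommendations 4 and 6 above (host-level restrictions on dumping the nessusd process, and monitoring for debug access) can be made concrete on a Linux scanner host. The following is an added example, not code from the advisory or from Tenable: it parses auditd SYSCALL records produced by a rule such as `auditctl -a always,exit -F arch=b64 -S ptrace,process_vm_readv -k ptrace_nessusd` and raises an alert whenever the target of a ptrace attach/seize or process_vm_readv is a nessusd process, and it classifies the Yama `kernel.yama.ptrace_scope` value that governs who may attach at all. The x86_64 syscall numbers, the audit-rule key, the pid-to-process-name table and the log lines are all assumptions or constructed samples; reads of /proc/<pid>/mem are outside the example's scope.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed x86_64 syscall numbers of the calls that read another process's memory
SYS_PTRACE, SYS_PROCESS_VM_READV = 101, 310
# ptrace requests that take control of a target (value carried in a0 of the record)
PTRACE_ATTACH, PTRACE_SEIZE = 0x10, 0x4206
PROTECTED_COMM = "nessusd"

# Constructed pid -> comm table, standing in for what a collector reads from /proc
PID_TABLE: Dict[int, str] = {1234: "nessusd", 2000: "bash", 4321: "nessusd"}

# Constructed sample auditd lines (not real logs from any system). They model:
#  4567: gdb attaching to nessusd (succeeded)
#  4568: gcore attempting to attach to nessusd (blocked, success=no)
#  4569: strace attaching to an unrelated bash process
#  4570: process_vm_readv against nessusd from a python3 process
#  4571: an unrelated openat record that must be ignored
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1665993600.101:4567): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=4d2 a2=0 a3=0 items=0 ppid=2000 pid=2002 auid=1000 uid=0 gid=0 euid=0 comm="gdb" exe="/usr/bin/gdb" key="ptrace_nessusd"
type=SYSCALL msg=audit(1665993600.202:4568): arch=c000003e syscall=101 success=no exit=-1 a0=10 a1=10e1 a2=0 a3=0 items=0 ppid=2000 pid=2003 auid=1001 uid=1001 gid=1001 euid=1001 comm="gcore" exe="/usr/bin/gcore" key="ptrace_nessusd"
type=SYSCALL msg=audit(1665993600.303:4569): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=7d0 a2=0 a3=0 items=0 ppid=2000 pid=2004 auid=1000 uid=1000 gid=1000 euid=1000 comm="strace" exe="/usr/bin/strace" key="ptrace_nessusd"
type=SYSCALL msg=audit(1665993600.404:4570): arch=c000003e syscall=310 success=yes exit=4096 a0=4d2 a1=7ffc a2=1 a3=7ffd items=0 ppid=2000 pid=2005 auid=1000 uid=0 gid=0 euid=0 comm="python3" exe="/usr/bin/python3" key="ptrace_nessusd"
type=SYSCALL msg=audit(1665993600.505:4571): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0 a2=0 a3=0 items=1 ppid=2000 pid=2006 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="etc_access"
"""

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
EVENT_ID_RE = re.compile(r"audit\([\d.]+:(\d+)\)")


@dataclass
class DumpAlert:
    event_id: str
    actor_pid: int
    actor_comm: str
    auid: int          # login uid: the human account behind the attempt, even after su/sudo
    target_pid: int
    syscall: str
    succeeded: bool


def parse_audit_record(line: str) -> Dict[str, str]:
    """Split one auditd record into a key/value dict, unquoting quoted values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in FIELD_RE.findall(line)}


def target_pid_of(fields: Dict[str, str]) -> Optional[int]:
    """Return the pid whose memory this record touches, or None if it reads no other process."""
    syscall = int(fields["syscall"])
    if syscall == SYS_PTRACE:
        # Only attach/seize establish access; later PEEK requests follow an attach already seen
        if int(fields["a0"], 16) not in (PTRACE_ATTACH, PTRACE_SEIZE):
            return None
        return int(fields["a1"], 16)          # a1 = target pid
    if syscall == SYS_PROCESS_VM_READV:
        return int(fields["a0"], 16)          # a0 = target pid
    return None


def detect_dump_attempts(log_text: str, pid_table: Dict[int, str] = PID_TABLE) -> List[DumpAlert]:
    """Alert on every memory read, successful or not, aimed at a nessusd process."""
    alerts: List[DumpAlert] = []
    for line in log_text.splitlines():
        f = parse_audit_record(line)
        if f.get("type") != "SYSCALL" or f.get("arch") != "c000003e":
            continue
        target = target_pid_of(f)
        if target is None or pid_table.get(target) != PROTECTED_COMM:
            continue
        alerts.append(DumpAlert(
            event_id=EVENT_ID_RE.search(f["msg"]).group(1),
            actor_pid=int(f["pid"]), actor_comm=f["comm"], auid=int(f["auid"]),
            target_pid=target,
            syscall="ptrace" if int(f["syscall"]) == SYS_PTRACE else "process_vm_readv",
            succeeded=(f.get("success") == "yes"),
        ))
    return alerts


def assess_ptrace_scope(scope: int) -> Tuple[bool, str]:
    """Classify a Yama kernel.yama.ptrace_scope value; hardened means non-root users cannot attach.
    Even at scope 2 a process holding CAP_SYS_PTRACE (root) can still attach, so auditing
    remains necessary alongside the restriction."""
    meanings = {
        0: "classic: any same-uid process may attach",
        1: "restricted: only ancestors (e.g. a debugger that spawned the target) may attach",
        2: "admin-only: attaching requires CAP_SYS_PTRACE",
        3: "no attach: ptrace attach is disabled until reboot",
    }
    if scope not in meanings:
        raise ValueError(f"unknown ptrace_scope value {scope}")
    return scope >= 2, meanings[scope]


if __name__ == "__main__":
    for a in detect_dump_attempts(SAMPLE_AUDIT_LOG):
        print(f"event {a.event_id}: auid={a.auid} {a.actor_comm}[{a.actor_pid}] "
              f"{a.syscall} -> nessusd[{a.target_pid}] success={a.succeeded}")
    print(assess_ptrace_scope(2))
```

Failed attempts are reported as well as successful ones, since a blocked attach by an account that was never granted debug rights is exactly the signal recommendation 6 asks for; the `auid` field survives `sudo`, so the alert points at the person rather than at root.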


Technical Details

Data Version
5.1
Assigner Short Name
CSW
Date Reserved
2022-03-31T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682cd0fc1484d88663aecc0f

Added to database: 5/20/2025, 6:59:08 PM

Last enriched: 7/6/2025, 5:42:38 PM

Last updated: 8/15/2025, 3:25:38 PM
