CVE-2025-24916 is a high-severity vulnerability affecting Tenable Network Monitor versions prior to 6.5.1 when installed on Windows hosts in a non-default directory. The issue arises from improper access control (CWE-284) on sub-directories within the custom installation path. Specifically, the software fails to enforce secure permissions on these sub-directories, potentially allowing local users with limited privileges to escalate their rights on the affected system. This vulnerability is classified as a local privilege escalation (LPE) flaw, meaning an attacker must already have some level of access to the host but can leverage this weakness to gain higher privileges, such as administrative or SYSTEM level. The CVSS 3.1 score of 7.0 reflects a high impact on confidentiality, integrity, and availability, with an attack vector limited to local access, requiring high attack complexity and low privileges but no user interaction. The scope remains unchanged, indicating the vulnerability affects only the local system context. Although no known exploits are reported in the wild, the vulnerability poses a significant risk in environments where Tenable Network Monitor is deployed in non-default locations without proper directory permission hardening. This misconfiguration could be exploited by malicious insiders or attackers who have gained limited local access to elevate privileges and potentially compromise the entire host or network monitoring infrastructure.

For European organizations, this vulnerability could have serious consequences, especially in sectors relying heavily on network monitoring for security and compliance, such as finance, healthcare, critical infrastructure, and government. Successful exploitation could allow attackers to gain administrative control over the monitoring host, enabling them to tamper with monitoring data, disable security alerts, or pivot to other internal systems. This undermines the integrity and availability of security monitoring, potentially delaying detection of further attacks or data breaches. Given that Tenable Network Monitor is widely used in enterprise environments across Europe, organizations that have customized installation paths without enforcing strict directory permissions are at heightened risk. The impact is amplified in regulated industries subject to GDPR and other data protection laws, where unauthorized access and data integrity issues can lead to significant legal and financial penalties. Additionally, the local nature of the exploit means insider threats or attackers who have already compromised a low-privilege account pose the greatest risk, emphasizing the need for robust internal security controls.

To mitigate this vulnerability, European organizations should: 1) Immediately upgrade Tenable Network Monitor to version 6.5.1 or later, where the issue is resolved. 2) Review and enforce strict NTFS permissions on all Tenable Network Monitor installation directories, especially if installed in non-default locations, ensuring only authorized system accounts and administrators have write or modify access. 3) Implement regular audits of directory permissions and file integrity monitoring on critical security infrastructure hosts. 4) Limit local user accounts and apply the principle of least privilege to reduce the risk of local exploitation. 5) Employ endpoint detection and response (EDR) solutions to monitor for suspicious privilege escalation activities. 6) Educate system administrators about the risks of non-default installations without proper permission hardening. 7) Consider deploying Tenable Network Monitor in default installation paths where secure permissions are enforced by default, if operationally feasible.