CVE-2025-36630: CWE-269 Improper Privilege Management in Tenable Nessus
In Tenable Nessus versions prior to 10.8.5 on a Windows host, it was found that a non-administrative user could overwrite arbitrary local system files with log content at SYSTEM privilege.
AI Analysis
Technical Summary
CVE-2025-36630 is a high-severity vulnerability affecting Tenable Nessus versions prior to 10.8.5 running on Windows hosts. The core issue is improper privilege management (CWE-269), where a non-administrative user can exploit the vulnerability to overwrite arbitrary local system files with log content at SYSTEM privilege level. This means that a user with limited permissions can escalate their privileges by manipulating Nessus's logging mechanism to write data to critical system files, potentially leading to system compromise. The vulnerability is local (AV:L), requires low attack complexity (AC:L), and limited privileges (PR:L), but no user interaction (UI:N). The scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially compromised component. The impact is high on integrity (I:H) and availability (A:H), but no confidentiality impact (C:N). Although no known exploits are currently reported in the wild, the vulnerability's characteristics make it a significant risk if exploited. The lack of a patch link suggests that remediation may require updating to version 10.8.5 or later once available. This vulnerability highlights a critical flaw in how Nessus handles log file writing permissions on Windows, allowing privilege escalation through file overwrite attacks.
Potential Impact
For European organizations, this vulnerability poses a serious risk, especially for those using Tenable Nessus for vulnerability management on Windows systems. Successful exploitation could allow an attacker with limited access to escalate privileges to SYSTEM level, leading to full control over the affected host. This could result in unauthorized modification or destruction of system files, disruption of security monitoring, and potential lateral movement within networks. Given Nessus's role in security posture management, compromising it could undermine an organization's ability to detect and respond to other threats, increasing overall risk exposure. Critical infrastructure, financial institutions, and enterprises with stringent compliance requirements in Europe could face operational disruptions, data integrity issues, and regulatory consequences if this vulnerability is exploited.
Mitigation Recommendations
European organizations should prioritize upgrading Tenable Nessus installations to version 10.8.5 or later as soon as patches are available. Until then, restrict local user access on Windows hosts running Nessus to trusted administrators only, minimizing the risk of exploitation by non-privileged users. Implement strict file system permissions on Nessus log directories to prevent unauthorized write access. Employ application whitelisting and endpoint detection and response (EDR) solutions to monitor and block suspicious file modification activities. Regularly audit user privileges and Nessus configuration settings to ensure adherence to the principle of least privilege. Additionally, consider isolating Nessus scanning hosts from general user environments to reduce attack surface. Monitoring logs for unusual file overwrite attempts or privilege escalation indicators can provide early warning of exploitation attempts.
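A defender-side check for two of the recommendations above (confirm the host runs a fixed release, and confirm the Nessus log directory is not writable by non-administrative users), as an added PowerShell example that is not part of the original advisory or of Tenable's own tooling. It assumes the log directory is at the path assigned to $LogDir (an assumed installer default, adjust to your host) and that the Nessus uninstall registry entry's DisplayName starts with "Tenable Nessus".

```powershell
# Added example (not Tenable's code): checks a Windows Nessus host for the two
# mitigations the advisory calls for: a fixed version (>= 10.8.5) and a log
# directory that non-administrative users cannot write to.
# Assumption: $LogDir is the installer default and may differ on your host.

$FixedVersion = [version]'10.8.5'
$LogDir = 'C:\ProgramData\Tenable\Nessus\nessus\logs'   # assumed default path

function Get-NessusInstalledVersion {
    # Read DisplayVersion from the Uninstall keys (64- and 32-bit views).
    # Assumes the entry's DisplayName starts with 'Tenable Nessus'.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Tenable Nessus*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Test-NessusVersionFixed {
    param([string]$InstalledVersion)
    # $true when the installed build is at or past the fixed release.
    return ([version]$InstalledVersion -ge $FixedVersion)
}

function Get-NonAdminWriteAccess {
    param([string]$Path)
    # Allow ACEs granting write-type rights to anyone other than SYSTEM/Administrators.
    # CREATOR OWNER is the inheritance placeholder Windows puts under ProgramData.
    $trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER'
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -notin $trusted -and
        ($_.FileSystemRights -band $writeMask) -ne 0
    }
}

$ver = Get-NessusInstalledVersion
if (-not $ver) { 'Tenable Nessus not found in the Uninstall registry keys' }
elseif (Test-NessusVersionFixed $ver) { "Nessus $ver is at or above 10.8.5" }
else { "Nessus $ver is below 10.8.5: upgrade required" }

if (-not (Test-Path $LogDir)) { "Log directory $LogDir not present; set `$LogDir to your install's log path" }
else {
    $weak = Get-NonAdminWriteAccess -Path $LogDir
    if ($weak) { "Non-administrative write access on ${LogDir}:"; $weak | Format-Table IdentityReference, FileSystemRights }
    else { "No non-administrative write access on $LogDir" }
}
```

Any principal the ACL report lists (for example Users or Authenticated Users with Write or Modify) is a finding to review against the least-privilege guidance above; an empty report only covers the directory itself, so run it against the log files too if inheritance has been broken.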
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: tenable
- Date Reserved: 2025-04-15T21:50:46.277Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68646e2d6f40f0eb7290c91d
Added to database: 7/1/2025, 11:24:29 PM
Last enriched: 7/1/2025, 11:39:35 PM
Last updated: 7/2/2025, 4:56:25 AM