CVE-2025-36632 is a high-severity vulnerability identified in Tenable Agent versions prior to 10.8.5 running on Windows hosts. The root cause is incorrect default permissions (CWE-276) that allow a non-administrative user on the affected system to execute arbitrary code with SYSTEM-level privileges. SYSTEM is the highest privilege level on Windows, granting full control over the host, including the ability to modify system files, install or remove software, and manipulate other user accounts. The vulnerability arises because the Tenable Agent improperly sets permissions on certain files or executables, enabling privilege escalation from a low-privilege user to SYSTEM without requiring user interaction. The CVSS 3.1 base score is 7.8, reflecting a high impact on confidentiality, integrity, and availability, with low attack complexity and requiring only limited privileges (PR:L) but no user interaction (UI:N). The attack vector is local (AV:L), meaning an attacker must have some form of access to the host already, such as a standard user account. No known exploits are currently reported in the wild, but the vulnerability is publicly disclosed and patched in version 10.8.5. Given Tenable Agent's role in vulnerability management and asset discovery, compromise of the agent could allow attackers to manipulate security monitoring data or pivot to other systems within a network. This vulnerability is particularly critical because it enables privilege escalation without user interaction, increasing the risk of lateral movement and persistence within enterprise environments.

For European organizations, the impact of CVE-2025-36632 can be significant. Many enterprises and managed security service providers (MSSPs) in Europe deploy Tenable Agents for continuous vulnerability assessment and compliance monitoring. Exploitation of this vulnerability could allow attackers who have gained limited access (e.g., through phishing or insider threat) to escalate privileges to SYSTEM, thereby bypassing endpoint security controls and potentially disabling or manipulating security telemetry. This could lead to undetected breaches, data exfiltration, or ransomware deployment. Critical infrastructure sectors such as finance, healthcare, manufacturing, and government agencies in Europe rely heavily on Tenable products for security hygiene; thus, the vulnerability could undermine trust in security operations and increase the risk of large-scale incidents. Additionally, the ability to escalate privileges locally could facilitate supply chain attacks or insider threats, which are of growing concern in the European cybersecurity landscape. The lack of known exploits in the wild reduces immediate risk but does not diminish the urgency for patching, as attackers often reverse-engineer disclosed vulnerabilities rapidly.

1. Immediate upgrade to Tenable Agent version 10.8.5 or later, where the incorrect default permissions issue is resolved. 2. Conduct an audit of all Windows hosts running Tenable Agent to identify and remediate any instances of vulnerable versions. 3. Implement strict local user account management policies to limit the number of users with local access, reducing the attack surface for local privilege escalation. 4. Employ endpoint detection and response (EDR) solutions capable of detecting anomalous privilege escalation behaviors, such as unexpected SYSTEM-level process creation by non-administrative users. 5. Regularly review and harden file system permissions on critical security agent files and executables, ensuring they are not writable or executable by unauthorized users. 6. Integrate vulnerability management with patch management workflows to ensure rapid deployment of security updates. 7. Monitor security logs for unusual activity related to Tenable Agent processes or unexpected privilege escalations. 8. For environments where immediate patching is not feasible, consider temporarily restricting local user access or using application control policies to prevent execution of unauthorized code by low-privilege users.