CVE-2025-36633: CWE-269 Improper Privilege Management in Tenable Agent
In Tenable Agent versions prior to 10.8.5 on a Windows host, it was found that a non-administrative user could arbitrarily delete local system files with SYSTEM privilege, potentially leading to local privilege escalation.
AI Analysis
Technical Summary
CVE-2025-36633 is a high-severity vulnerability affecting Tenable Agent versions prior to 10.8.5 on Windows hosts. The root cause is improper privilege management (CWE-269), where a non-administrative user can delete local system files with SYSTEM-level privileges. This vulnerability arises because the Tenable Agent improperly exposes privileged file deletion capabilities to users without administrative rights. Exploiting this flaw allows an attacker with limited local access to escalate their privileges to SYSTEM, the highest level on Windows, enabling full control over the affected machine. The vulnerability has a CVSS 3.1 base score of 8.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no user interaction required. The scope is changed, meaning the vulnerability affects resources beyond the initially compromised component. Although no known exploits are currently reported in the wild, the ease of exploitation and severity make this a critical concern for organizations using Tenable Agent on Windows endpoints. The vulnerability can lead to unauthorized deletion of critical system files, potentially causing system instability, denial of service, or enabling further malicious activities such as persistence, data theft, or lateral movement within a network.
Potential Impact
For European organizations, this vulnerability poses significant risks, especially those relying on Tenable Agent for vulnerability management and endpoint security. Successful exploitation could allow attackers to gain SYSTEM privileges on Windows hosts, undermining endpoint security controls and potentially compromising sensitive data. This can disrupt business operations, lead to data breaches, and damage organizational reputation. Critical infrastructure sectors, financial institutions, and government agencies in Europe that deploy Tenable Agent extensively are at heightened risk. The ability to escalate privileges locally could facilitate insider threats or be leveraged by malware and ransomware operators to gain deeper footholds. Additionally, the vulnerability could affect compliance with European data protection regulations such as GDPR if exploited to access or alter protected data. The absence of known exploits currently provides a window for mitigation, but the high severity and ease of exploitation necessitate urgent attention.
Mitigation Recommendations
1. Immediate upgrade: Organizations should prioritize upgrading Tenable Agent to version 10.8.5 or later, where this vulnerability is fixed.
2. Restrict local access: Limit local user accounts on Windows hosts running Tenable Agent to only trusted personnel, reducing the attack surface for privilege escalation.
3. Implement application whitelisting and endpoint detection: Use endpoint protection solutions to monitor and block unauthorized attempts to delete system files or escalate privileges.
4. Harden system permissions: Review and tighten NTFS permissions on system files and directories to prevent unauthorized deletions, even if the agent is compromised.
5. Monitor logs: Enable detailed auditing of file deletions and privilege escalations on Windows hosts to detect suspicious activities early.
6. Network segmentation: Isolate critical systems running Tenable Agent to limit lateral movement in case of compromise.
7. Incident response readiness: Prepare playbooks for local privilege escalation incidents and conduct regular drills to ensure rapid containment.
These steps go beyond generic patching advice by focusing on access control, monitoring, and layered defenses tailored to the nature of this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: tenable
- Date Reserved: 2025-04-15T21:50:46.277Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 684c36f0a8c9212743809716
Added to database: 6/13/2025, 2:34:24 PM
Last enriched: 6/13/2025, 2:49:42 PM
Last updated: 8/12/2025, 9:44:10 PM