Tenable security advisory (AV26-627)
Analysis Summary
# Vulnerability: Multiple Critical Vulnerabilities in Tenable Identity Exposure
## CVE Details
- **CVE ID:** CVE-2026-3420, CVE-2026-3421 (Note: Based on Tenable TNS-2026-16)
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-77 (Command Injection), CWE-22 (Path Traversal)
## Affected Systems
- **Products:** Tenable Identity Exposure (formerly Tenable.ad)
- **Versions:** All versions prior to 3.93.4
- **Configurations:** Default installations of the Identity Exposure console and related data streamers.
## Vulnerability Description
The vulnerabilities involve a combination of insufficient input validation and improper neutralization of special elements used in OS commands.
1. **Command Injection:** An unauthenticated remote attacker can send specially crafted packets to the indicator engine, leading to arbitrary code execution with elevated privileges.
2. **Path Traversal:** Faulty handling of file paths allows for unauthorized reading of sensitive system configuration files.
## Exploitation
- **Status:** Not currently observed in the wild; PoC exists internally for vendor testing.
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Full access to identity data and AD configurations)
- **Integrity:** High (Ability to modify security indicators and system logic)
- **Availability:** High (Potential for complete system takeover or service disruption)
## Remediation
### Patches
- **Tenable Identity Exposure Version 3.93.5:** This is the recommended security release that addresses all identified flaws in the 3.x branch.
- **Tenable Identity Exposure Version 3.93.4:** Minimum version required to mitigate the critical remote code execution flaw.
### Workarounds
- **Network Segmentation:** Restrict access to the Tenable Identity Exposure management ports to trusted administrative subnets only.
- **Firewall Rules:** Block incoming traffic on non-standard ports used by the Identity Exposure engines from the general internet.
## Detection
- **Indicators of Compromise:** Monitor for unusual parent-child process relationships (e.g., identity services spawning `cmd.exe` or `/bin/sh`).
- **Detection methods and tools:**
  - Use Tenable's own "Vulnerability Priority Rating" (VPR) plugins to scan the console itself.
  - Audit system logs for directory traversal patterns (`../`) in web server request strings.
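The two detection checks above, worked through as an added example (not Tenable's code and not part of the advisory): a short Python script that flags traversal segments in web-server request strings, including URL-encoded and double-encoded forms, and flags identity-service processes spawning a shell. The sample request lines, process paths and service names are constructed for illustration and are assumptions, not Tenable's real binary names or log format.

```python
import re
from urllib.parse import unquote

# Constructed sample web-server request lines (not taken from any real log).
SAMPLE_REQUESTS = [
    'GET /api/profiles HTTP/1.1',
    'GET /api/files?name=../../etc/shadow HTTP/1.1',
    'GET /api/files?name=..%2F..%2Fwindows%2Fwin.ini HTTP/1.1',
    'GET /api/files?name=%252e%252e%2fconfig HTTP/1.1',
    'GET /static/app.js HTTP/1.1',
]

# Constructed sample process-creation events: (parent image, child image).
# Service paths are placeholders, not Tenable's actual install layout.
SAMPLE_PROCESS_EVENTS = [
    ('C:\\Tenable\\IdentityExposure\\node.exe', 'C:\\Windows\\System32\\cmd.exe'),
    ('/opt/tenable/indicator-engine', '/bin/sh'),
    ('C:\\Windows\\explorer.exe', 'C:\\Windows\\System32\\cmd.exe'),
    ('/opt/tenable/indicator-engine', '/usr/bin/python3'),
]

TRAVERSAL = re.compile(r'\.\.[\\/]')            # "../" or "..\" after decoding
IDENTITY_SERVICE_HINTS = ('tenable', 'indicator-engine', 'identityexposure')
SHELL_BASENAMES = {'cmd.exe', 'powershell.exe', 'sh', 'bash'}

def decode_fully(s, rounds=3):
    """Percent-decode repeatedly so double-encoded traversal (%252e%252e) is caught."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def find_traversal(lines):
    """Return request lines whose decoded request target contains a traversal segment."""
    hits = []
    for line in lines:
        parts = line.split()
        target = parts[1] if len(parts) > 1 else line   # method, target, version
        if TRAVERSAL.search(decode_fully(target)):
            hits.append(line)
    return hits

def find_shell_spawns(events):
    """Return (parent, child) pairs where an identity-service process starts a shell."""
    hits = []
    for parent, child in events:
        basename = child.lower().replace('\\', '/').rsplit('/', 1)[-1]
        if any(h in parent.lower() for h in IDENTITY_SERVICE_HINTS) and basename in SHELL_BASENAMES:
            hits.append((parent, child))
    return hits

if __name__ == '__main__':
    for hit in find_traversal(SAMPLE_REQUESTS):
        print('traversal:', hit)
    for parent, child in find_shell_spawns(SAMPLE_PROCESS_EVENTS):
        print('shell spawn:', parent, '->', child)
```

On the constructed samples this reports the three traversal requests (plain, encoded and double-encoded) and the two shell spawns from identity-service parents, while leaving the benign requests and the unrelated explorer.exe and python3 events alone.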
## References
- hxxps[://]www.tenable[.]com/security/tns-2026-16
- hxxps[://]www.tenable[.]com/security
- hxxps[://]www.cyber[.]gc[.]ca/en/alerts-advisories/tenable-security-advisory-av26-627