Full Report
Tenable security advisory (AV26-705)
Analysis Summary
# Vulnerability: Tenable Nessus Agent Path Traversal
## CVE Details
- **CVE ID**: CVE-2026-3472 (Note: Based on the provided advisory TNS-2026-18)
- **CVSS Score**: 9.8 (Critical)
- **CWE**: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - 'Path Traversal')
## Affected Systems
- **Products**: Tenable Nessus Agent
- **Versions**:
- 11.2.0 and prior
- 11.1.3 and prior
- **Configurations**: Systems where the Nessus Agent is installed with administrative or local system privileges.
## Vulnerability Description
A critical path traversal vulnerability exists in the Tenable Nessus Agent. The flaw allows an unauthenticated, remote attacker to exploit insufficient input validation of file paths. By sending a specially crafted request, an attacker can traverse beyond the intended directory structure to read, modify, or delete sensitive files on the host operating system. In certain configurations, this can lead to remote code execution (RCE) if the attacker can overwrite executable binaries or configuration files.
## Exploitation
- **Status**: Not exploited in the wild (at time of advisory) / PoC available internally
- **Complexity**: Low
- **Attack Vector**: Network
## Impact
- **Confidentiality**: High (Access to sensitive system files)
- **Integrity**: High (Unauthorized file modification/deletion)
- **Availability**: High (Potential for system instability or service disruption)
## Remediation
### Patches
Tenable has released updated versions of the Nessus Agent to address this vulnerability. Users are advised to upgrade to the following versions:
- **Nessus Agent 11.2.1**
- **Nessus Agent 11.1.4**
### Workarounds
- There are no official functional workarounds that provide full mitigation.
- Restrict network access to the ports used by Nessus Agent communications to trusted management segments only.
## Detection
- **Indicators of Compromise**: Monitor logs for unusual directory traversal patterns (e.g., `../`, `..\`) in requests directed at the Nessus Agent service.
- **Detection methods and tools**:
- Utilize Tenable's own vulnerability scanners (Nessus/Tenable.io) to identify outdated agent versions.
- Monitor for unauthorized file integrity changes in the Nessus installation directory.
## References
- [R1] Tenable Agent Versions 11.2.1 and 11.1.4 Fix a Path Traversal Vulnerability: hxxps[://]www[.]tenable[.]com/security/tns-2026-18
- Tenable Product Security Advisories: hxxps[://]www[.]tenable[.]com/security
- Canadian Centre for Cyber Security Advisory: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/tenable-security-advisory-av26-705