Nessus Agent Zero-Day on Windows: How a Single Junction can Grant SYSTEM-Level Code Execution + Video

Listen to this Post

Featured Image

Introduction

A severe vulnerability in the widely deployed Tenable Nessus Agent for Windows allows a low-privileged attacker to achieve arbitrary code execution with the highest SYSTEM-level privileges. The attack vector leverages a classical “symlink attack” on the Windows operating system: an authenticated attacker with local access can create a malicious NTFS junction that redirects a privileged file deletion operation performed by the Nessus service. Once the agent is tricked into deleting a critical system file under its own high-integrity context, the attacker can plant a malicious payload and execute arbitrary code, completely compromising the host. This article breaks down the technical anatomy of the vulnerability (CVE-2026-33694), provides actionable detection and verification commands, and details the mandatory patching steps.

Learning Objectives

  • Understand the attack chain: Master how an NTFS junction is created and abused to turn an arbitrary file deletion flaw into full SYSTEM-level code execution.
  • Gain hands-on verification skills: Learn how to check Nessus Agent versions, detect weak directory permissions, and use Windows Sysinternals tools to monitor for junction creation on endpoints.
  • Implement effective mitigations: Know how to apply the patch (version 11.1.3), validate the upgrade, and apply a zero-trust rule for Nessus service directories to block similar attacks.

You Should Know

  1. Anatomy of the Attack: The RTLO Junction Trick

The vulnerability (CVE-2026-33694) exists because a privileged process associated with the Nessus Agent performs a file deletion operation without proper validation of directory junctions. On Windows, NTFS junctions are a type of symbolic link processed by the system’s I/O manager. When a process running as `SYSTEM` follows a junction to a different location, it retains its high integrity level. An attacker with local, authenticated access can plant a malicious junction in a location that the Nessus Agent service regularly accesses during routine operations (e.g., logging or update routines).

Step-by-step guide explaining what this does and how to use it:

An attacker would follow these steps after gaining initial low-privileged access:

  1. Reconnaissance: Identify the Nessus Agent installation path and service account (typically SYSTEM).
  2. Create a Junction Point: Using mklink /J, the attacker creates a junction inside a Nessus directory that points to a critical system protected location (e.g., `C:\Windows\System32\drivers\etc` or C:\Windows\System32\config\).
  3. Trigger the Vulnerability: The attacker forces the Nessus Agent service (running as SYSTEM) to perform a file deletion operation in the booby-trapped directory. The service deletes the OS-targeted file, corrupting system integrity or disabling a security mechanism.
  4. Payload Deployment & Execution: Once a specific critical file is missing, the attacker places a malicious binary in a location automatically executed by the system or a SYSTEM-trusted process, achieving arbitrary code execution with the highest privileges.

Verification Commands (Run as Administrator on the endpoint):

 1. Check Nessus Agent version
dir "C:\Program Files\Tenable\Nessus Agent\nessuscli.exe" /s /b
"C:\Program Files\Tenable\Nessus Agent\nessuscli.exe" -v

<ol>
<li>Detect potential junctions in the Nessus Agent directory that could be misused
dir /AL /S "C:\Program Files\Tenable\Nessus Agent"</p></li>
<li><p>Monitor real-time junction creation (using Sysinternals' Process Monitor)
Filter by Path: Contains "Nessus Agent" and Operation: "CreateFile"
and filter by Detail: Contains "ReparsePoint"

2. Patching and Hardening Step‑by‑step Guide

Tenable has addressed the vulnerability in Nessus Agent version 11.1.3 or later. Administrators must treat the patch deployment as a critical priority, especially on sensitive servers and workstations. The patch is available through the official Tenable Downloads Portal.

Step-by-step guide explaining what this does and how to use it:

Follow these steps to ensure full remediation:

  1. Verify Current Version: Log into the Windows endpoint and open a command prompt as Administrator.

2. Navigate to the Nessus Agent installation folder:

`cd “C:\Program Files\Tenable\Nessus Agent”`

3. Check the installed version:

`nessuscli.exe -v`

If the version is below 11.1.3, the system is vulnerable.
4. Download the Patch: Download the latest Nessus Agent installer (version 11.1.3 or higher) from the official Tenable Downloads Portal.

5. Apply the Update:

Run the installer (e.g., NessusAgent-11.1.3-x64.msi) with administrative privileges. Following the on-screen prompts or use the quiet installation switch for mass deployment: msiexec /i NessusAgent-11.1.3-x64.msi /qn.
6. Validate the Upgrade: After installation, re-run `nessuscli.exe -v` to confirm the version is now 11.1.3 or later.

7. Post-Patch Hardening:

  • Enforce strict access control lists (ACLs) on the Nessus Agent directory. Only the `SYSTEM` account and authorized administrators should have write access.
  • Use Windows Defender Attack Surface Reduction (ASR) rules to block the creation of symbolic links and junctions from untrusted processes.
  • Implement endpoint detection and response (EDR) to monitor for the creation of NTFS reparse points in sensitive application directories.

3. Detection and Continuous Monitoring

Beyond patching, continuous monitoring is essential to detect potential exploitation attempts or unauthorized junction creations in the environment.

Detection Queries and Hardening Commands:

Windows Event Log Monitoring (PowerShell):

 Query Security Event Log for Junction Creation (Event ID 4656 with specific attributes)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4656} | Where-Object {$_.Message -match "REPARSE_POINT"}

Sysinternals Autoruns for Nessus Service Integrity:

 Dump Nessus service binary path and ensure it's from a trusted location
Get-WmiObject Win32_Service | Where-Object {$_.Name -like "nessus"} | Format-List Name, PathName, StartName

Linux Alternative (If Nessus Agent is ported or WSL2):

 Check for unintended symbolic links in Nessus directories
find /opt/nessus_agent -type l -ls

What Undercode Say

  • Critical Asset Acknowledgment: The Nessus Agent is a trusted tool, often deployed with high privileges on the most sensitive servers. This vulnerability inverts that trust relationship, turning a security tool into a perfect privilege escalation vector for an attacker who already has a simple user account on the machine.
  • Patch Velocity as a Security Metric: The window between disclosure and exploitation by ransomware groups or APTs is shrinking. This vulnerability is trivial to weaponize and its high impact (SYSTEM compromise) makes it an attractive target. Organizations that do not patch within days, not weeks, will be prime targets.
  • “Junction” is the New “Link”: While symlink attacks are old, modern software continues to overlook NTFS junction validation. This incident is a clear reminder for developers that any privileged file operation must authenticate the target’s canonical path before acting. Relying on a path string is never sufficient.

Prediction

This vulnerability marks a significant shift in the threat model for vulnerability management tools. We predict a sharp rise in “offensive security tooling” where attackers will specifically hunt for and weaponize flaws in security software (agents, EDRs, scanners) to disable defenses and elevate privileges simultaneously. Over the next quarter, CVE-2026-33694 will be integrated into commodity exploitation frameworks, leading to widespread scanning for vulnerable Nessus Agents. Enterprises should expect ransomware groups to use this flaw as a standard component of their lateral movement toolkit, making immediate patch application the only viable defensive posture.

▶️ Related Video (80% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Cybersecuritynews Share – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky