Tenable Nessus Agent Arbitrary File Deletion via Symbolic Link (CVE-2026-33694)

[R1] Nessus Agent Version 11.1.3 Fixes Arbitrary File Deletion Vulnerability Overview A vulnerability was discovered in Nessus Agent on Windows that allows an attacker to create symbolic links (junctions) and thereby delete arbitrary files with SYSTEM privileges. This may lead to arbitrary code execution, enabling the attacker to run malicious code with elevated permissions. CVE ID: CVE-2026-33694 Tenable Advisory ID: TNS-2026-12 Risk Factor: High CVSSv3 Base / Temporal Score: 8.2 / 7.4 CVSSv4 Base Score: 7.4 CWE: CWE-59: Improper Link Resolution Before File Access ("Link Following") Affected Scope Nessus Agent 11.1.2 and earlier versions Remediation Upgrade to Nessus Agent 11.1.3 to address this issue. Installation files are available from the Tenable Downloads Portal (path: nessus-agents). Disclosure Timeline 2025-12-29: Report received by Tenable. 2026-02-18: Report accepted by Tenable. 2026-03-23: CVE ID requested / CVSS score calculated. 2026-04-23: Nessus Agent 11.1.3 released. Recommendations Tenable takes product security very seriously. If you believe you have discovered a vulnerability in a Tenable product, please contact us as soon as possible so we can respond quickly and resolve the issue. For more information, see the Vulnerability Reporting Guidelines.

Goal Reached Thanks to every supporter — we hit 100%!

Tenable Nessus Agent Arbitrary File Deletion via Symbolic Link (CVE-2026-33694)