A high-severity vulnerability exists in certain versions of Tenable Nessus products, allowing an authenticated attacker to execute arbitrary commands on the server. Successful exploitation could lead to a complete compromise of the vulnerability scanning infrastructure, enabling the attacker to steal sensitive credentials stored by Nessus and use the scanner to attack other systems within the network.

The vulnerability is an OS command injection flaw within the web interface of the affected products. An authenticated attacker with privileges to create or modify scan policies can inject specially crafted commands into certain input fields of the policy configuration. Due to improper input sanitization, these commands are executed by the underlying operating system with the same permissions as the Nessus service, which are often highly privileged.

This vulnerability is rated as High severity with a CVSS score of 8.4. A successful exploit would have a significant business impact, leading to a complete compromise of the organization's vulnerability management platform. Potential consequences include the theft of high-privilege credentials (e.g., domain administrator accounts, SSH keys, database passwords) used for authenticated scans, unauthorized access to sensitive vulnerability data, and the ability for an attacker to use the trusted Nessus scanner as a pivot point to launch further attacks against the internal network. This undermines the integrity of the security program and poses a direct risk to critical business systems.

Immediate Action: The primary remediation is to upgrade all affected Tenable products to a patched version as specified by the vendor. Organizations should consult the official Tenable advisory and immediately apply the necessary updates to eliminate the vulnerability.

Proactive Monitoring: Organizations should monitor for signs of compromise, including:

• Logs: Review Nessus audit logs for unusual or unauthorized modifications to scan policies. Check system-level logs on the Nessus server for unexpected processes being spawned by the nessusd or equivalent service.
• Network Traffic: Monitor for anomalous outbound network connections from the Nessus server to unknown or suspicious IP addresses, which could indicate a reverse shell.
• System Behavior: Utilize EDR or similar host-monitoring tools to detect abnormal command-line executions or file modifications originating from the Nessus application process.

Compensating Controls: If patching cannot be performed immediately, the following controls can help mitigate risk:

• Restrict administrative access to the Nessus web interface to a minimum number of trusted personnel.
• Enforce Multi-Factor Authentication (MFA) for all users accessing the Nessus console.
• Implement strict network segmentation to isolate the Nessus server, limiting its ability to communicate with non-essential systems.
• Place a Web Application Firewall (WAF) in front of the Nessus web interface to inspect and block malicious payloads indicative of command injection.

Public Exploit Available: False

Given the High severity rating (CVSS 8.4) and the critical role of the Tenable Nessus scanner within the security infrastructure, organizations must treat this vulnerability with high urgency. It is strongly recommended that organizations prioritize the immediate application of the vendor-supplied patches to all affected instances. While there is no known active exploitation, the potential for complete system compromise makes this an attractive target for threat actors. If patching is delayed, the compensating controls listed above should be implemented immediately to reduce the attack surface.