A high-severity vulnerability has been discovered in the installation and uninstallation process for the Nessus Agent Tray App on Windows systems. This flaw could allow a local attacker with standard user permissions to gain full administrative control over the affected computer. Successful exploitation would lead to a complete system compromise, enabling the attacker to steal data, install malware, and disrupt operations.

This is a local privilege escalation vulnerability affecting Windows hosts. The flaw exists within the installer/uninstaller component of the Nessus Agent Tray App. An authenticated attacker with low-level privileges on the local system can exploit this vulnerability by manipulating files or processes during an installation or uninstallation routine. For example, the attacker could place a malicious executable in a location where the installer, running with SYSTEM-level privileges, is expected to execute a legitimate file, leading to the execution of the attacker's code with elevated permissions.

This vulnerability is rated as High severity with a CVSS score of 8.8. If exploited, an attacker could escalate their privileges from a standard user to a full administrator or SYSTEM, effectively gaining complete control of the compromised host. This level of access would allow the threat actor to bypass security controls, access or exfiltrate sensitive data, install persistent malware such as ransomware or keyloggers, and use the compromised system as a pivot point to move laterally across the network, escalating the incident significantly.

Immediate Action: Apply the security updates provided by the vendor to all affected systems immediately. After patching, it is crucial to monitor systems for any signs of post-exploitation activity and review system and application access logs for unusual or unauthorized actions related to the affected software.

Proactive Monitoring: Organizations should configure security monitoring tools (e.g., SIEM, EDR) to detect and alert on suspicious activities. Key indicators to monitor include:

• Unexpected modifications to directories and files associated with the Nessus Agent.
• Unusual processes being executed by the Windows Installer service (msiexec.exe) or other installer/uninstaller processes.
• Creation of new local user accounts, especially those with administrative privileges.
• Anomalous system calls or file executions originating from the Nessus Agent Tray App process.

Compensating Controls: If immediate patching is not feasible, the following controls can help reduce risk:

• Restrict software installation and uninstallation privileges to a limited group of trusted administrators.
• Implement application whitelisting to prevent the execution of unauthorized executables in directories used by the installer.
• Enforce the principle of least privilege for all user accounts to limit the initial attack surface.

Public Exploit Available: false

Given the high CVSS score of 8.8 and the potential for complete system compromise, this vulnerability poses a significant risk to the organization. We strongly recommend that all system administrators prioritize the immediate deployment of the vendor-supplied security patches to all affected Windows hosts. Although there is no current evidence of active exploitation, the technical details will likely become public, increasing the probability of exploit development. Proactive patching is the most effective strategy to prevent potential exploitation by attackers who may have already established a foothold in the environment.