Skip to main content

Nessus Network Monitor CVE-2025-24916

HIGH
Improper Access Control (CWE-284)
2025-05-23 vulnreport@tenable.com
7.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 28, 2026 - 18:43 vuln.today
CVE Published
May 23, 2025 - 16:15 nvd
HIGH 7.0

DescriptionCVE.org

When installing Tenable Network Monitor to a non-default location on a Windows host, Tenable Network Monitor versions prior to 6.5.1 did not enforce secure permissions for sub-directories. This could allow for local privilege escalation if users had not secured the directories in the non-default installation location.

AnalysisAI

When installing Tenable Network Monitor to a non-default location on a Windows host, Tenable Network Monitor versions prior to 6.5.1 did not enforce secure permissions for sub-directories. Rated high severity (CVSS 7.0). No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-284. When installing Tenable Network Monitor to a non-default location on a Windows host, Tenable Network Monitor versions prior to 6.5.1 did not enforce secure permissions for sub-directories. This could allow for local privilege escalation if users had not secured the directories in the non-default installation location. Affected products include: Tenable Nessus Network Monitor. Version information: prior to 6.5.1.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2021-3711 CRITICAL
9.8 Aug 24

In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Rated cri

CVE-2023-5622 HIGH
8.8 Oct 26

Under certain conditions, Nessus Network Monitor could allow a low privileged user to escalate privileges to NT AUTHORIT

CVE-2023-5623 HIGH
7.8 Oct 26

NNM failed to properly set ACLs on its installation directory, which could allow a low privileged user to run arbitrary

CVE-2020-5794 HIGH
7.8 Nov 06

A vulnerability in Nessus Network Monitor versions 5.11.0, 5.11.1, and 5.12.0 for Windows could allow an authenticated l

CVE-2021-23840 HIGH
7.5 Feb 16

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases

CVE-2021-3450 HIGH
7.4 Mar 25

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain.

CVE-2023-5624 HIGH
7.2 Oct 26

Under certain conditions, Nessus Network Monitor was found to not properly enforce input validation. Rated high severity

CVE-2020-1971 MEDIUM
5.9 Dec 08

The X.509 GeneralName type is a generic type for representing different types of names. Rated medium severity (CVSS 5.9)

CVE-2021-3449 MEDIUM
5.9 Mar 25

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. Rated med

CVE-2021-23841 MEDIUM
5.9 Feb 16

The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer

CVE-2024-9158 MEDIUM
4.6 Sep 30

A stored cross site scripting vulnerability exists in Nessus Network Monitor where an authenticated, privileged local at

CVE-2025-24917 HIGH
7.8 May 23

In Tenable Network Monitor versions prior to 6.5.1 on a Windows host, it was found that a non-administrative user could

Share

CVE-2025-24916 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy