EUVD-2025-18396

CVE-2025-36632 | HIGH | CVSS 3.1: 7.8 | 2025-06-16

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 21:59 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 21:59 (euvd), EUVD-2025-18396
CVE Published: Jun 16, 2025 - 14:15 (nvd), HIGH 7.8

Description

In Tenable Agent versions prior to 10.8.5 on a Windows host, it was found that a non-administrative user could execute code with SYSTEM privilege.

Analysis

CVE-2025-36632 is a privilege escalation vulnerability in Tenable Agent for Windows (versions prior to 10.8.5) that allows a non-administrative local user to execute arbitrary code with SYSTEM-level privileges. It is a local privilege escalation (LPE) flaw of high severity (CVSS 7.8) that requires only local access and has low attack complexity. It represents a critical risk in multi-user Windows environments, where standard users could gain complete system control.

Technical Context

The vulnerability exists in Tenable Agent, an endpoint detection and response (EDR) / vulnerability assessment agent deployed on Windows systems. The root cause is classified under CWE-276 (Incorrect Default Permissions), indicating improper access controls on a critical system resource or service. Tenable Agent typically runs with elevated privileges to perform system-level vulnerability scanning and monitoring. The vulnerability allows privilege escalation from a standard user context to SYSTEM, suggesting one of: (1) an insecure service running as SYSTEM that can be exploited by unprivileged users, (2) improper file/registry permissions on agent components, or (3) insecure inter-process communication (IPC) mechanisms. The Local Attack Vector (AV:L) and Low Attack Complexity (AC:L) indicate the flaw is likely trivial to exploit once a user has local access: no special conditions or sophisticated techniques are required. The vulnerability affects Windows deployments specifically, as the advisory explicitly mentions 'Windows host.'

Affected Products

Tenable Agent for Windows, all versions prior to 10.8.5. The specific vulnerability is tied to the Windows platform (not Linux/macOS variants of the agent). Organizations should inventory all Tenable Agent installations on Windows across their infrastructure. Tenable Agent is commonly deployed in enterprise vulnerability management, threat detection, and compliance monitoring contexts. The scope of impact depends on deployment breadth—organizations with widespread Tenable Agent deployments face significant exposure. CPE would be of the form: cpe:2.3:a:tenable:tenable_agent:*:*:*:*:*:windows:*:* (versions < 10.8.5). Patch availability: Tenable has released version 10.8.5 as the remediated version.

Remediation

Immediate actions:

(1) Upgrade Tenable Agent to version 10.8.5 or later on all Windows systems. Tenable has provided a patched version; deployment should be prioritized.

(2) For systems that cannot be immediately patched, implement compensating controls: restrict local user access to systems running vulnerable Tenable Agent; disable or suspend non-essential local user accounts; use OS-level privilege policies to limit local user capability.

(3) Monitor for exploitation attempts: audit local code execution events, system-level process spawning, and unexpected SYSTEM-context processes originating from standard user sessions.

(4) Review Tenable advisories and security bulletins for detailed patch notes and deployment instructions.

(5) Test patches in a non-production environment before widespread rollout to ensure compatibility with monitoring requirements.

Recommended mandatory upgrade timeline: critical systems within 7 days, all systems within 30 days.
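The inventory and upgrade-timeline steps above can be turned into a triage list. The following is an added example, not part of the advisory or any Tenable tooling; the CSV columns, hostnames, tier names and the choice to count deadlines from a caller-supplied start date are assumptions.

```python
import csv
import io
from datetime import date, timedelta

FIXED = (10, 8, 5)                          # first remediated version per the advisory
SLA_DAYS = {"critical": 7, "standard": 30}  # timeline recommended in the remediation text

# Constructed sample inventory; hosts, columns and tiers are hypothetical.
SAMPLE_INVENTORY = """host,os,agent_version,tier
ws-001,windows,10.8.4,standard
dc-01,windows,10.7.3,critical
ws-002,windows,10.8.5,standard
build-07,linux,10.8.2,standard
ws-003,windows,10.10.0,standard
kiosk-9,windows,unknown,standard
"""

def parse_version(text):
    """Return a 3-int tuple, or None if the string is not a dotted numeric version."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def triage(inventory_csv, start):
    """Return (deadline, host, status) for Windows hosts needing action, soonest first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["os"].strip().lower() != "windows":
            continue  # the advisory covers the Windows agent only
        version = parse_version(row["agent_version"])
        # Tuple comparison is numeric per field, so 10.10.0 sorts above 10.8.5;
        # a plain string comparison would wrongly flag it as older.
        if version is not None and version >= FIXED:
            continue
        # An unparseable version is not proof of a fix: keep the host on the list.
        status = "vulnerable" if version is not None else "unverified"
        days = SLA_DAYS.get(row["tier"].strip().lower(), SLA_DAYS["standard"])
        findings.append((start + timedelta(days=days), row["host"], status))
    return sorted(findings)

if __name__ == "__main__":
    for due, host, status in triage(SAMPLE_INVENTORY, date(2025, 6, 16)):
        print(f"{due}  {host:10} {status}")
```

Hosts reporting an unreadable version stay on the list as "unverified" so they are checked by hand rather than silently treated as patched.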

Priority Score

39 (KEV: 0, EPSS: +0.0, CVSS: +39, POC: 0)
