Skip to main content

Tenable Agent EUVDEUVD-2026-43701

| CVE-2026-15265 CRITICAL
Path Traversal (CWE-22)
2026-07-14 tenable GHSA-h23h-6wgx-rvw7
9.4
CVSS 4.0 · Vendor: tenable
Share

Severity by source

Vendor (tenable) PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.1 CRITICAL

Privileged control over the plugin input is required (PR:H) and traversal is straightforward (AC:L); the write executes as a higher-privileged service crossing a trust boundary, so S:C with full C/I/A impact.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (tenable).

CVSS VectorVendor: tenable

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jul 14, 2026 - 15:38 vuln.today
CVSS changed
Jul 14, 2026 - 15:22 NVD
9.1 (CRITICAL) 9.4 (CRITICAL)
CVE Published
Jul 14, 2026 - 15:02 cve.org
CRITICAL 9.4

DescriptionCVE.org

A path traversal vulnerability in Tenable Agent 11.2.0 and 11.1.3 and lower allows a privileged attacker to write arbitrary files outside the intended plugin directory, potentially leading to remote code execution.

AnalysisAI

Arbitrary file write via path traversal in Tenable Agent 11.2.0 and 11.1.3 and earlier lets a privileged attacker escape the intended plugin directory and drop files at attacker-chosen paths, potentially escalating to remote code execution. The flaw is vendor-reported (Tenable TNS-2026-18) and affects the endpoint scanning agent that typically runs with elevated/service privileges. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain privileged control of agent plugin input
Delivery
Craft plugin package with '../' traversal
Exploit
Agent writes file outside plugin directory
Execution
Malicious file lands in executed path
Persist
Privileged agent loads file
Impact
Execute code as agent service account

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already hold high privileges (CVSS PR:H) over the agent's file-write path - specifically the ability to supply or manipulate the plugin content/directory that Tenable Agent 11.2.0 or 11.1.3-and-lower unpacks, such as control of the linked management controller or a privileged local position on the host. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score is 9.4 (Critical) with vector AV:N/AC:L/AT:N/PR:H/UI:N and high impact to both the vulnerable system (VC/VI/VA:H) and subsequent systems (SC/SI/SA:H), reflecting a scope-changing compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has gained privileged control over an agent's update/plugin input (for example a compromised management link or local privileged foothold) supplies a plugin package containing '../' path components, causing the agent to write a malicious file outside the plugin directory into an auto-executed location. When that file is subsequently loaded by the privileged agent process, the attacker's code runs with the agent's elevated rights. …
Remediation Upgrade Tenable Agent to the fixed release identified in Tenable's advisory TNS-2026-18 (https://www.tenable.com/security/tns-2026-18) - the input data names 11.2.0 and 11.1.3-and-lower as vulnerable but does not include an exact fixed version string, so confirm the patched build number directly from that advisory before deploying (do not assume a version). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Tenable Agent installations and document deployed versions across your infrastructure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43701 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy