CVE-2025-36640 Overview
A privilege escalation vulnerability has been identified in the installation and uninstallation process of the Nessus Agent Tray App on Windows Hosts. This flaw allows a local attacker with limited privileges to escalate their access to higher privilege levels during the software installation or removal workflow, potentially gaining administrative control over the affected system.
Critical Impact
Local attackers can exploit this vulnerability during Nessus Agent Tray App installation or uninstallation to gain elevated system privileges on Windows hosts.
Affected Products
- Tenable Nessus Agent Tray App for Windows (affected versions specified in vendor advisory)
Discovery Timeline
- 2026-01-13 - CVE-2025-36640 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-36640
Vulnerability Analysis
This vulnerability is classified under CWE-269 (Improper Privilege Management), indicating a fundamental flaw in how the Nessus Agent Tray App handles privilege levels during its installation and uninstallation processes. The attack requires local access to the target Windows host and takes advantage of improper privilege controls during software lifecycle operations.
The vulnerability exists specifically within the install/uninstall workflow of the Nessus Agent Tray App. During these operations, the software may execute with elevated privileges or fail to properly validate and restrict privilege levels, creating an opportunity for attackers to inject malicious operations that inherit these elevated privileges.
Root Cause
The root cause stems from improper privilege management (CWE-269) within the installation and uninstallation routines of the Nessus Agent Tray App. Windows installers often require administrative privileges to modify system directories, registry keys, and services. When these elevated operations are not properly isolated or when intermediate processes run with unnecessarily high privileges, local attackers can exploit these conditions to escalate their own privilege levels.
Attack Vector
The attack vector is local, meaning an attacker must already have some level of access to the target Windows system. The exploitation scenario involves:
- The attacker gains initial access to a Windows host with the Nessus Agent Tray App installed or pending installation
- The attacker waits for or triggers an installation or uninstallation event
- During the privileged installation/uninstallation process, the attacker exploits the improper privilege management flaw
- The attacker successfully escalates privileges beyond their initial access level
This type of vulnerability is particularly concerning in enterprise environments where the Nessus Agent is deployed across numerous endpoints for vulnerability scanning purposes. The exploitation mechanism during install/uninstall workflows can potentially allow attackers to move from low-privileged user access to SYSTEM-level privileges on Windows hosts.
Detection Methods for CVE-2025-36640
Indicators of Compromise
- Unexpected privilege escalation events during Nessus Agent Tray App installation or uninstallation processes
- Anomalous child processes spawned by the Nessus Agent installer with elevated privileges
- Suspicious modifications to system files or registry keys during Nessus Agent lifecycle operations
- Windows Security Event logs showing privilege changes correlated with Nessus Agent installation activities
Detection Strategies
- Monitor Windows Security Event logs (Event IDs 4624, 4672, 4688) for privilege escalation patterns during software installation events
- Implement application whitelisting to detect unauthorized executables spawned during Nessus Agent operations
- Deploy endpoint detection and response (EDR) solutions to monitor for suspicious process hierarchies during install/uninstall workflows
- Create alerts for unexpected SYSTEM-level process creation tied to Nessus Agent components
Monitoring Recommendations
- Configure centralized logging for all Nessus Agent installation and uninstallation activities across the enterprise
- Implement SentinelOne's behavioral AI to detect privilege escalation attempts during software lifecycle events
- Enable enhanced Windows audit policies for process creation and privilege use on systems with Nessus Agent deployed
- Regularly review and audit installation logs for anomalous behavior patterns
How to Mitigate CVE-2025-36640
Immediate Actions Required
- Review the Tenable Security Advisory for specific version information and apply available patches
- Limit installation and uninstallation privileges to trusted administrators only
- Implement additional access controls on systems where Nessus Agent is deployed
- Monitor for any suspicious activity during Nessus Agent software lifecycle operations until patches are applied
Patch Information
Tenable has released a security advisory addressing this vulnerability. Organizations should consult the Tenable Security Advisory (TNS-2026-01) for specific patch versions and upgrade instructions. It is recommended to update to the latest version of the Nessus Agent Tray App that addresses this privilege escalation vulnerability.
Workarounds
- Restrict local access to systems where Nessus Agent installation/uninstallation may occur to trusted personnel only
- Implement the principle of least privilege for all user accounts on Windows hosts with Nessus Agent
- Consider temporarily disabling or removing the Nessus Agent Tray App component if not operationally required until patching is complete
- Use application control policies to prevent unauthorized modifications during software lifecycle events
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
