CVE-2026-2026 Overview
A vulnerability has been identified in Tenable Nessus Agent where weak file permissions in the Nessus Agent directory on Windows hosts could allow unauthorized access, potentially permitting Denial of Service (DoS) attacks. This Insecure Permissions vulnerability (CWE-276) affects the local file system configuration of Nessus Agent installations on Windows operating systems.
Critical Impact
Local attackers with low privileges can exploit weak file permissions in the Nessus Agent directory to cause a Denial of Service condition, disrupting vulnerability scanning capabilities and potentially leaving systems unmonitored.
Affected Products
- Tenable Nessus Agent for Windows (vulnerable versions prior to patch)
Discovery Timeline
- February 13, 2026 - CVE-2026-2026 published to NVD
- February 13, 2026 - Last updated in NVD database
Technical Details for CVE-2026-2026
Vulnerability Analysis
This vulnerability stems from Incorrect Default Permissions (CWE-276) in the Nessus Agent installation directory on Windows systems. When the Nessus Agent is installed, the directory permissions are configured in a way that grants excessive access to local users beyond what is necessary for normal operation.
The local attack vector means an attacker must have existing access to the Windows host where Nessus Agent is installed. While the confidentiality impact is limited, the availability impact is high, meaning attackers can significantly disrupt the Nessus Agent service. This could prevent the agent from performing vulnerability scans, reporting to Tenable.io or Nessus Manager, and potentially leave security gaps in an organization's vulnerability management program.
Root Cause
The root cause of CVE-2026-2026 is the assignment of incorrect default permissions during the Nessus Agent installation process on Windows hosts. The installation routine fails to properly restrict access to the Nessus Agent directory structure, allowing local users with low privileges to interact with files and directories they should not have access to.
This permissive configuration violates the principle of least privilege, where file system objects should only be accessible to the users and processes that require them for legitimate operations. In this case, the Nessus Agent service account and administrative users should be the only entities with write access to these directories.
Attack Vector
The attack requires local access to a Windows host where Nessus Agent is installed. An attacker with low-privilege access to the system can leverage the weak file permissions to:
- Modify or delete critical Nessus Agent files
- Corrupt configuration files required for agent operation
- Interfere with the agent's communication with its management server
- Cause the Nessus Agent service to crash or become unresponsive
The vulnerability can be exploited through standard Windows file system operations without requiring elevated privileges, making it accessible to any authenticated local user on the affected system.
Detection Methods for CVE-2026-2026
Indicators of Compromise
- Unexpected modifications to files within the Nessus Agent installation directory
- Nessus Agent service failures or unexpected restarts
- Missing or corrupted Nessus Agent configuration files
- Audit logs showing unauthorized access attempts to C:\Program Files\Tenable\Nessus Agent\ or similar installation paths
Detection Strategies
- Implement file integrity monitoring (FIM) on the Nessus Agent installation directory to detect unauthorized changes
- Configure Windows Security Event logging to capture file access events (Event IDs 4656, 4663) on the Nessus Agent directory
- Monitor for Nessus Agent service disruptions through Windows Event Log service control events (Event ID 7034, 7036)
- Establish baseline permissions for the Nessus Agent directory and alert on deviations
Monitoring Recommendations
- Enable detailed file system auditing on the Nessus Agent installation directory using Windows Advanced Audit Policy Configuration
- Configure alerting for repeated Nessus Agent service failures or restarts
- Monitor for agent check-in failures from the Tenable.io or Nessus Manager console
- Review local user access patterns to the Nessus Agent directory periodically
How to Mitigate CVE-2026-2026
Immediate Actions Required
- Review and verify the current permissions on the Nessus Agent installation directory using icacls
- Restrict directory permissions to only the SYSTEM account, local Administrators, and the Nessus Agent service account
- Update Nessus Agent to the patched version as specified in the Tenable Security Advisory
- Audit systems for any signs of exploitation or unauthorized file modifications
Patch Information
Tenable has released a security update to address this vulnerability. Organizations should update their Nessus Agent installations to the latest version as documented in the Tenable Security Advisory TNS-2026-05. The patch corrects the file permission assignments during installation and provides guidance for remediating existing installations.
Workarounds
- Manually correct the file permissions on the Nessus Agent directory to restrict access to authorized accounts only
- Implement host-based intrusion prevention rules to monitor and block unauthorized access to the Nessus Agent directory
- Consider using Group Policy to enforce proper file permissions on Nessus Agent directories across the enterprise
- Limit local user access on systems running Nessus Agent where possible
# Windows PowerShell - Review and correct Nessus Agent directory permissions
# Check current permissions
icacls "C:\Program Files\Tenable\Nessus Agent"
# Remove inherited permissions and set restrictive ACLs
icacls "C:\Program Files\Tenable\Nessus Agent" /inheritance:r
icacls "C:\Program Files\Tenable\Nessus Agent" /grant:r "SYSTEM:(OI)(CI)F"
icacls "C:\Program Files\Tenable\Nessus Agent" /grant:r "Administrators:(OI)(CI)F"
icacls "C:\Program Files\Tenable\Nessus Agent" /grant:r "NT SERVICE\Tenable Nessus Agent:(OI)(CI)RX"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
