Critical Nessus Vulnerability CVE-2025-36630 Allows SYSTEM File Overwrites on Windows | Patch Now

What’s the Issue?

Tenable has disclosed critical security flaws in its popular vulnerability scanner, Nessus, that affect all versions prior to 10.8.5. These vulnerabilities, especially the high-severity CVE-2025-36630, could allow non-admin attackers to escalate privileges to SYSTEM level by overwriting local files on Windows systems. The flaws stem from improper handling of log file content and vulnerabilities in key third-party libraries like libxml2 and libxslt.

Key Highlights

• CVE-2025-36630 enables local privilege escalation to SYSTEM level (CVSS: 8.4).

• Affects Nessus versions below 10.8.5 on Windows.

  
  

• Additional flaws: CVE-2025-6021 (libxml2) and CVE-2025-24855 (libxslt).

• Fix available: Update to Nessus 10.8.5 or newer.

Understanding the Core Vulnerability (CVE-2025-36630)

What is it?

A local privilege escalation vulnerability that allows low-privileged users to overwrite arbitrary files on a Windows system, potentially leading to full SYSTEM access.

How does it work?

Attackers use specially crafted log content to overwrite critical files. This happens because Nessus failed to validate file write operations securely, allowing users to manipulate file paths or locations through logging features.

Why is it critical?

Once SYSTEM privileges are gained, an attacker can:

• Install persistent malware

• Tamper with system configurations

• Access or destroy sensitive files

• Disable defenses and cover tracks

Third-Party Library Vulnerabilities

In addition to the main Nessus vulnerability, two more CVEs were disclosed:

Both components have now been updated and patched in Nessus version 10.8.5.

Real-World Impact and Exploitation

Even though this is a local vulnerability, it's extremely dangerous in environments where Nessus agents are deployed widely.

Potential attack scenarios:

• Red Team operators using this for post-exploitation privilege escalation.

• Malware leveraging it to disable endpoint protection tools.

• Insider threats exploiting this flaw to bypass standard user limitations.

The attack does not require user interaction, and the complexity is low, making it attractive for attackers.

Who Discovered It?

The vulnerability was responsibly disclosed by Rishad Sheikh, who notified Tenable on May 10, 2025. Tenable responded promptly and rolled out a fix in about two months.

Mitigation and Patch Guidelines

✅ Immediate Action Required:

• Upgrade Nessus to version 10.8.5 or 10.9.0

• Available on the Tenable Downloads Portal

 Recommended Mitigation Steps:

• Verify current Nessus version

• Schedule updates in your next maintenance window

• Monitor systems for unauthorized changes

• Audit logs for suspicious file path activity

Why It Matters

Nessus is a security tool — any vulnerability in it defeats its purpose. A compromised scanner becomes an attack surface instead of a defense layer.

This issue highlights:

• The importance of secure logging practices

• Risks of third-party component flaws

• Need for regular patch audits and version checks

Conclusion

While Tenable responded swiftly, organizations using Nessus must recognize that even security tools are not immune to being exploited. In an age where cyberattacks are more sophisticated than ever, applying updates like these is not optional — it’s essential.

Stay Ahead of Vulnerabilities

Make it a part of your cyber hygiene routine to:

• Monitor CVEs related to your security stack.

• Subscribe to vendor security bulletins.

• Set automated patch deployment schedules.

• Perform vulnerability scans on security tools themselves.

FAQs 

What is CVE-2025-36630 in Nessus?

CVE-2025-36630 is a Windows-specific vulnerability in Nessus that allows low-privileged users to overwrite local system files, leading to SYSTEM-level privilege escalation.

Which Nessus versions are affected by this vulnerability?

All Nessus versions prior to 10.8.5 are vulnerable to CVE-2025-36630 and related third-party component flaws.

How can attackers exploit CVE-2025-36630?

Attackers can craft malicious log content to overwrite arbitrary files, escalating privileges from a standard user to SYSTEM.

What is the severity score of CVE-2025-36630?

This vulnerability has a CVSS v3.1 base score of 8.4, indicating high severity.

Has Tenable released a patch for this vulnerability?

Yes, patches are available in Nessus versions 10.8.5 and 10.9.0 via the Tenable Downloads Portal.

Are there other vulnerabilities addressed in the latest update?

Yes, vulnerabilities in libxml2 (CVE-2025-6021) and libxslt (CVE-2025-24855) were also fixed in this update.

What is the impact of CVE-2025-6021?

It allows denial-of-service attacks via the XML parser used by Nessus, with a CVSS score of 6.5.

What is CVE-2025-24855 in libxslt?

CVE-2025-24855 is a flaw in the XSLT processor that could lead to file corruption or overwrite, scoring 7.8 on the CVSS scale.

What is the suggested mitigation for these Nessus vulnerabilities?

Upgrade immediately to Nessus 10.8.5 or 10.9.0 and verify all installations for vulnerable versions.

How does CVE-2025-36630 enable privilege escalation?

It lets users write malicious data to sensitive files typically restricted to SYSTEM-level users.

What platforms are affected by this vulnerability?

This flaw affects Nessus installations on Windows systems only.

Does this require administrative access to exploit?

No, exploitation is possible with low-privileged access and no user interaction.

What is the scope of the CVE-2025-36630 attack?

The scope is “changed,” meaning it allows a privilege escalation beyond the original user context.

Who discovered CVE-2025-36630?

It was discovered by Rishad Sheikh, a security researcher, and reported to Tenable in May 2025.

Is there any known exploit in the wild?

As of now, no public exploit has been reported, but exploitation is feasible.

How long does it take to exploit this vulnerability?

The attack is of low complexity and can be performed quickly by skilled attackers.

Can this vulnerability be remotely exploited?

No, CVE-2025-36630 requires local access to the affected system.

What are the risks of not patching Nessus?

Unpatched systems could be exploited to gain SYSTEM access, leading to full compromise.

How do I check my Nessus version?

Log in to Nessus, go to Settings > About, and check the current version number.

Is Tenable Agent affected by this vulnerability?

The advisory specifically targets the Nessus scanner; agents may require verification.

Is there a workaround if I can’t patch immediately?

No official workaround is suggested; immediate patching is the only effective mitigation.

What are the steps to upgrade Nessus?

Download the latest installer from Tenable, stop the service, install the update, and restart the service.

Can Nessus vulnerabilities be used in chained attacks?

Yes, privilege escalation flaws like this can serve as part of a larger attack chain.

Are other Tenable products affected?

No, this advisory is limited to Nessus for Windows.

Where can I find Tenable's security advisory?

You can access it from the Tenable Security Advisories page.

Should I notify my security team?

Yes, all Nessus users should be alerted and update immediately.

Is Linux or macOS Nessus affected?

No, this vulnerability is specific to the Windows version of Nessus.

Does the update require system reboot?

No reboot is required, but restarting Nessus service is necessary.

How often should Nessus be updated?

Tenable recommends updating Nessus as soon as a new version or security patch is released.

Can this vulnerability affect compliance scans?

Yes, if Nessus is compromised, scan integrity and reporting may be affected.

Will Nessus notify users of new CVEs?

Yes, Nessus updates often include built-in CVE detection and advisory updates.