Tenable A.I CyberSecurity Scoring
Tenable
Company Information
Website: http://www.tenable.com
Number of employees: 2,355
Number of followers: 193,459
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: tenable.com
Tenable Risk Score (AI oriented)
Between 600 and 649
Tenable, Computer and Network Security
Updated: 27/04/2026
645/1000
Poor
Caa
4 incidents
-32.75 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
653
MAY 2026
650
APRIL 2026
650
Vulnerability
27 Apr 2026 • Tenable
Tenable: Nessus Agent Vulnerability on Windows Enables Arbitrary Code Execution with SYSTEM Privileges
Critical Privilege Escalation Flaw in Tenable’s Nessus Agent for Windows Exposes Systems to Full Takeover
645
CRITICAL-5
TEN1777263819
A newly disclosed vulnerability in Tenable’s Nessus Agent for Windows allows attackers to execute malicious code with SYSTEM-level privileges, the highest access level in Windows, posing a severe risk to enterprise security. The flaw, classified as a symlink (junction) attack, enables threat actors with local access to manipulate the agent’s file operations, leading to arbitrary file deletion and, ultimately, full arbitrary code execution.
### How the Exploit Works
The vulnerability exploits a privilege escalation weakness in the Nessus Agent service. By creating a malicious Windows junction (a symbolic link that redirects file operations), an attacker can trick the agent into deleting critical system files. Once the operating environment is corrupted, the attacker can deploy a malicious payload that executes with SYSTEM privileges, granting unrestricted control over the machine. This includes the ability to install rootkits, disable security tools, and persist across reboots.
### Impact and Risk
The flaw affects Nessus Agent installations on Windows, particularly in enterprise environments where the agent is deployed for continuous vulnerability scanning. Since Nessus Agents are often installed on high-value servers and workstations, successful exploitation could lead to catastrophic security breaches, including lateral movement within networks and compromise of sensitive systems.
### Patch and Mitigation
Tenable has released Nessus Agent version 11.1.3, which addresses the vulnerability. The company urges all users to upgrade immediately, emphasizing that timely patching is critical to reducing exposure. The fix follows responsible disclosure practices, with Tenable maintaining active collaboration with security researchers to ensure rapid vulnerability resolution.
Security teams are advised to prioritize this update, especially in environments where Nessus Agents run on internet-facing or high-value Windows systems.
MARCH 2026
648
FEBRUARY 2026
646
JANUARY 2026
704
DECEMBER 2025
707
Vulnerability
23 Dec 2025 • Tenable
Tenable and LevelBlue: LevelBlue Integrates Unlimited Tenable Vulnerability Scanning Into Its USM Platform
702
LOW-5
TENLEV1766519861
LevelBlue Expands Tenable Partnership to Offer Unlimited Vulnerability Scanning at No Extra Cost
LevelBlue has deepened its collaboration with Tenable, now providing unlimited enterprise-grade vulnerability scanning for all customers using its Unified Security Management (USM) platform—without additional fees. The move aims to address a persistent challenge in vulnerability management: not the lack of scanning, but the ability to act on findings effectively.
While unlimited scanning increases visibility, the real shift lies in prioritization, remediation, and operational execution. The USM platform enhances raw scan data with advanced filtering, categorization, and risk-based prioritization, helping teams focus on critical vulnerabilities. Automated executive reporting also tracks risk posture over time, aiding compliance and leadership oversight.
For organizations requiring broader coverage—such as attack surface monitoring (ASM), OT, web applications, or dark web exposure—LevelBlue offers a seamless upgrade to its fully managed vulnerability program. Since the scanner is pre-configured, migration involves only a license change, reducing operational friction.
Customers retain flexibility: they can keep existing Tenable licenses (via bi-directional integration with Tenable One or Security Center) or consolidate under the embedded USM scanner, simplifying vendor management and potentially lowering costs. Managed delivery options further streamline operations, allowing LevelBlue to handle Tenable instances while maintaining client visibility.
The integration also reshapes how MSSPs and partners package vulnerability services. By embedding enterprise-grade scanning at no extra cost, LevelBlue shifts scanning from a premium add-on to a baseline capability. This approach contrasts with competitors who treat vulnerability scanning as an incremental expense, instead positioning it as part of a unified security stack.
Beyond scanning, the update emphasizes exposure management—correlating Tenable findings with live detections, contextual prioritization, and end-to-end remediation tracking. The result is a continuous, actionable view of risk, moving beyond static reports to real-time reduction of exposure.
For security teams and service providers, the change signals a broader industry trend: reducing tool sprawl while improving outcomes through tighter integration between vulnerability data and security operations.
NOVEMBER 2025
709
OCTOBER 2025
702
Breach
21 Oct 2025 • Tenable
Salesloft
Salesloft-Drift OAuth Token Breach
639
CRITICAL-63
DRI1593115102125
The Salesloft-Drift OAuth incident involved attackers stealing OAuth tokens from Salesloft’s development platform, exploiting them to access customer data across integrated applications like Salesforce and Google Workspace. The breach, executed by the threat group UNC6395, leveraged voice phishing (vishing) to trick administrators into authorizing malicious apps, bypassing multi-factor authentication (MFA). Over 700 organizations were impacted as the compromised tokens enabled attackers to exfiltrate sensitive customer information, leading to widespread revocation of Drift integrations. The incident exposed systemic risks in SaaS supply chains, where trusted third-party integrations became attack vectors, enabling potential data theft, cloud credential abuse, outages, or ransomware. Beyond immediate data exposure, the breach triggered forensic investigations, regulatory fines, lawsuits, reputational damage, and operational disruptions, highlighting the cascading risks of N-th degree vendor dependencies in modern cybersecurity ecosystems.
SEPTEMBER 2025
763
Breach
08 Sep 2025 • Tenable
Tenable
SalesDrift Supply Chain Attack Targeting Salesforce Customer Data via OAuth Token Theft
705
MEDIUM-58
TEN3532135090825
Tenable, a vulnerability assessment firm, was impacted by the SalesDrift supply chain attack targeting Salesforce customer data. An unauthorized user exploited stolen OAuth authentication tokens linked to the Salesloft Drift third-party application (integrated with Salesforce) to gain access to a portion of Tenable’s Salesforce instance.

The compromised data included customer support case details (subject lines, initial descriptions) and business contact information (names, email addresses, phone numbers, and location references). While Tenable confirmed no misuse of the stolen data and stated its products and internal systems remained unaffected, the breach exposed sensitive customer interaction records and corporate contact details.

Tenable responded by disabling Salesloft Drift, revoking integrations, rotating credentials, and hardening its Salesforce environment. The incident highlights risks in third-party supply chain vulnerabilities, where attackers leverage trusted vendor access to infiltrate enterprise systems. Though no direct financial or operational harm was reported, the exposure of customer support metadata and business contacts poses reputational and phishing risks.
AUGUST 2025
763
JULY 2025
763