Arbitrary Code Execution Vulnerability in Nessus, CVE-2026-33694

Summary

The Centre for Cybersecurity Belgium published a critical security warning on 27 April 2026 for CVE-2026-33694, a vulnerability affecting Nessus Agent <= 11.1.2 and Nessus <= 10.11.3 on Windows systems. The flaw, rated CVSS 7.4, allows an authenticated attacker to delete arbitrary files with SYSTEM privileges and potentially execute arbitrary code with elevated privileges. The CCB strongly recommends installing updates with the highest priority after thorough testing, and advises organisations to upscale monitoring and detection capabilities to identify suspicious activity.

“The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.”

CCB, verbatim from source
Published by CCB on ccb.belgium.be. Detected, standardized, and enriched by GovPing.

What changed

CCB issued a security advisory disclosing CVE-2026-33694, an arbitrary code execution vulnerability in Tenable Nessus and Nessus Agent on Windows platforms, affecting Nessus at or below version 10.11.3 and Nessus Agent at or below version 11.1.2. The vulnerability carries a CVSS 4.0 score of 7.4 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H) and enables authenticated attackers to delete arbitrary files with SYSTEM privileges, potentially facilitating arbitrary code execution at elevated privilege levels.

Organisations running affected Nessus deployments on Windows must treat this as a priority patching event. While the application is typically not publicly exposed, local or network access sufficient to exploit the flaw can lead to full system compromise with high impact on confidentiality, integrity, and availability. CCB recommends immediate patching after thorough testing and enhanced monitoring for signs of exploitation.

What to do next

  1. Patch vulnerable Nessus installations to the latest version immediately after testing
  2. Upscale monitoring and detection capabilities to identify suspicious activity related to this vulnerability
  3. Report any intrusion to CCB via the incident reporting portal
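
To scope step 1, an inventory export can be checked against the affected ranges the advisory lists (Nessus Agent <= 11.1.2 and Nessus <= 10.11.3, Windows only). The following is an added example, not code from CCB, Tenable or GovPing; the CSV column names, host names and sample versions are constructed assumptions.

```python
import csv
import io
import re

# Inclusive upper bounds of the affected ranges, as listed in the CCB advisory.
AFFECTED_MAX = {"nessus agent": (11, 1, 2), "nessus": (10, 11, 3)}

# Constructed sample inventory; columns, hosts and versions are assumptions.
SAMPLE_INVENTORY = """host,os,product,version
scan01,Windows Server 2022,Nessus,10.11.3
scan02,Ubuntu 24.04,Nessus,10.9.0
ws-114,Windows 11,Nessus Agent,11.1.2
ws-115,Windows 11,Nessus Agent,11.2.0
ws-116,Windows 10,Nessus Agent,unknown
db-07,Windows Server 2019,Nessus Agent,10.8.4 (build 20012)
"""

def parse_version(text):
    """Return (major, minor, patch), or None if no dotted version is present."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(part or 0) for part in m.groups())

def classify(row):
    """Return 'affected', 'not listed' or 'review' for one inventory row."""
    limit = AFFECTED_MAX.get(row["product"].strip().lower())
    # The advisory covers only Nessus and Nessus Agent running on Windows.
    if limit is None or "windows" not in row["os"].lower():
        return "not listed"
    version = parse_version(row["version"])
    if version is None:
        return "review"  # version missing or unreadable: verify on the host
    return "affected" if version <= limit else "not listed"

def triage(inventory_csv):
    """Map each host name to its classification."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row) for row in reader}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:8} {status}")
```

Rows marked `review` have no usable version string and should be checked on the host rather than assumed safe.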

Archived snapshot

Apr 28, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

Warning: Arbitrary code execution vulnerability in Nessus can be exploited to elevate privileges, Patch Immediately!

Published: 27/04/2026

  • Last update: 27/04/2026
  • Affected software:
      → Nessus Agent <= 11.1.2
      → Nessus <= 10.11.3
  • Type: Arbitrary code execution, deletion of arbitrary files
  • CVE/CVSS:
      → CVE-2026-33694: CVSS 7.4 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P)

Sources

Tenable security advisory - https://www.tenable.com/security/tns-2026-12
Tenable security advisory - https://www.tenable.com/security/tns-2026-13

Risks

Nessus running on a Windows system can be vulnerable to the deletion of arbitrary files with the highest privileges. This condition can allow attackers to potentially facilitate arbitrary code execution with elevated privileges, resulting in malicious code being executed. The Nessus application is typically not publicly exposed so an attacker would need local (network) access to exploit this vulnerability. Attackers can target these vulnerable systems to escalate their privileges and further attack other internal systems. A full compromise can have a high impact on the confidentiality, integrity, and availability of the system.

Description

CVE-2026-33694 is a vulnerability in the Nessus applications on Windows including the Nessus Agent, where an attacker can enable the deletion of arbitrary files with SYSTEM privileges. This condition could potentially facilitate arbitrary code execution on the affected system with SYSTEM privileges.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

NIST NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-33694

About this page

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from CCB.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Classification

Agency: CCB
Published: April 27th, 2026
Instrument: Guidance
Branch: Executive
Legal weight: Non-binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Technology companies, Government agencies, Organizations
Industry sector: 5112 Software & Technology
Activity scope: Vulnerability patching, Security monitoring, Incident reporting
Geographic scope: Belgium (BE)

Taxonomy

Primary area: Cybersecurity
Operational domain: IT Security
Compliance frameworks: NIST CSF
Topics: Data Privacy, Consumer Protection
