- 169/2025
- High
Tenable has released security updates to address several vulnerabilities across Tenable Patch Management and third-party components (sqlite, ua-parser-js, libxml2, libxslt, Erlang OTP, Curl, nodeJS, and .NET) that are used by multiple Tenable products.
The addressed vulnerabilities could allow the attacker to perform denial-of-service attacks, conduct man-in-the-middle and spoofing attacks, manipulate data, gain elevated privileges, or traverse directories on the affected system.
Sample of addressed vulnerabilities:
1. Tenable Agent Privilege Escalation Vulnerability (CVE-2025-36633):
- CVSS: 8.8
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Gain Privilege
2. Tenable Patch Management SQL injection Vulnerability (CVE-2025-8096):
- CVSS: 8.6
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Data Manipulation
The Affected Products:
- Tenable Patch Management 9.2.967.22 and earlier.
- Tenable Identity Exposure 3.77.11 and earlier.
- Nessus 10.8.4 and earlier.
- Tenable Security Center versions 6.4.0, 6.4.5, 6.5.1.
- Nessus Agent 10.8.4 and earlier.
Vulnerabilities
- CVE-2025-36632
- CVE-2025-36633
- CVE-2022-25927
- CVE-2025-29087
- CVE-2025-3277
- CVE-2025-6021
- CVE-2025-24855
- CVE-2025-36630
- CVE-2025-4748
- CVE-2025-4947
- CVE-2025-5025
- CVE-2025-5399
- CVE-2025-23167
- CVE-2025-30399
- CVE-2025-8096
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.