Recent security assessments have uncovered two significant vulnerabilities in Tenable Network Monitor, a tool widely used for passive network traffic analysis. These flaws, identified as CVE-2025-24916 and CVE-2025-24917, pose serious risks by enabling local privilege escalation on Windows systems.
Understanding the Vulnerabilities
CVE-2025-24916 affects installations of Tenable Network Monitor on Windows systems where the software is deployed to non-default directories. In such cases, versions prior to 6.5.1 fail to enforce secure permissions for sub-directories. This oversight allows local attackers to exploit improper access controls (CWE-284), potentially escalating their privileges within the system.
CVE-2025-24917 presents a more severe threat. It permits non-administrative users to place malicious files in local directories and execute arbitrary code with SYSTEM privileges. This vulnerability enables attackers to escalate from low-privileged user accounts to full system control, compromising the entire Windows host. The attack requires local access but no user interaction, making it particularly dangerous in shared environments.
Technical Details and Impact
The vulnerabilities have been assigned high severity ratings, with CVSS scores of 7.0 for CVE-2025-24916 and 7.8 for CVE-2025-24917. The table below summarizes the affected products, impact, prerequisites, and CVSS scores:
| CVE Identifier | Affected Products | Impact | Exploit Prerequisites | CVSS 3.1 Score |
|—————-|——————-|——–|———————–|—————-|
| CVE-2025-24916 | Tenable Network Monitor <6.5.1 on Windows hosts with non-default installations | Local privilege escalation | Local access, installation to non-default directory without manual permission fixes | 7.0 (High) |
| CVE-2025-24917 | Tenable Network Monitor <6.5.1 on Windows hosts | Arbitrary code execution with SYSTEM privileges | Local access, ability to write files to unsecured application directories | 7.8 (High) |
Third-Party Component Updates
In addition to addressing these vulnerabilities, Tenable Network Monitor version 6.5.1 includes updates to several third-party libraries to mitigate known security issues. The updated components are:
- OpenSSL version 3.0.16
- expat 2.7.0
- curl 8.12.0
- libpcap 1.10.5
- libxml2 2.13.8
These updates are crucial for maintaining the integrity of Tenable Network Monitor's deep packet inspection capabilities, which are essential for passive vulnerability detection.
Recommendations for Users
Tenable strongly advises all organizations using Tenable Network Monitor on Windows platforms to upgrade to version 6.5.1 immediately. The updated installation files are available through the Tenable Downloads Portal.
Administrators should ensure that proper Access Control Lists (ACLs) are enforced on all installation directories, especially when the software is installed in non-default locations. This practice is vital to prevent unauthorized access and potential exploitation of system vulnerabilities.
Conclusion
The discovery of CVE-2025-24916 and CVE-2025-24917 underscores the importance of regular software updates and vigilant security practices. By promptly upgrading to Tenable Network Monitor version 6.5.1 and adhering to recommended security measures, organizations can safeguard their systems against these critical vulnerabilities.
