CVE-2022-28291

MEDIUM

Tenable Nessus - Insufficiently Protected Credentials

Title source: rule

Description

Insufficiently Protected Credentials: An authenticated user with debug privileges can retrieve stored Nessus policy credentials from the “nessusd” process in cleartext via process dumping. The affected products are all versions of Nessus Essentials and Professional. The vulnerability allows an attacker to access credentials stored in Nessus scanners, potentially compromising its customers’ network of assets.

References (1)

[Exploit, Third Party Advisory] https://cybersecurityworks.com/blog/zero-days/csw-expert-discovers-a-zero-day-vulnerability-in-tenables-nessus-scanner.html

Scores

CVSS v3 6.5

EPSS 0.0027

EPSS Percentile 50.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-522

Status published

Affected Products (1)

tenable/nessus

Timeline

Published Oct 17, 2022

Tracked Since Feb 18, 2026