Securin Zero Days
    Medium · CVSS 6.5 · EPSS 0.00209%

    Sensitive Information Disclosure in Tenable Nessus Scanner

    Insufficiently Protected Credentials: An authenticated user with debug privileges can retrieve stored Nessus policy credentials from the nessusd process in cleartext via process dumping. The affected products are all versions of Nessus Essentials and Professional. The vulnerability allows an attacker to access credentials stored in Nessus scanners, potentially compromising its customers' network of assets.

    CVE ID: CVE-2022-28291
    CVSS v3.1: 6.5 Medium
    Vendor: Tenable
    CWE: CWE-522
    Disclosed: May 2, 2022
    Status: Pending Fix
    • 01 Description
    • 02 Proof of Concept
    • 03 Impact
    • 04 Remediation
    • 05 Timeline
    • 06 References
    01/Description

    What this actually is.

    Technical background, root cause, and affected surface.

    An authenticated user with debug privileges can retrieve stored Nessus policy credentials from the “nessusd” process in cleartext via process dumping. The affected products are all versions of Nessus Essentials and Professional. The vulnerability allows an attacker to access credentials stored in Nessus scanners, potentially compromising its customers’ network of assets.

    Vendor: Tenable
    Affected Product: Nessus Professional
    CVE: CVE-2022-28291
    Securin ID: -
    Status: Pending Fix
    Date: May 2, 2022
    Severity: Medium
    CVSS Score: 6.5
    Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    CWE: CWE-522
    02/Proof of Concept

    From one request
    to root shell.

    Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

    CVSS 3.1: 6.5
    Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    Scope: Unchanged
    Impact: C:H / I:N / A:N
    Severity: Medium

    We tested this vulnerability on Tenable’s Nessus Professional 10.1.1 (#61) on Windows.

    PoC · Exploitation Steps

    01 Figure 1: Creating the Nessus Policy with the Windows Credential Type
    02 Figure 2: Creating the Process Dump of the “nessusd” Process
    03 Figure 3: Created the Process Dump of the “nessusd” Process
    04 Figure 4: Parsing the DMP File Using Strings and Extracting Credentials
    05 Figure 5: The Nessus Policy-Stored Windows Credentials Retrieved in Cleartext
    03/Impact

    What an attacker does to you.

    Post-exploitation outcomes mapped to CVSS impact metrics.

    Medium: An attacker can retrieve credentials stored in Nessus policies in cleartext from the “nessusd” process.

    Medium: An attacker can potentially compromise corresponding assets, internal domains, and networks with the retrieved credentials.

    High: With disclosed credentials, an attacker can potentially compromise an organization's associated assets and networks.

    04/Remediation

    Fix it. In this order.

    A runbook, not a checklist. Sequence matters — assume compromise before you act.

    01 Encrypt data in memory so that retrieving information through process dumping requires decryption.

    02 Developers need to find a way to clear the memory location of the sensitive data to prevent persistent attacks on main memory.

    03 Developers need to ensure the memory location cannot be accessed by other applications, i.e., that attempts by other processes to read or write it are blocked.
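One way to apply remediation steps 02 and 03 above, shown as an added C example for Linux (not Tenable's code and not part of the original advisory). The struct, the function names and the canary value are hypothetical; on Windows, the platform the advisory tested, SecureZeroMemory and CryptProtectMemory are the corresponding APIs, and step 01 (in-memory encryption) is not shown here.

```c
#include <stddef.h>
#include <string.h>
#include <sys/prctl.h>   /* Linux-specific */

#define SECRET_MAX 64
struct secret { unsigned char data[SECRET_MAX]; size_t len; }; /* hypothetical holder */

/* Zero through a volatile pointer: a plain memset() on a buffer that is
   never read again can be removed by the optimizer as a dead store. */
void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Step 03 (Linux): disable core dumps of this process and ptrace attach
   by other unprivileged processes of the same user. Returns 0 on success. */
int harden_process(void) { return prctl(PR_SET_DUMPABLE, 0UL, 0UL, 0UL, 0UL); }

/* Copy a credential in; reject anything that would not fit. */
int secret_load(struct secret *s, const char *value) {
    size_t n = strlen(value);
    if (n >= SECRET_MAX) return -1;
    secure_wipe(s, sizeof *s);
    memcpy(s->data, value, n);
    s->len = n;
    return 0;
}

/* Step 02: wipe the buffer as soon as the credential has been used. */
void secret_release(struct secret *s) { secure_wipe(s, sizeof *s); }

/* What a strings-style pass over this buffer would find: 1 if present. */
int buffer_contains(const struct secret *s, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; m && i + m <= SECRET_MAX; i++)
        if (memcmp(s->data + i, needle, m) == 0) return 1;
    return 0;
}

int main(void) {
    struct secret s;
    const char *canary = "CANARY-Passw0rd!";   /* constructed sample value */
    harden_process();
    if (secret_load(&s, canary) != 0) return 1;
    /* ... authenticate to the scan target here ... */
    secret_release(&s);
    return buffer_contains(&s, canary);   /* exit status 0: no cleartext left */
}
```

A user who already holds debug privileges can still read the credential while it is live in memory; wiping after use only shortens that window.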
    Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2022-28291, contact disclose@securin.io
    05/Disclosure Timeline

    Vendors moved in days.
    Attackers in hours.

    Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

    April 25, 2022

    Discovered in Nessus Professional version 10.1.1 (#61)

    May 02, 2022

    Reported to Tenable’s team

    June 02, 2022

    Tenable proposed a potential fix in Nessus 10.4 or in a later release.

    August 04, 2022

    Tenable has deemed the reported vulnerability as an acceptable risk.

    August 31, 2022

    Tenable performed additional reviews and acknowledged there would be no fix for this issue.

    September 01, 2022

    Tenable has agreed to raise a CVE for this submission.

    October 18, 2022

    MITRE publishes CVE-2022-28291

    Disclosed 176 days after discovery

    06/References

    Cite, verify, go deeper.

    Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

    NVD — CVE-2022-28291: nvd.nist.gov/vuln/detail/CVE-2022-28291

    Securin VI — Full Technical Analysis: vi.securin.io
