Your Security Tools Are the Vulnerability: Critical CrowdStrike LogScale (CVE-2026-40050) and High-Severity Tenable Nessus (CVE-2026-33694) Patches

Introduction

In a single 24-hour window, two vendors that sell vulnerability management and log analytics to virtually every Fortune 500 SOC pushed advisories for serious flaws in their own products. CrowdStrike disclosed CVE-2026-40050, a CVSS 9.1–9.8 unauthenticated path traversal in self-hosted LogScale that lets a remote attacker read arbitrary files from the server. Tenable disclosed CVE-2026-33694, a high-severity arbitrary code execution flaw in Nessus and Nessus Agent on Windows that allows authenticated attackers to elevate to SYSTEM via NTFS junctions. Both products are usually deployed with privileged access to your environment. If they're not patched, they're a direct path from a low-privileged foothold to total compromise.

What Happened

CrowdStrike Falcon LogScale — CVE-2026-40050

CrowdStrike disclosed an unauthenticated path traversal in self-hosted LogScale (the log analytics product previously known as Humio, and the storage layer behind some CrowdStrike Next-Gen SIEM deployments). A specific cluster API endpoint, when reachable, lets a remote attacker traverse the filesystem and read arbitrary files — TLS certificates, credential files, configuration secrets, and the LogScale data store itself.

The flaw chains two CWEs: CWE-306 (missing authentication for a critical function) and CWE-22 (improper limitation of a pathname to a restricted directory, i.e. path traversal). CrowdStrike's own advisory rates it CVSS 9.1; runZero and other independent trackers have published a 9.8 version of the score.

Affected versions:

  • LogScale Self-Hosted (GA): 1.224.0 through 1.234.0 (inclusive)
  • LogScale Self-Hosted (LTS): 1.228.0 and 1.228.1

Patched versions: 1.235.1, 1.234.1, 1.233.1, or 1.228.2 (LTS).

CrowdStrike's SaaS LogScale customers were already protected by a network-layer block deployed across all clusters on April 7, 2026. Next-Gen SIEM customers on the new platform are unaffected. The flaw was discovered internally and CrowdStrike says a review of log data shows no exploitation in the wild — yet. Self-hosted customers need to act fast: a publicly disclosed, unauthenticated path traversal rated CVSS 9.1 on a network-reachable service is the kind of bug that gets a working exploit within days.

Tenable Nessus / Nessus Agent on Windows — CVE-2026-33694

Tenable shipped two advisories (TNS-2026-12 and TNS-2026-13) for the same underlying flaw in Nessus 10.11.3 and earlier and Nessus Agent 11.1.2 and earlier on Windows. Italy's National Cybersecurity Agency (ACN) issued AL03/260424/CSIRT-ITA the same day to push the patches into European critical-infrastructure operators.

The flaw is a junction-based file-deletion → arbitrary-code-execution chain. An authenticated local attacker creates an NTFS junction pointing from a directory Nessus writes to (logs, scan output, plugin cache) to a privileged target, triggers a Nessus operation that performs a delete or move, and Nessus — running as LocalSystem — wipes or replaces the target file. From there, classic DLL hijacking or service binary replacement yields SYSTEM execution.

Patched versions:

  • Nessus 10.11.4 or later (Windows)
  • Nessus Agent 11.1.3 or later (Windows)

The class of bug — junction-based privilege escalation — is well-trodden, and PoCs for the broader pattern exist publicly. Tenable hasn't reported in-the-wild exploitation, but Nessus is exactly the kind of tool an attacker who has lateral access wants to abuse: it has SYSTEM privileges, sits on every Windows server in a typical scan fleet, and is rarely scanned itself.

Why It Matters

Security tooling is the highest-trust software in any environment. LogScale ingests every log line from every host you care about; Nessus has credentialed access to scan everything. When the tooling itself contains pre-auth or near-pre-auth privilege-escalation flaws, an attacker who finds the security stack on the internal network is one step from owning the kingdom. The CrowdStrike flaw is more dangerous in absolute terms (no auth required), but the Tenable flaw is the one that would turn a routine workstation compromise into a domain-wide breach if Nessus Agent is deployed widely.

There's a second-order point worth flagging: both vendors found these bugs internally, on their own products, before adversaries did. That's the supply-chain hygiene defenders should expect — but it only works if customers patch quickly. The window between disclosure and exploitation for path-traversal-class flaws is now measured in days, not months.

Who Is Affected

  • CrowdStrike LogScale Self-Hosted, GA versions 1.224.0–1.234.0 and LTS 1.228.0/1.228.1
  • Any organization that exposes the LogScale cluster API endpoint to non-trusted network segments
  • Tenable Nessus ≤ 10.11.3 on Windows
  • Tenable Nessus Agent ≤ 11.1.2 on Windows
  • Especially: SOCs running Nessus Agent on every endpoint as part of compliance scanning — every agent host is now a junction-attack target

CrowdStrike LogScale SaaS, Next-Gen SIEM, and Linux/macOS-only Nessus deployments are not affected by these specific CVEs.
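The version boundaries above are easy to get wrong in a hurry, because the LogScale fixed point releases (1.233.1, 1.234.1) fall numerically inside the affected GA range, and the Tenable flaw is Windows-only. The following is an added example, not code from either vendor, that encodes exactly the published ranges and triages an asset inventory export against them; the inventory format and the hostnames in it are constructed for the example.

```python
# Added example (not from the advisories): triage an asset inventory against the
# affected/fixed versions published for CVE-2026-40050 and CVE-2026-33694.
from typing import Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '1.228.1' into (1, 228, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


# Version data as published: LogScale GA range, LTS builds, and fixed releases.
LOGSCALE_GA_RANGE = (parse_version("1.224.0"), parse_version("1.234.0"))
LOGSCALE_LTS_AFFECTED = {parse_version("1.228.0"), parse_version("1.228.1")}
LOGSCALE_FIXED = {parse_version(v) for v in ("1.235.1", "1.234.1", "1.233.1", "1.228.2")}

NESSUS_LAST_VULNERABLE = parse_version("10.11.3")
NESSUS_AGENT_LAST_VULNERABLE = parse_version("11.1.2")


def logscale_vulnerable(version: str) -> bool:
    v = parse_version(version)
    # Fixed point releases such as 1.233.1 sit numerically inside the GA range,
    # so the explicit fixed list must win over the range check.
    if v in LOGSCALE_FIXED:
        return False
    low, high = LOGSCALE_GA_RANGE
    return low <= v <= high or v in LOGSCALE_LTS_AFFECTED


def nessus_vulnerable(product: str, version: str, platform: str) -> bool:
    # Only the Windows builds are affected by CVE-2026-33694.
    if platform.lower() != "windows":
        return False
    v = parse_version(version)
    if product == "Nessus":
        return v <= NESSUS_LAST_VULNERABLE
    if product == "Nessus Agent":
        return v <= NESSUS_AGENT_LAST_VULNERABLE
    raise ValueError(f"unknown Tenable product: {product}")


def triage(inventory):
    """Return (host, product, version, cve) for every asset that still needs the patch."""
    findings = []
    for asset in inventory:
        product = asset["product"]
        if product == "LogScale Self-Hosted":
            if logscale_vulnerable(asset["version"]):
                findings.append((asset["host"], product, asset["version"], "CVE-2026-40050"))
        elif product in ("Nessus", "Nessus Agent"):
            if nessus_vulnerable(product, asset["version"], asset["platform"]):
                findings.append((asset["host"], product, asset["version"], "CVE-2026-33694"))
    return findings


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    {"host": "logscale-01", "product": "LogScale Self-Hosted", "version": "1.230.0", "platform": "linux"},
    {"host": "logscale-02", "product": "LogScale Self-Hosted", "version": "1.233.1", "platform": "linux"},
    {"host": "logscale-lts", "product": "LogScale Self-Hosted", "version": "1.228.1", "platform": "linux"},
    {"host": "scanner-01", "product": "Nessus", "version": "10.11.3", "platform": "windows"},
    {"host": "scanner-02", "product": "Nessus", "version": "10.11.3", "platform": "linux"},
    {"host": "ws-0042", "product": "Nessus Agent", "version": "11.1.3", "platform": "windows"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print("PATCH NEEDED: %s %s %s (%s)" % finding)
```

Feed it the export from whatever CMDB or agent console you already have; the point is that the comparison is on integer tuples and the fixed list is checked before the range, so `1.233.1` comes back clean while `1.233.0` does not.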

How to Protect Yourself

CrowdStrike LogScale (CVE-2026-40050)

Upgrade now:

# Verify your current version
curl -s -k https://your-logscale-host/api/v1/version | jq .

# Containerized deployment
docker pull humio/humio-core:1.235.1
# or LTS
docker pull humio/humio-core:1.228.2

# Bare-metal RPM/DEB — check vendor docs
sudo systemctl stop humio
# install new package
sudo systemctl start humio
sudo systemctl status humio
curl -s -k https://your-logscale-host/api/v1/version | jq .

Find vulnerable instances on your network (runZero published a query that matches any asset whose HTTP Server header identifies it as Humio):

_asset.protocol:http AND protocol:http AND (http.head.server:="Humio-%" OR last.http.head.server:="Humio-%")

Or with a quick scan:

nmap -p 80,443,8080 --script http-headers <your-internal-cidr> 2>/dev/null | \
    grep -E "Server: Humio"

Compensating control until patched — block the cluster API endpoint at your ingress proxy and restrict to known operator IPs:

location ~ ^/api/v1/clusters/ {
    allow 10.10.10.0/24;   # SOC subnet
    deny all;
}

Hunt for prior abuse. Search LogScale audit logs and your reverse proxy logs for unusual GET requests with .. sequences against the cluster endpoint:

grep -E 'GET /api/v1/clusters/.*\.\.' /var/log/nginx/access.log
grep -E 'GET /api/v[0-9]+/.*(/etc/|/root/|\.\./)' /var/log/logscale/*.log
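A literal grep for `..` misses the percent-encoded (`%2e%2e`) and double-encoded (`%252e`) forms that proxies faithfully record in the access log. The following is an added example, not part of CrowdStrike's advisory or tooling, that parses nginx combined-format lines, decodes the path, and flags traversal attempts against the cluster endpoint prefix used in the nginx rule above; the log lines, client addresses and file names in it are constructed.

```python
# Added example (not from CrowdStrike): flag path-traversal attempts against the LogScale
# cluster API in reverse-proxy access logs, including URL-encoded variants a plain grep misses.
import re
from urllib.parse import unquote

# nginx combined log format: client, ident, user, [timestamp], "METHOD path HTTP/x", status, bytes
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

CLUSTER_API_PREFIX = "/api/v1/clusters/"   # same prefix as the nginx location block above


def normalize_path(raw: str) -> str:
    """Drop the query string, decode percent-encoding twice (double encoding), unify slashes."""
    path = raw.split("?", 1)[0]
    decoded = unquote(unquote(path))
    return decoded.replace("\\", "/")


def is_traversal_attempt(raw_path: str) -> bool:
    path = normalize_path(raw_path)
    if not path.startswith(CLUSTER_API_PREFIX):
        return False
    segments = path.split("/")
    # A bare ".." segment, or an absolute system path spliced in, is never a legitimate cluster call.
    return ".." in segments or any(marker in path for marker in ("/etc/", "/root/"))


def hunt(lines):
    """Return (client, timestamp, decoded_path, status) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        if is_traversal_attempt(m["path"]):
            hits.append((m["client"], m["ts"], normalize_path(m["path"]), int(m["status"])))
    return hits


# Constructed sample log lines (addresses, timestamps and paths are made up for this example).
SAMPLE_LOG = [
    '10.10.10.5 - - [08/Apr/2026:09:12:01 +0000] "GET /api/v1/clusters/abc/status HTTP/1.1" 200 512',
    '203.0.113.7 - - [08/Apr/2026:09:12:44 +0000] "GET /api/v1/clusters/abc/../../../../etc/passwd HTTP/1.1" 200 1893',
    '203.0.113.7 - - [08/Apr/2026:09:13:02 +0000] "GET /api/v1/clusters/abc/%2e%2e/%2e%2e/config/secrets.env HTTP/1.1" 404 153',
    '203.0.113.7 - - [08/Apr/2026:09:13:20 +0000] "GET /api/v1/clusters/abc/%252e%252e/%252e%252e/root/notes.txt HTTP/1.1" 200 2602',
    '10.10.10.9 - - [08/Apr/2026:09:14:10 +0000] "GET /api/v1/search?q=..%20dots HTTP/1.1" 200 88',
    '10.10.10.9 - - [08/Apr/2026:09:15:10 +0000] "POST /api/v1/ingest/humio-structured HTTP/1.1" 200 20',
]

if __name__ == "__main__":
    for client, ts, path, status in hunt(SAMPLE_LOG):
        # A 200 on a traversal path means the read most likely succeeded; treat it as a confirmed incident.
        print(f"{ts} {client} {path} -> {status}")
```

Status codes matter in the output: a 404 is a probe, a 200 against a traversal path is a file that left the server, and both deserve a look at everything else that client did.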

Tenable Nessus / Nessus Agent (CVE-2026-33694)

Upgrade now:

# Check installed version (registry uninstall keys; avoids the slow Win32_Product class,
# which re-validates every MSI package on the host when queried)
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
    Where-Object { $_.DisplayName -like 'Nessus*' } |
    Select-Object DisplayName, DisplayVersion

# Or via service path
Get-ItemProperty "HKLM:\SOFTWARE\Tenable\Nessus" | Select-Object -Property *Version*

# After download from Tenable Downloads → install silently
msiexec /i Nessus-10.11.4-x64.msi /qn /l*v nessus_install.log
msiexec /i NessusAgent-11.1.3-x64.msi /qn /l*v nessus_agent_install.log

Compensating control until patched. Tighten ACLs on Nessus directories so only NT AUTHORITY\SYSTEM and Tenable service accounts can write:

$path = "C:\ProgramData\Tenable\Nessus"
icacls $path /save "$env:TEMP\nessus-acl.bak" /t   # back up the current ACLs before changing them
icacls $path /inheritance:r
icacls $path /grant:r "NT AUTHORITY\SYSTEM:(OI)(CI)F" "BUILTIN\Administrators:(OI)(CI)F"
icacls $path /remove "BUILTIN\Users" "Authenticated Users"

Hunt for junction abuse. PowerShell can enumerate junctions across the typical Nessus paths:

Get-ChildItem -Path "C:\ProgramData\Tenable","C:\Program Files\Tenable" -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LinkType -eq 'Junction' -or $_.Attributes -match 'ReparsePoint' } |
    Select-Object FullName, LinkType, Target

Any reparse point inside Nessus directories that points outside Nessus's own tree is suspicious.
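Deciding "outside Nessus's own tree" by eye does not scale across a scan fleet, and a naive prefix comparison is fooled by case, trailing `..` segments and look-alike directory names. The following is an added example, not part of Tenable's advisory or tooling, that applies that rule to (link, target) pairs such as the ones the Get-ChildItem pipeline above emits; it uses Python's `ntpath` so the path logic runs anywhere, and the reparse points in it are constructed.

```python
# Added example (not from Tenable): decide which reparse points under the Nessus directories
# point outside Nessus's own tree. Collection of (link, target) pairs is left to the
# PowerShell pipeline in the article; this is the pure path logic, runnable on any OS.
import ntpath

# Directory trees Nessus legitimately owns on Windows (the hunt paths used in this article).
NESSUS_ROOTS = (r"C:\ProgramData\Tenable", r"C:\Program Files\Tenable")


def canonical(path: str) -> str:
    """Normalize case and separators and collapse '..' so comparisons are not fooled by spelling."""
    return ntpath.normcase(ntpath.normpath(path))


def is_inside(target: str, root: str) -> bool:
    """True only if target resolves to root itself or something beneath it."""
    t, r = canonical(target), canonical(root)
    try:
        # commonpath (not startswith) so C:\ProgramData\TenableEvil is not treated as inside.
        return ntpath.commonpath([t, r]) == r
    except ValueError:          # different drives, e.g. D:\ vs C:\, share no common path
        return False


def suspicious_reparse_points(points, roots=NESSUS_ROOTS):
    """Return the (link, target) pairs whose target lies outside every Nessus root."""
    return [(link, target) for link, target in points
            if not any(is_inside(target, root) for root in roots)]


# Constructed sample: what the Get-ChildItem pipeline might return as (FullName, Target).
SAMPLE_POINTS = [
    (r"C:\ProgramData\Tenable\Nessus\nessus\logs", r"C:\ProgramData\Tenable\Nessus\nessus\logs-archive"),
    (r"C:\ProgramData\Tenable\Nessus\nessus\tmp", r"C:\Windows\System32"),
    (r"C:\ProgramData\Tenable\Nessus\nessus\plugins\cache", r"C:\ProgramData\Tenable\Nessus\nessus\..\..\..\..\Users\Public"),
    (r"C:\Program Files\Tenable\Nessus\data", r"c:\program files\tenable\nessus\data-old"),
]

if __name__ == "__main__":
    for link, target in suspicious_reparse_points(SAMPLE_POINTS):
        print(f"SUSPICIOUS: {link} -> {target}")
```

Export the PowerShell results as CSV and feed them in; anything this returns is a junction whose target Nessus will write to with SYSTEM privileges, which is exactly the condition the flaw depends on.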

Restrict who can write to ProgramData paths generally — junction-based escalations are a recurring Windows pattern. Tools like Microsoft's MitigationOptions policy and the RedirectionGuard feature in newer Windows builds harden this entire class of attacks.

Make this a workflow, not a one-time event

  • Add CrowdStrike Trust Center and Tenable Security Bulletins to the same automated tracker that consumes CISA KEV.
  • Treat a critical bug in your security stack as a P1 incident with the same SLA as a customer-impacting outage. Both CrowdStrike and Tenable found these flaws because they look; the rest of your stack deserves the same scrutiny.
