Two Major Security Vendors Issue Patches for Serious Flaws
Both CrowdStrike and Tenable notified their customers this week of significant vulnerabilities that have been identified and remediated in their respective security products. The disclosures underscore a recurring reality in the cybersecurity industry: even the tools designed to protect organizations are not immune to software weaknesses.
CrowdStrike Addresses Critical Path Traversal in LogScale
CrowdStrike released a security advisory detailing CVE-2026-40050, a critical unauthenticated path traversal vulnerability affecting its LogScale product. The flaw is particularly concerning because it can be exploited by a remote attacker — without any authentication — to read arbitrary files directly from the server's filesystem.
CrowdStrike clarified that customers using its Next-Gen SIEM offering are not impacted by this vulnerability. Additionally, the company confirmed that the issue has already been mitigated for LogScale SaaS customers. However, organizations running LogScale Self-hosted deployments have been urged to update immediately to the patched version.
According to CrowdStrike, the vulnerability was discovered through internal security review processes. The company stated that a thorough examination of log data found no evidence of exploitation in the wild, offering some reassurance to customers who may have been exposed prior to patching.
Tenable Patches High-Severity Nessus Flaw on Windows
Tenable published two separate advisories on the same day, both addressing the same high-severity vulnerability affecting its widely used Nessus vulnerability scanner on Windows systems. The flaw is tracked as CVE-2026-33694.
The nature of this vulnerability is particularly dangerous. An attacker capable of exploiting it via junctions — a type of Windows filesystem link — could:
- Delete arbitrary files with System-level privileges
- Achieve arbitrary code execution with elevated privileges
The ability to execute arbitrary code with elevated privileges represents a severe risk to any Windows environment running the affected software, as it could allow a threat actor to completely compromise the host system.
Tenable issued the patches through two distinct advisories, one covering Nessus and another specifically for Nessus Agent, reflecting the fact that both components share the vulnerability and require separate remediation steps.
What Organizations Should Do
Customers of both vendors should act promptly given the severity ratings assigned to these vulnerabilities:
- CrowdStrike LogScale Self-hosted users should upgrade to the patched version referenced in CrowdStrike's official advisory as soon as possible.
- Tenable Nessus and Nessus Agent users on Windows should apply the available patches and consult both advisories to ensure full coverage across all deployed components.
While CrowdStrike's CVE-2026-40050 carries a critical severity rating, Tenable's CVE-2026-33694 is classified as high severity — both warrant immediate attention given the potential for remote file access or privileged code execution.
Broader Context
These disclosures arrive amid an active threat landscape in which security software itself has increasingly become a target. Path traversal vulnerabilities and privilege escalation flaws in widely deployed security platforms are particularly attractive to attackers because exploiting them can grant deep access to sensitive infrastructure that organizations specifically rely on for protection.
The fact that neither vendor has reported active exploitation at the time of disclosure is encouraging, but security teams should not wait for confirmed in-the-wild attacks before applying patches. Threat actors routinely analyze public CVE disclosures and can develop working exploits quickly once details become available.
Organizations are advised to monitor both CrowdStrike's and Tenable's official security advisory portals for the latest guidance and patched version numbers.
Source: SecurityWeek