A command injection flaw exists in Tenable Security Center that permits an authenticated, remote attacker to execute arbitrary code on the host server. The vulnerability is rated with a CVSS score of 7.4 and is classified as CWE‑78, meaning attackers can inject operating‑system commands and take control of the system. Such exploitation would allow full compromise of the security center instance and any data or services exposed on the underlying server.

The affected systems are Tenable Security Center platforms. Tenable identified patches for popular releases, including versions 6.5.1, 6.6.0, and 6.7.2. Users operating any of these versions should verify the presence of the security updates SC‑202602.1 and SC‑202602.2 before applying the fix.

The risk rating is high (CVSS 7.4) but the EPSS probability is below 1 %. The CVE description indicates that an authenticated, remote attacker can execute arbitrary code on the host server. The specific authentication mechanism or interface (e.g., web UI or API) is not detailed, so it is not explicitly stated how the attacker gains the required access. The vulnerability is a command injection flaw (CWE‑78) that, if exploited, would allow execution of operating‑system commands on the underlying system. The vulnerability is not listed in the CISA KEV catalog. The exploit would need a path from an authenticated session to the vulnerable command handler, but the exact details are not disclosed in the description.