Automated remediation scripts mapped to Tenable Nessus plugin IDs and CVEs — enabling rapid, repeatable vulnerability remediation at scale using PowerShell and Bash.
Build a library of tested, production-ready remediation scripts that map directly to Tenable Nessus scan findings. Each script targets specific plugin IDs and CVEs, allowing security teams to move from scan results to automated remediation without manual intervention.
| Tenable Plugin ID | CVE(s) | Vulnerability | Script | Language |
|---|---|---|---|---|
| 20007, 104743, 157288 | CVE-2014-3566 (POODLE), CVE-2021-23839, CVE-2011-3389 (BEAST) | Deprecated SSL/TLS Protocol & Cipher Suite Detection | toggle-protocols.ps1 | PowerShell |
| 42263 | N/A | Telnet Service Detection (Cleartext Authentication) | remediation-Telnet-Remove.sh | Bash |
| 96982 | CVE-2017-0144 (EternalBlue) | SMBv1 Protocol Enabled | remediation-SMBv1-Disable.ps1 | PowerShell |
| 18405, 30218 | CVE-2019-0708 (BlueKeep) | RDP Misconfiguration / Weak Encryption | remediation-RDP-Hardening.ps1 | PowerShell |
| 10413 | N/A | Guest Account Enabled / In Admin Group | remediation-GuestAccount-Disable.ps1 | PowerShell |
| 105181 | CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 | Spectre/Meltdown Mitigations Missing | remediation-Spectre-Meltdown.ps1 | PowerShell |
| 90317 | N/A | WinRM Unencrypted HTTP Enabled | remediation-WinRM-Hardening.sh | Bash |
File: scripts/powershell-template.ps1
What it does:
- Disables SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 (server and client)
- Enables TLS 1.2 (server and client)
- Includes a toggle variable (
$makeSecure) for secure/insecure states — useful for lab environments - Requires Administrator privileges with validation check
Tested on:
- Windows Server 2019 Datacenter (Build 1809)
- Windows 10 Pro (Build 22H2)
- PowerShell 5.1
Usage:
# Run as Administrator
.\toggle-protocols.ps1File: scripts/remediation-Telnet-Remove.sh
What it does:
- Stops and disables the
inetdservice - Purges
telnetdandinetutils-inetdpackages - Cleans up unused dependencies
Tested on:
- Ubuntu 20.04 LTS
Usage:
wget https://raw.githubusercontent.com/murpheelee/programmatic-vulnerability-remediations/main/scripts/remediation-Telnet-Remove.sh
chmod +x remediation-Telnet-Remove.sh
sudo ./remediation-Telnet-Remove.shNessus Scan Results → Identify Plugin ID → Match to Remediation Script → Test in Lab → Deploy via Automation
- Scan — Run authenticated Nessus scans against target systems
- Map — Match scan findings to remediation scripts by Plugin ID
- Test — Execute scripts in isolated lab environment
- Deploy — Push to production systems via automation tooling
- Verify — Re-scan to confirm remediation success
To add a new remediation script:
- Identify the Tenable Plugin ID and associated CVEs
- Write a script following the existing template structure (header comments, tested-on metadata)
- Test on at least one target system
- Add the entry to the Remediation Index table above