Tenable Research Release Highlights

Forum Discussion

Harry_NINT's avatar
Harry_NINT
Product Team
20 days ago

CyberArk PVWA Credentials from CCP

Summary

Tenable is proud to announce an enhancement to credentialed scanning using CyberArk Auto-Discovery. Specifically, as it relates to how customers can manage Password Vault Web Access (PVWA) credentials in the CyberArk Vault, and fetch them from the Central Credential Provider (CCP).

When using CyberArk Auto-Discovery, the scanner accesses the Password Vault Web Access (PVWA) API to enumerate accounts to be dynamically added as targets to the scan, and the scanner uses a username and password to authenticate to this API. This new feature offers the ability to store the username and password combination in CyberArk itself, eliminating the need to manually manage these credentials.

New Feature

The feature adds a new drop-down menu, named “PVWA REST API Authentication Type”, which has two options, “Username and Password” and “Gather from CCP”. “Username and Password” is the default and previous behavior of manually entering the PVWA username and password. “Gather from CCP” provides the ability to gather these values from the vault, by instead providing the Account Name (unique credential identifier) of the account containing PVWA credentials.

Please note that this change only affects configurations using CyberArk Auto-Discovery as a Windows, Database or SSH authentication method, because these are the only integrations that interface with the PVWA. The following other integrations are unaffected by this change:

  • CyberArk (without auto-discovery)
  • CyberArk Secrets Manager
  • CyberArk (Legacy)

 

Additionally, this change requires a minimum Nessus scanner version of 10.10. Attempting to use this feature with an older Nessus version will fail with an error in the debugging log report which reads: Please note that fetching PVWA creds from the Central Credential Provider requires Nessus scanner version 10.10 or later.

For more information, please refer to the CyberArk integrations documentation: https://docs.tenable.com/Integrations.htm

Impact

There is no change necessary for customer configurations. Customers with existing Auto-Discovery credentials will continue to use username and password authentication, but will have the option to try the new feature by selecting “Gather from CCP”.

Release Date

April 1st 2026 for T.VM and Nessus, TDB for T.SC

 

No RepliesBe the first to reply