Research Release Highlight - Potential Vulnerabilities
Summary
In this Release Highlight, Tenable Research is officially introducing Potential Vulnerabilities. A potential vulnerability is a finding that has a lower degree of certainty as to whether the assessed application is or is not vulnerable.
The family of Potential Vulnerabilities consists of six categories: Backported, Managed, Component, Configuration Checks, Low Fidelity Checks and Incomplete or Unknown Version.
The vulnerable findings surfaced by detection plugins will be tagged and reported appropriately to distinguish potential vulnerabilities from regular findings, while indicating which Potential Vulnerabilities category(ies) they correspond to.
Potential vulnerabilities for Component installations are shown in scan results by default, but can be hidden by disabling the relevant scan setting. To modify this setting in your scan policy, go to Settings > Assessment > Accuracy > Override Normal Accuracy > Assess component installs for potential vulnerabilities. Please refer to this article for more information on Component scanning.
The visibility of potential vulnerabilities for Backported and Managed installations remains unchanged and will continue to rely on the scan’s paranoid status. Please refer to this article for more information on Paranoia scan settings.
Overview
At this time, Tenable Research has identified six cases that lead to vulnerability findings with a reduced degree of certainty. Each one serves as a potential vulnerability category:
Backported applications
Nessus often relies on applications’ banners to detect them remotely (i.e. without auth), but the practice of backporting makes application banners less reliable sources of information. A detected application’s backported banner may often advertise the same application version as a non-backported banner, with little to no indication of its backported nature. Nessus attempts to mark application banners as backported whenever possible and subsequent vulnerability checks against applications whose banners are deemed backported produce findings that are considered to have a reduced degree of certainty.
Managed applications
Detected application binaries on Linux systems are sometimes associated with packages that are distributed and managed by the Linux distro through the distro’s package manager. These binaries often carry different vulnerabilities and security fixes than their non-managed counterparts and even their counterparts managed by other distros. Nessus attempts to associate binaries to distro-managed packages and performs distro-specific vulnerability checks against any binaries that are found to have such an association. In an effort to provide the widest vulnerability coverage possible for Tenable customers, non-distro-specific vulnerability checks (like those in the ‘Misc’ plugin family) may still assess managed binaries, but their findings are considered to have a reduced degree of certainty.
Component applications
Entire applications or application binaries that Nessus detects may sometimes be bundled with another application as one of its components. The main application typically manages its component applications, making it very challenging or impossible to directly remediate a vulnerability identified in a component (e.g. by updating or removing it) without adversely affecting the main application. Nessus attempts to identify component applications and any subsequent vulnerability checks against applications marked as components produce findings that are considered to have a reduced degree of certainty.
Configuration Checks
Some vulnerabilities may affect an application only when running in a specific configuration. While performing a configuration check provides a higher degree of certainty, detection plugins sometimes report a vulnerable version based only on the version number without performing the required configuration check. Generally this will be the case when Nessus is unable to perform the configuration check, or the method of performing the configuration check is not (publicly) available. In these cases, the vulnerable findings surfaced by detection plugins are considered to have a reduced degree of certainty.
Low Fidelity Checks
Some vulnerabilities may require many different or complex conditions to be met to be considered truly present. In some cases, vulnerability detections may instead perform a simpler series of checks, without performing all of the necessary conditional checks. This category includes other lower-confidence detection workflows that a detection plugin may opt to perform out of necessity. For example, drawing important decision-making data from less reliable sources or selecting a version to compare against out of multiple detected. In all these scenarios, the findings are considered to have a reduced degree of certainty.
Incomplete or Unknown Version
The detected version of an application may sometimes not be granular enough to confidently determine the vulnerability status of that application. This also includes cases where a version number is present but the necessary hotfix, patch, etc. data is missing, and cases where we cannot obtain a version and can only detect the presence of the product (e.g. the version is hidden behind a login page). These findings are considered to have a reduced degree of certainty.
Vulnerability detection plugins have long recognized Backported or Managed installations, factoring this information into each plugin’s vulnerability checking logic. This capability has recently been extended with Component installations. The remaining three potential vulnerability categories, i.e. Configuration Checks, Low Fidelity Checks, and Incomplete or Unknown Version, are set to release later in 2026.
Changes in Vulnerability Detections
Vulnerability detection plugins are enhanced with this release to take the six Potential Vulnerability categories into account when reporting vulnerable findings. Their reports will now include a dedicated line of output indicating whether the vulnerability finding is potential and the potential vulnerability category it corresponds to.
The following are a few examples of the expected changes in vulnerability detection plugin output, when a Potential Vulnerability is found and reported. Note that these results stem from Paranoid scans, with Component scanning enabled.
Backported applications
A vulnerable instance of the Apache HTTP server is running on a Linux host. It is identified as backported based on its banner, which indicates that it is a CentOS-specific release:
Before
Apache vulnerability plugins (like 100995, whose output is shown below) are currently flagging this instance as vulnerable without marking it as a potential vulnerability:
After
With the changes introduced, these vulnerabilities are marked as potential due to the Apache instance being backported:
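As an added illustration (not Tenable's or Nessus's code), the following toy Python model shows how the Backported, Managed and Component tags described in the Overview and in this Apache example reduce the certainty of a banner-based version check. The banner format, the distro tokens used to spot a backported build, and the fixed-in version are assumptions.

```python
"""Toy model of potential-vulnerability tagging for a banner-based check.
Added example, not Nessus plugin code; banner regex, distro tokens and
FIXED_IN are assumptions chosen for illustration."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical Apache flaw fixed in 2.4.10 (constructed value).
FIXED_IN: Tuple[int, int, int] = (2, 4, 10)
# Tokens that commonly appear in distro-built Apache banners (assumption).
BACKPORT_TOKENS = ("CentOS", "Red Hat", "Debian", "Ubuntu", "SUSE")


@dataclass
class Install:
    banner: str                         # e.g. "Apache/2.4.6 (CentOS)"
    managed_by_pkg: bool = False        # owned by the distro package manager
    component_of: Optional[str] = None  # parent app that bundles this install


@dataclass
class Finding:
    version: Tuple[int, int, int]
    vulnerable: bool
    categories: List[str] = field(default_factory=list)

    @property
    def potential(self) -> bool:
        # A finding is "potential" only if it is vulnerable AND carries a
        # reduced-certainty category.
        return self.vulnerable and bool(self.categories)


def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None  # type: ignore


def is_backported(banner: str) -> bool:
    return any(tok in banner for tok in BACKPORT_TOKENS)


def assess(inst: Install) -> Optional[Finding]:
    ver = parse_version(inst.banner)
    if ver is None:
        return None  # no usable version: out of scope for this toy check
    f = Finding(version=ver, vulnerable=ver < FIXED_IN)
    if not f.vulnerable:
        return f
    # Same version string, but each signal lowers certainty that the
    # upstream fix is truly absent from this particular build.
    if is_backported(inst.banner):
        f.categories.append("Backported")
    if inst.managed_by_pkg:
        f.categories.append("Managed")
    if inst.component_of:
        f.categories.append("Component")
    return f
```

A plain `Apache/2.4.6` banner is reported as a regular vulnerable finding, while `Apache/2.4.6 (CentOS)` yields the same version but a finding tagged Backported, which is the distinction the plugin output now makes visible.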
Component applications
A vulnerable instance of Sqlite is found on a Windows host, as a component of the YourPhone built-in Windows app. This instance of Sqlite is bundled with and managed by the YourPhone application.
Before
Vulnerability plugins (like 242325, whose output is shown below) are currently flagging this instance as vulnerable without marking it as a potential vulnerability:
After
With the changes introduced, these vulnerabilities are marked as potential due to the Sqlite instance being a component of another application:
Managed applications
A vulnerable instance of Sqlite is found on a Linux host. This instance of the app has been installed by the OS’ package manager and is therefore managed by the OS.
Before
Vulnerability plugins (like 242325, whose output is shown below) are currently flagging this instance as vulnerable without marking it as a potential vulnerability:
After
With the changes introduced, these vulnerabilities are marked as potential due to the Sqlite instance being managed by the OS:
Impact
This release brings new plugin output for vulnerable findings of application installations tagged as Backported, Managed or Component.
Future releases will add similar new plugin output for the remaining three Potential Vulnerability categories (Configuration Checks, Low Fidelity Checks, Incomplete or Unknown Version).
Over time, Tenable Research will expand the number of detections that tag application installations as Components and vulnerable findings with the appropriate Potential Vulnerability category.
Target Release Date
06 APR 2026