Research Release Highlight - Potential Vulnerabilities
Summary In this Release Highlight, Tenable Research is officially introducing Potential Vulnerabilities. A potential vulnerability is a finding that has a lower degree of certainty as to whether the assessed application is or is not vulnerable. The family of Potential Vulnerabilities consists of six categories: Backported, Managed, Component, Configuration Checks, Low Fidelity Checks and Incomplete or Unknown Version. The vulnerable findings surfaced by detection plugins will be tagged and reported appropriately to distinguish potential vulnerabilities from regular findings, while indicating which Potential Vulnerabilities category(ies) they correspond to. Potential vulnerabilities for Component installations are shown in scan results by default, but can be hidden by disabling the relevant scan setting. To modify this setting in your scan policy, go to Settings > Assessment > Accuracy > Override Normal Accuracy > Assess component installs for potential vulnerabilities. Please refer to this article for more information on Component scanning. The visibility of potential vulnerabilities for Backported and Managed installations remains unchanged and will continue to rely on the scan’s paranoid status. Please refer to this article for more information on Paranoia scan settings. Overview At this time, Tenable Research has identified six cases that lead to vulnerability findings with a reduced degree of certainty. Each one serves as a potential vulnerability category: Backported applications Nessus often relies on applications’ banners to detect them remotely (i.e. without auth), but the practice of backporting makes application banners less reliable sources of information. A detected application’s backported banner may often advertise the same application version as a non-backported banner, with little to no indication of its backported nature. Nessus attempts to mark application banners as backported whenever possible and subsequent vulnerability checks against applications whose banners are deemed backported produce findings that are considered to have a reduced degree of certainty. Managed applications Detected application binaries on Linux systems are sometimes associated with packages that are distributed and managed by the Linux distro through the distro’s package manager. These binaries often carry different vulnerabilities and security fixes than their non-managed counterparts and even their counterparts managed by other distros. Nessus attempts to associate binaries to distro-managed packages and performs distro-specific vulnerability checks against any binaries that are found to have such an association. In an effort to provide the widest vulnerability coverage possible for Tenable customers, non-distro-specific vulnerability checks (like those in the ‘Misc’ plugin family) may still assess managed binaries, but their findings are considered to have a reduced degree of certainty. Component applications Entire applications or application binaries that Nessus detects may sometimes be bundled with another application as one of its components. The main application typically manages its component applications, making it very challenging or impossible to directly remediate a vulnerability identified in a component (e.g. by updating or removing it) without adversely affecting the main application. Nessus attempts to identify component applications and any subsequent vulnerability checks against applications marked as components produce findings that are considered to have a reduced degree of certainty. Configuration Checks Some vulnerabilities may affect an application only when running in a specific configuration. While performing a configuration check provides a higher degree of certainty, detection plugins sometimes report a vulnerable version based only on the version number without performing the required configuration check. Generally this will be the case when Nessus is unable to perform the configuration check, or the method of performing the configuration check is not (publicly) available. In these cases, the vulnerable findings surfaced by detection plugins are considered to have a reduced degree of certainty. Low Fidelity Checks Some vulnerabilities may require many different or complex conditions to be met to be considered truly present. In some cases, vulnerability detections may instead perform a simpler series of checks, without performing all of the necessary conditional checks. This category includes other lower-confidence detection workflows that a detection plugin may opt to perform out of necessity. For example, drawing important decision-making data from less reliable sources or selecting a version to compare against out of multiple detected. In all these scenarios, the findings are considered to have a reduced degree of certainty. Incomplete or Unknown Version The detected version of an application may sometimes not be granular enough to confidently determine the vulnerability status of that application. This also includes cases where a version number is present but the necessary hotfix, patch, etc. data is missing. And cases where we cannot obtain a version and can only detect the presence of the product (ex: the version is hidden behind a login page)These findings are considered to have a reduced degree of certainty. Vulnerability detection plugins have long recognized Backported or Managed installations, factoring this information into each plugin’s vulnerability checking logic. This capability has recently been extended with Component installations. The remaining three potential vulnerability categories, i.e. Configuration Checks, Low Fidelity Checks, Incomplete or Unknown Version, are set to release later in 2026. Changes in Vulnerability Detections Vulnerability detection plugins are enhanced with this release to take the six Potential Vulnerability categories into account when reporting vulnerable findings. Their reports will now include a dedicated line of output indicating whether the vulnerability finding is potential and the potential vulnerability category it corresponds to. The following are a few examples of the expected changes in vulnerability detection plugin output, when a Potential Vulnerability is found and reported. Note that these results stem from Paranoid scans, with Component scanning enabled. Backported applications A vulnerable instance of the Apache HTTP server is running on a Linux host. It is identified as backported based on its banner, which indicates that it is a CentOS-specific release: Before Apache vulnerability plugins (like 100995, whose output is shown below) are currently flagging this instance as vulnerable without marking it as a potential vulnerability: After With the changes introduced, these vulnerabilities are marked as potential due to the Apache instance being backported: Component applications A vulnerable instance of Sqlite is found on a Windows host, as a component of the YourPhone built-in Windows app, This instance of Sqlite is bundled with and managed by the YourPhone application. Before Vulnerability plugins (like 242325, whose output is shown below) are currently flagging this instance as vulnerable without marking it as a potential vulnerability: After With the changes introduced, these vulnerabilities are marked as potential due to the Sqlite instance being a component of another application: Managed applications A vulnerable instance of Sqlite is found on a Linux host. This instance of the app has been installed by the OS’ package manager and is therefore managed by the OS. Before Vulnerability plugins (like 242325, whose output is shown below) are currently flagging this instance as vulnerable without marking it as a potential vulnerability: After With the changes introduced, these vulnerabilities are marked as potential due to the Sqlite instance being managed by the OS: Impact This release brings new plugin output for vulnerable findings of application installations tagged as Backported, Managed or Component. Future releases will add similar new plugin output for the remaining three Potential Vulnerability categories (Configuration Checks, Low Fidelity Checks, Incomplete or Unknown Version). Over time, Tenable Research will expand the number of detections that tag application installations as Components and vulnerable findings with the appropriate Potential Vulnerability category. Target Release Date 06 APR 2026
Improvement to Printer OS Fingerprinting
Updated: April 3, 2026 Summary Scanned printers will now have an OS artefact surfaced in their scan host metadata if the target has been identified as a printer when the “Scan Network Printers” policy option is disabled. This change will not cause any additional asset licenses to be consumed within Tenable VM or Tenable Security Center. Background Printers are notoriously unstable scan targets. Oftentimes, they can behave erratically when scanned, so some users prefer to avoid scanning them altogether. At present, there is a switch in the scan policies to prevent further scanning of a host when it's identified as a printer. To enable this setting, go to Settings -> Host Discovery -> Fragile devices - Scan Network Printers (Currently, this is a checkbox setting, default value “off”). With that said, how can the scanner know the target is a printer if it cannot be scanned? In reality, the scanner still performs very basic fingerprinting (usually via SNMP) in order to gather enough information to make an educated guess at the device type. When the scan target is thought to be a printer, it essentially gets marked as “Host/dead" in the scan KB. When this happens, the scanner will not perform any further active scanning. Changes With this update, the fingerprint used to identify the printer as such, will now be stored in the scan Knowledge Base (KB) so it can be processed by os_fingerprint2.nasl ("Post-scan OS Identification", plugin ID 83349) and surfaced as metadata in the scan result. The relevant policy setting located at Settings -> Host Discovery -> Fragile devices -> Scan Network Printers. With this update, the printer's OS information will now be surfaced if it is available, regardless of the selected value for this setting. Impact Users can now see the OS information for their printer devices that would have otherwise gone unreported if the scan is not configured to “Scan Network Printers”. As plugin ID 83349 generates no plugin output, only an “operating-system” tag will be added to the scan result (and stored in an exported .nessus file). This information will be visible only the in “Host/Asset Details” section of the Tenable product UI, i.e: Tenable Nessus: Scans -> [Folder] -> [Individual Scan Result] - > Host Details -> OS (sidebar) Tenable Vulnerability Management: Explore -> Assets -> [Asset] -> Details -> Operating System Scans -> Vulnerability Management Scans -> [Individual Scan Result] -> Scan Details -> Asset Details -> Operating System Tenable Security Center: Analysis -> IP Summary -> [IP address] -> System Information -> OS Scans -> Scan Results -> [Individual Scan Result] -> IP Summary -> [IP address] -> System Information -> OS Note, we expect this information to surface mainly in individual scan results. It would only be present in cumulative asset details if a licensed asset already exists for the target in question. This update will not cause additional assets to be created or consume any additional licenses. Affected Plugins 83349 - os_fingerprint2.nasl 11933 - dont_scan_printers.nasl 22481 - dont_scan_settings.nasl Targeted Release Date Wednesday, March 4, 2026
Tenable Post-Quantum Cryptography Inventory Support
Summary The advent of quantum computing presents a significant threat to current cryptographic algorithms. Organizations worldwide are beginning the critical transition to post-quantum cryptography (PQC) resistant algorithms to ensure long-term data security. Government mandates, such as the U.S. National Security Memorandum 10 (NSM-10), outlines deadlines for PQC migration and specific actions agencies must take to migrate vulnerable systems. Our PQC support is designed to help customers inventory use of TLS and SSH quantum-resistant and vulnerable algorithms within their infrastructure using remote Nessus-based scans. Cipher Inventory and Reporting Post-Quantum Cipher Plugins Two remote-based scan informational reporting plugins for TLS and SSH protocols inform customers of their transition posture according to NIST Post-Quantum Encryption Standards. Services Using Post Quantum Cryptography: Reports on services equipped with at least one post-quantum cipher. It will specify which post-quantum ciphers were discovered, reporting by port and protocol. Services Not Using Post Quantum Cryptography: Reports on services that support no post-quantum ciphers. These plugins will be enabled by default and included in existing scans. Cryptographic Inventory Plugin Reporting To enable a JSON-based inventory of each target by service and cipher, enable through either a preference on your Advanced Network Scan or by running the Cryptographic Inventory scan template. These preferences will initially be supported in Nessus and Tenable Vulnerability Management. They are planned to be added to Tenable Security Center at a later date. Warning: Enabling this preference through the Advanced Network Scan is expected to increase the overall size of the plugin output per target and resulting Nessus database size. If you do not need to produce this inventory at all or on your regular scan cadence, it’s recommended to instead run the Cryptographic Inventory scan template to decrease the potential impact to your normal scan results. Options to Enable Inventory Reporting Advanced Scan Preference Post Quantum Cryptography Scan Template Cryptographic Inventory Plugin Details The plugin enabled with the preference or scan template is an information plugin called Target Cipher Inventory. Within the output of this plugin, you will find a JSON structure containing the TLS and SSH inventories for the scanned target. You can export this inventory based on plugin output using the Tenable API if needed. For TLS, the structure contains: Attribute Definition Encaps Protocol encapsulation employed such as TLSv1, TLSv2, TLSv3 Port Port used for TLS communication Curve Group Encryption method Ciphersuite Algorithm used to secure the TLS connection For SSH, the structure contains: Attribute Definition Proto Protocol of SSH Port Port used for SSH communication Name Algorithm used to secure the protocol Type Use of the named algorithm such as “message auth” Release Date Tenable Vulnerability Management and Tenable Nessus: December 8, 2025 Tenable Security Center: - December 8, 2025 for the informational plugins - Cryptographic Inventory scan template release to be determinedImprovement: Handling Component Installs for Vulnerability Assessment
Background On Friday, February 6, 2026, Tenable Research published a plugin update that changed the way component installs are assessed for vulnerabilities. Those changes are outlined in a previous release highlight: Component Installs Require Paranoid Checks, This update essentially reverts this change, while adding new functionality to allow users to choose whether or not they want component installs assessed for vulnerabilities. Component installs are no longer influenced by scan paranoia settings. What are “Component Installs”? Software components, such as applications or language modules/libraries, are installed and managed by a primary "parent" package or application. The crucial point is that these components often cannot be updated individually. Instead, their vulnerability assessment and upgrade are entirely dependent on an update of the parent package. For instance, the SQLite database component is installed as part of the Trend Micro Deep Security Agent and is updated only when the Agent itself is updated. Nessus uses several factors to determine if a detected product is a component, or a standalone installation, including: Was the product installed by a package manager? These products are not considered components, as they are managed by the package manager and not a “parent” application Is the component a “language library”, i.e. a library or module used by the interpreter of a programming language like Python or Node.js? These enumerated libraries are marked as components by default. Does the product reside in a directory that is recognized for installations that are not component-based? Changes By default, component installs are once again assessed for vulnerabilities, as was the case prior to the release of the aforementioned update. If users wish to turn this setting off, so that component installs will not be assessed by generic vulnerability detection plugins, they can do so via the newly created scan preference. The end result of this change should be that fewer “false positives”, i.e. reported vulnerabilities for components that are “owned” by another application, are shown in scan results. Components with vulnerabilities that cannot be addressed independently of the “parent” application will not show in scan results. However, some customers have expressed a desire to see these vulnerabilities in their scan results anyway, to ensure full awareness of the risk profile of every application in their environment. This is still possible through the updated scan configuration settings. To modify this setting in your scan policy, go to Settings > Assessment > Accuracy > Override Normal Accuracy > Assess component installs for potential vulnerabilities. This setting is ON (checkbox is ticked) by default, so users must enable the Override Normal Accuracy checkbox (which is OFF / unchecked by default) if they wish to disable the setting and ensure that component installs are not assessed by generic vulnerability detection plugins in this scan. Please note that this update makes no other changes to the existing paranoia logic, outside of what is described above. For now, “Managed”, “Managed by OS” and “Backported” installs are still controlled by the Show/Avoid potential false alarms radio button. How can I tell if the detected install is a component or not? In addition to the above, we have also updated the relevant detection plugins so they will show if the component flag is set or not. At present, this includes detection plugins for OpenSSL, Curl, LibCurl, Apache HTTPD, Apache Tomcat, SQLite, Python Packages, Node.js modules and, soon to follow, Ruby and Nuget libraries. Using plugin ID 174788, SQLite Detection (Windows), here is a before and after example of the expected plugin output. Before: After: Expected Impact With the new default setting in place, users should anticipate an increase in vulnerability findings for the products in scope, returning to a level similar to what was observed before the first update. If users do not wish to surface these additional potential vulnerabilities, they should disable the "Assess component installs for potential vulnerabilities” setting. If the new scan preference is disabled, the volume of findings will remain consistent with current levels, when scanning with normal accuracy (paranoia) settings. Affected Plugins 12288, global_settings.nasl (updated to support the new scan policy preference) Any plugin that operates downstream of those in the list below: SQLite: 174788 - sqlite_nix_installed.nasl 171077 - sqlite_win_installed.nasl OpenSSL: 168007 - openssl_nix_installed.nasl 168149 - openssl_win_installed.nasl Curl: 182774 - curl_nix_installed.nasl 171860 - curl_win_installed.nasl LibCurl: 182848 - libcurl_nix_installed.nasl Apache HTTPD: 141394 - apache_http_server_nix_installed.nasl 141262 - apache_httpd_win_installed.nasl Apache Tomcat: 130175 - apache_tomcat_nix_installed.nasl 130590 - tomcat_win_installed.nasl Python Packages: 164122 - python_packages_installed_nix.nasl 139241 - python_win_installed.nasl Node.js Modules: 178772 - nodejs_modules_linux_installed.nasl 179440 - nodejs_modules_mac_installed.nasl 200172 - nodejs_modules_win_installed.nasl Targeted Release Date Tenable Nessus and Vulnerability Management: Monday, March 9, 2026 (ETA 22:30 Eastern Standard Time) Tenable Security Center: Monday, March 16, 2026
March 2026 Tenable Product Newsletter
Check out our March newsletter to learn about the latest product and research updates, upcoming and on-demand webinars, and educational content — all to help you get more value from your Tenable solutions. EXPOSURE 2026 Save 50% on the security conference of the year Don’t miss EXPOSURE 2026, the first-ever conference dedicated exclusively to proactive, unified exposure management. Join us in Boston, Mass., from May 19-21, 2026, to get: Hands-on instruction with Exposure Management Strategy or Tenable One Technical Training Practical resources and real-world insights from Tenable leaders and industry experts Register before March 31 to save 50% off admission and training with early-bird pricing. Tenable customer update webinar 11 a.m. EST/3 p.m. BST, April 9, 2026 Join our upcoming webinar for an informative, fast-paced overview of recent product updates and best practices. Hosted by a team of Tenable product experts, this session will explore how to better secure your expanding attack surface and consolidate critical security data. Register now. Tenable One Coming soon: Data portability for Tenable Attack Path Analysis (APA) We’re introducing Full Export for Tenable APA, allowing you to move beyond single-page views and transform high-level visualizations into actionable offline intelligence. Key capabilities: Comprehensive data: Export full datasets for Top Attack Paths and Top Attack Techniques into CSV or JSON formats. Risk context: Exports include critical metrics like Source NES (Node Exposure Score) and Target ACR (Asset Criticality Rating). High capacity: Easily trigger exports for up to 100K+ results via a new global UI button. API parity: Programmatically pull path data into your SIEM, SOAR, or custom tools using the Tenable Public API. Tenable Cloud Security This month’s updates focus on operational scale, synchronizing security standards, and automating remediation across complex multi-cloud environments. Highlight: Synchronized policy management With linked queries, you can now connect saved explorer searches directly to custom policies and reports. Eliminate manual version control: When you update a source query, every linked policy and report automatically syncs, so your security standards are identical across your entire organization. Operational control: Pause automated workflows for maintenance without losing your configurations using the new enable/disable toggle for automation rules. High-impact capabilities Actionable CI/CD pipelines: Maintain developer velocity by excluding unresolvable vulnerabilities from container image scans. This prevents noise from breaking builds when no patch is currently available. Confirmed reachability: Bridge the gap between theoretical risk and actual exposure with Network Endpoints now displayed in your Inventory to surface the actual, validated entry points for your resources. Dynamic IaC protection: Tenable now scans Terraform dynamic configurations to give you visibility into scaled infrastructure and complex definitions before deployment. Expanded compliance: Immediate support for CIS AWS 6.0.0 and the NIS2 Directive keeps your cloud accounts aligned with the latest global regulatory benchmarks. Strategic update: Domain transition Note: Critical for continued service. The Console URL has officially transitioned to app.tenable.com. Please update your bookmarks and firewall allow lists to include *.app.tenable.com immediately to prevent service interruption. View Full March Release Notes Tenable Vulnerability Management Introducing VM-Native OT Discovery Safely identify and profile connected PLCs, HMIs, and IoT devices using the vulnerability management toolset you already own. No specialized hardware or complex deployments required. Turn your existing IT security tools into a safe OT discovery engine today and get visibility into your IT/OT security gap. Watch the guided demo to see this new capability in action. For more information, explore the user guide documentation for Scan Templates and Discovery Settings. Clean up your scan data: New OS and app inventory dashboard Our new Operating System and Application Inventory with Data Troubleshooting dashboard gives you an instant, high-level view of your asset counts across every OS and application. By using built-in troubleshooting queries, you can identify and fix scan fidelity issues and prioritize risk based on the most accurate data possible. View the dashboard details. Nessus Maximize your vulnerability assessment strategy with our recently introduced interactive Tenable Nessus demos. Skip the manuals and get immediate, hands-on experience securing your attack surface. Explore the Nessus Professional Onboarding demo to launch your first comprehensive scans in minutes. Dive into the Nessus Expert Onboarding demo to master advanced assessment features and eliminate security blind spots, whether on-prem or in the cloud. Tenable Security Center Uncover the OT blind spots across your network If you’re not already a Tenable OT Security user, your IT environment is likely full of shadow OT, like HVAC controllers and IoT devices, that standard scans can’t see. We recently added native OT discovery capabilities directly inside Tenable Security Center, so you can safely map these assets using the tools you already own. Get deep identity data for PLCs and HMIs without risking a disruption or deploying new network sensors. See it in action in this guided demo, and find out how to configure your first scan here. Reminder: Upgrade to Tenable Security Center 6.8 Focus on the vulnerabilities that truly matter with AI-powered VPR insights and clear mitigation guidance. This release streamlines your operations with unified asset repositories for IPv4, IPv6, and Agents, and improves efficiency with new background query processing and scan optimization tools. Explore the release notes for more information before you upgrade. Tenable Patch Management Improved patching precision and reliability Update (v10.0.971.26) includes critical fixes around strategy corruption and inaccurate compliance reporting. By upgrading, you keep your workflows intact, your data precise, and your environment benefits from the modernized performance and security of Java 25. View the release notes or access TPM documentation. Tenable OT Security Update required: Tenable OT Security 4.5 Service Pack (version 4.5.61) We advise all customers currently running version 4.5 apply this upgrade immediately to ensure optimal system stability and performance when processing high volumes of network conversations. This update also addresses specific communication gaps with Rockwell Stratix devices and Nessus scans. Review the release notes for the full list of fixes and improvements. Introducing Tenable OT Security 4.6 (Early Access) Our upcoming release introduces a variety of new features, performance enhancements, and streamlined workflows for large-scale industrial environments. Massive subnet scaling: Now supports up to 5,000 subnets per ICP, significantly increasing visibility for massive enterprise deployments. Centralized network management: A new Monitored Networks page includes bulk-add capabilities and the ability to stage inactive networks before monitoring. Precision scanning: New Nessus workflows let you define specific credential usage per scan for safe discovery of sensitive assets. Streamlined platform navigation: Updated workflow for SSO/SAML users helps you pivot back to the Tenable One platform instantly with the return button. Remote agent updates and query restrictions: Update OT agents directly from the ICP. and remove local site visits or manual CLI intervention. New infrastructure for OT agents also enables you to restrict specific protocol queries. Enhanced diagnostics: Exported asset logs now include deeper metadata to speed up Support and Engineering troubleshooting. IoT connector overhaul: Major stability and performance fixes for Milestone, AvigilonES, and Exacq Edge integrations for IoT asset discovery. This update focuses heavily on large-scale infrastructure, refined scan controls, and better integration with the Tenable One ecosystem. Check out the release notes and user guide for details. Tenable Web App Scanning Stop chasing dead keys: New secrets validation for WAS Don’t waste time manually verifying every leaked credential. Our new Secrets Validation automatically tests detected tokens, like GitHub or AI service API keys, to see if they are live and exploitable. By distinguishing between a harmless string and a critical vulnerability, you can prioritize your remediation efforts based on real-world risk, rather than noise. View the documentation or read the full breakdown on Tenable Connect. Tenable Training and Product Education Evolve from reactive patching to proactive risk oversight The Exposure Management Business Theory course, now available at no cost in Tenable University, guides you in self-paced modules toward building a sustainable exposure management program through the five pillars of the exposure lifecycle: scoping, discovery, prioritization, validation, and mobilization. Get strategic insight to align Tenable’s capabilities with your business goals, drive meaningful change, and make informed decisions. Get hands-on expertise with current industrial security capabilities The newly-updated Tenable OT Security Specialist instructor-led training course, now aligned with Tenable OT Security version 4.4, ensures you can effectively protect your critical infrastructure using the latest product features and workflows. You will learn to: Maximize visibility: Learn to leverage these enhancements to see and secure every asset in your OT environment. Reduce risk: Practice real-world scenarios to identify vulnerabilities and threats faster. Get expert guidance: Interact directly with instructors to master complex configurations and best practices. Visit tenable.com/education to learn more about our Tenable University education offerings, see global instructor-led training (ILT) schedules, and buy virtual ILT or on-demand courses. Tenable webinars Tune in for product updates, demos, how-to advice, and Q&A. See all upcoming live and on-demand webinars at https://www.tenable.com/webinars. Customer office hours These are recurring ask-me-anything sessions for Tenable Security Center, Tenable Vulnerability Management, Tenable Cloud Security, Tenable Identity Exposure and Tenable OT Security. Time-zone-appropriate sessions are available for the Americas, Europe (including the Middle East and Africa and Asia Pacific (APJ). Learn more and register here. Tenable Research Research Security Operations blog posts Subscribe to the Research team blog posts here. The cloud and AI velocity trap: Why governance is falling behind innovation Dynamic objects in Active Directory: The stealthy threat New malicious npm package "ambar-src" targets developers with open-source malware Research release highlights Improvement: Handling component installs for vulnerability assessment: Adds the ability to remove findings for component-based vulnerabilities from scan results New Dell OS10 compliance plugin and audit files: Customers can now measure compliance against Dell OS10 devices with new plugin ID Dell OS10 Compliance Checks (275781) on Tenable Vulnerability Management and Nessus. Content coverage highlights More than 2,700 new published vulnerability plugins. Nearly 50 new audits delivered to customers. Read Tenable documentation.Component Installs Require Paranoid Checks (DEPRECATED)
Update - March 4, 2026 After considering customer feedback, we. have decided to re-evaluate these changes and come up with a better way of handling Component installs. For the latest information, please refer to the new release highlight: Improvement: Handling Component Installs for Vulnerability Assessment Summary With this update, products that are deemed to be components of another application, will now require the scan to be run in paranoid mode to trigger generic vulnerability detection plugins. In this context, “generic vulnerability detection plugins” refers to plugins that cover advisories published by the component vendor (e.g., plugin ID 242325, SQLite < 3.50.2 Memory Corruption) rather than the operating system or “parent” application that distributes the component, either as a part of the operating system or a dependent tool of the parent application. Overview Tenable covers software that can be either installed as base level software, or be included as component software of a larger product installation. Base level software can be updated without any impact to the base product functionality. Component software is typically updated as part of the vendor update for the larger packaged product, and the individual components are not updatable. Non-paranoid scans will report base software vulnerabilities that are actionable. Paranoid scans will report on base software vulnerabilities as well component software vulnerabilities that are not actionable, but still package a potentially vulnerable version of the component. To enhance the accuracy of our vulnerability detection and provide users with greater control over scan results, we are implementing an update affecting how we flag vulnerabilities in software components. Our detection plugins for OpenSSL, Curl, LibCurl, Apache HTTPD, Apache Tomcat, SQLite, PHP, Python packages and Node.js modules can now identify when these packages are installed as components of another parent application (e.g., SQLite bundled with Trend Micro’s Deep Security Agent), rather than as standalone installs. Key Changes: Non-Paranoid Scans: Scans running in the default mode will no longer flag generic vulnerability detection plugins for these component installs. This is because vulnerabilities in components generally cannot be patched directly; users must wait for the parent application's vendor to issue an update. OS Vendor Advisories Unaffected: This change does not affect plugins for OS vendor security advisories that cover the same vulnerabilities (e.g., plugin ID 243452, RHEL 9 : sqlite (RHSA-2025:12522)). Paranoid Scans: For scans running in paranoid mode, generic vulnerability detection plugins will still trigger for component installs if the detected version is lower than the expected fixed version. Expected Impact: Customers running non-paranoid scans should anticipate seeing a reduction in potential vulnerability findings for OpenSSL, Curl, LibCurl, Apache HTTPD, Apache Tomcat, SQLite, PHP, Python packages and Node.js modules that are installed as components. Technical Details: The changes are entirely contained within two shared libraries, vcf.inc and vdf.inc, utilized by the affected plugins. This update impacts approximately 750 plugins specific to OpenSSL, Curl, LibCurl, Apache HTTPD, Apache Tomcat, and SQLite. Targeted Release Date: Friday, February 6, 2026New Dell OS10 Compliance Plugin and Audit files
Summary Customers can now measure compliance against Dell OS10 devices with new plugin ID Dell OS10 Compliance Checks (275781) on Tenable Vulnerability Management and Nessus. This plugin is published as a part of the Policy Compliance template and will use the existing SSH credential type. The plugin will retrieve all target data using "show" commands and will evaluate actual values against a given audit policy. Three audits implementing the DISA STIG will be released along with the plugin: DISA Dell OS10 Switch Layer 2 Switch STIG v1r1 20 checks DISA Dell OS10 Switch NDM STIG v1r1 39 checks DISA Dell OS10 Switch Router STIG v1r1 42 checks These audits contain a total of 101 checks. Some examples include: OS10-NDM-000010 The Dell OS10 Switch must limit the number of concurrent sessions to an organization-defined number for each administrator account and/or administrator account type. OS10-NDM-000410 The Dell OS10 Switch must enforce password complexity by requiring that at least one uppercase character be used. OS10-L2S-000240 The Dell OS10 Switch must not use the default VLAN for management traffic. OS10-RTR-001040 The Dell OS10 Router must be configured to suppress Router Advertisements on all external IPv6-enabled interfaces. Additional Notes For those that are interested in creating custom audit content for their environment, please see the plugin documentation for all supported keywords and uses at https://docs.tenable.com/nessus/compliance-checks-reference/Content/dell-os10.htm. Target Release Date Nessus/Tenable.VM - Immediate Tenable.sc - To be determined
Nessus now has Windows LAPS Support
Summary: Nessus now has the ability to leverage accounts managed by Microsoft Windows LAPS. How LAPS works: Since LAPS managed accounts have their passwords rotated routinely, users cannot just directly provide the credentials in their Scan Policy. Before this change, users would instead have to make an additional privileged account on each LAPS enabled Host to provide to Nessus. Currently Nessus supports Entra LAPS allowing a scan to pull LAPS Managed Credentials from a customer’s remote Entra instance. Now, Nessus can do the same for Windows LAPS, allowing customers with local LAPS setups to gain the same benefits! Without Windows LAPS support, customers must make dedicated account for Nessus to use to scan targets Change: With this LAPS support change, during the startup phase of a scan, Nessus will reach out to a customer provided Domain Controller hosting an AD forest with LAPS enabled, and pull a list of all Local Admin Accounts for devices managed by LAPS. Nessus will then attempt to use these retrieved LAPS managed accounts as credentials when attempting to access a target host. With Windows LAPS Support, Customers need only provide a single Credential that allows Nessus to retrieve the actual credentials for LAPS Managed Devices How to enable it: To make use of Nessus’ Windows LAPS support, a customer needs only to provide the necessary info to their scan/policy via the Windows LAPS Credential. They’ll need to provide us the IP of the DC, Credentials for an account on that DC with the necessary permissions*, and the DistinguishedName of the OU that contains their LAPS managed devices. *The Account for retrieving Windows LAPS credentials needs the following permissions General Recommend the Account be added to the BUILTIN/Administrators AD Group as it grants all required permissions, including: Access to the $Admin Able to log on to the DC remotely Able to run Powershell WMI and DCOM access to Root/CIMV2 WMI Namespace LAPS Permissions LapsADReadPasswordPermission rights to the LAPS OU Be an Authorized Password Decryptor in the LAPS GPO (without this, Nessus will not be able to retrieve passwords protected by LAPS Encryption). Members of the Domain Administrators group are Authorized Password Decryptors by default. For additional information see: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview Impact: Customers using Rotating Host passwords managed through Microsoft Windows LAPS can now leverage these credentials in their Nessus scans for more secure scanning configurations. Target Release Date: Nessus, T.VM On/About 09 JUN 2025 T.SC TBD
Ruby Gem Enumeration Detection Updates
Summary Tenable has updated the Ruby gem enumeration plugins to reduce false positives and to better identify vulnerabilities when multiple packages are present on the scan target. Change Before this update, the Ruby gem enumeration plugins did not attempt to associate detected packages with an RPM or DEB package managed by the Linux distribution. This would cause some packages to report vulnerabilities both based on a Linux distribution vendor’s advisory and a CVE advisory from the Ruby gem maintainer. Some gems that are symbolically linked across the filesystem could be detected multiple times. After this update, these issues have been addressed. Vulnerable Ruby gems on Linux assets will be assessed to determine if they are managed by a Linux distribution’s package manager, and if so, will be marked as “Managed” and will not report a vulnerability, unless the [Override normal Accuracy] setting to Show potential false alarms setting is enabled for the scan. Gems that are symbolically linked will be followed to the source file; duplicate detections will be eliminated. The gem enumeration plugins will no longer report the list of detected gems in plugin output; rather, they will use only internal storage mechanisms to record the detected gems, so that Ruby vulnerability plugins can continue to use that data for version checks. Some issues were identified in the Ruby gem enumeration plugins that could have prevented some gems from being detected when the scan config was set to perform thorough checks. Those issues were corrected in this update. Impact Most customers will notice a reduction in the volume of Ruby gem vulnerabilities reported due to removal of duplicate findings. Some may notice a change in detected vulnerabilities due to the updates to thorough mode scanning. Detection plugins 240646 - Ruby Gem Modules Installed (macOS) 207584 - Ruby Gem Modules Installed (Linux) 207585 - Ruby Gem Modules Installed (Windows) Target Release Date March 23, 2026February 2026 Tenable Product Newsletter
Greetings! Check out our February newsletter to learn about the latest product and research updates, upcoming and on-demand webinars and educational content — all to help you get more value from your Tenable solutions. Exposure 2026 Save 50% on the security conference of the year Don’t miss Exposure 2026, the first-ever conference dedicated exclusively to proactive, unified exposure management. Join us in Boston, Mass., from May 19-21, 2026, to get: Hands-on instruction with Exposure Management Strategy or Tenable One Technical Training Practical resources and real-world insights from Tenable leaders and industry experts Register before March 31 to save 50% off admission and training with early bird pricing. Tenable One Say hello to the Tenable One Open Connector We know your security stack is disparate, but your visibility shouldn't be. That's why we're thrilled to introduce the Tenable One Open Connector — a powerful new way to bridge the gaps across your attack surface and create a truly unified, context-aware view of risk. Bring your own data: Don't wait for a pre-built connector. Whether it’s pentesting reports or external vulnerability scans, you can now ingest data from across your entire stack on your own terms. Seamless uploads: Use in-platform drag-and-drop functionality to upload CSV, Excel, or ZIP files in seconds — no complex APIs or coding required. Customizable mapping: Customize exactly how you organize data for precise segmentation and more accurate reporting. Ready to unify your security data? Explore the Tenable One Open Connector. AI Exposure Tenable One AI Exposure now gives you visibility and control to close your AI exposure management gap through three core capabilities: Discover AI across your entire environment: Continuously discover shadow AI across your environment, so your security teams have a complete, risk-aware view of where AI exists, its connections, and where exposure begins. Protect AI workloads and agents: Reduce real-world AI risk by protecting the systems that power AI to close the gaps that attackers exploit across infrastructure, agents, and attack paths. Govern AI usage (add-on): Enable secure, compliant AI adoption by eliminating blind spots in how employees interact with GenAI and autonomous agents to ensure your workforce adopts generative tools within a governed framework that prevents data leakage and maintains alignment with organizational policies. For more information, visit our webpage or view the data sheet. Reach out to your customer success manager to get started today! Tenable Cloud Security At Tenable, we are obsessed with your uptime. This month’s updates focus on one goal… shortening the distance between discovering a risk and fixing it. The Highlight: Patch faster, firefight less We’ve integrated Remediation Patches (including Tenable Plugin IDs) directly into your vulnerability tables and workload profiles. The outcome: Drastically reduce Mean Time to Remediation (MTTR) by giving DevOps the exact patch name they need without all the manual research required. Where to find it: Check the new "Patch Name" column in your Vulnerabilities table or click into any Patch Profile for deep context. Validated vision: The Forrester Wave™ Q1 2026 Tenable has been named a Strong Performer in the Forrester Wave™: Cloud Native Application Protection Solutions (CNAPP), Q1 2026. Platform power: Forrester validated our vision for reducing tool sprawl, awarding Tenable a "superior" rating for simplifying exposure management. Perfect scores: We earned 5/5 scores in critical categories: CIEM, Container Orchestration Protection, Reporting, Vision, and Community. Technical edge: The report specifically highlighted our excellence in identifying toxic combinations of permissions and our "extra mile" customer support. Impactful updates Strategic risk management: Use our new Exclusions framework to silence non-actionable findings and focus your team on risks that actually move the needle. AWS ABAC support: Achieve True Least Privilege with granular identity visibility and highly accurate permission recommendations. Automation at scale: New GraphQL API support for Projects allows you to bake security governance directly into rapid DevOps workflows. View Full Cloud Release Notes Tenable Vulnerability Management Streamline AI and MCP risk tracking Monitor artificial intelligence exposure with the updated Tracking AI Exposure dashboard and report. This release replaces complex plugin output filters with simplified plugin family filters, allowing you to identify AI-related vulnerabilities across your environment. This also introduces dedicated content for the Model Context Protocol (MCP), ensuring you can secure AI connectivity alongside your LLM deployments. By utilizing these tools, you gain insight into your AI attack surface to better prioritize exposure. See the dashboard and report here. Navigate the transition to post-quantum cryptography Secure against the threat of quantum computing with Post Quantum Ciphers Analysis report and dashboards. As quantum computers advance, the standard RSA and Elliptic Curve Cryptography (ECC) algorithms for web browsing, VPNs, and identity verification will become vulnerable. By leveraging specialized plugins you can inventory your cryptographic landscape. This allows you to: Identify where RSA and ECC are currently deployed to prioritize your transition to quantum-resistant standards. Detect remote services and Web Application Scanning (WAS) environments that lack post-quantum cipher support. Pinpoint specific vulnerable ciphers, certificates, and assets that require immediate attention. This empowers you to manage the shift to post-quantum security, ensuring your data remains protected as computing capabilities evolve. See the dashboard and report to dive in. Maximize scan efficiency while protecting host & network performance Take full control of your sensor fleet with CPU resource and plugin download concurrency controls. This empowers you to balance essential security visibility with the performance needs of your business-critical infrastructure. CPU resource management: Protect host productivity by setting specific CPU utilization limits for Windows and Linux agents within your agent profiles. This ensures your security scans run efficiently without impacting the user experience or system stability. Bandwidth optimization: Avoid network congestion by governing how many agents or scanners download plugin updates at once. These global settings allow you to throttle traffic to accommodate limited internet pipes, ensuring your network remains responsive. These tools offer flexibility to scale your deployment without compromising network or host stability. For further information, see the release notes. Tenable Security Center Introducing Tenable Security Center 6.8 Our latest release introduces several new features and enhancements to streamline your security operations. Focus on real risk: Stop chasing 60% of Common Vulnerabilities and Exposures (CVE) as High or Critical. Start focusing on the 3% of CVEs that truly matter. Enhanced VPR logic and new AI-powered insights explain why an exposure is significant and provide clear mitigation guidance based on regional and industry-specific threat actor behavior. Streamlined infrastructure: We’ve unified IPv4, IPv6, and Agent repositories into a single, flexible Asset Repository type to reduce administrative overhead and give you more freedom in how you bucket and analyze your data. You can now target any data, including agent, network scan, and passive data, into any repository. Asset grouping and customization: The Explore Assets page includes new Group By options for Microsoft ID, Network, System Type, and Asset Criticality Rating (ACR). Other enhancements to the Explore Assets page include the ability to edit ACR scores (available in Tenable Security Center Plus) directly in the Explore interface. You can also export findings and installed software for specific assets to a comma-separated values (CSV) file. Background queries: Start a query and keep working. Tenable Security Center now processes long-running asset searches in the background. Scan optimization: Prevent performance issues with new per-host timeouts that keep your scan schedules on track to prevent a single host from increasing overall scan time. Enhanced security: Use at-rest encryption for External PostgreSQL databases and expanded PAM integration for Delinea and BeyondTrust. Before you upgrade: Tenable Security Center 6.8 supports upgrades from version 6.4.0 and later. Please review the updated hardware specifications in the release notes for optimal performance. Tenable OT Security Now available: Tenable OT Security 4.5 Our latest release delivers improved scalability for enterprise environments, enhanced power grid visibility, and enhanced Tenable One platform integration. Policy violation findings widgets: New widgets for High-Risk Violations and Operational Violations replace the former Events widgets in the Overview Dashboard, making it easier to distinguish between critical exposures from non-critical operational issues. Advanced dynamic tagging: Streamline prioritization and reporting with the ability to create rule-based groups and tags with multiple filters, including asset type, risk score, and criticality. Enhanced support for IEC 61850: Improve passive detection of intelligent electronic devices with comprehensive visibility across substation and power generation infrastructures. Unified SOC visibility: You can now directly view policy violations that Tenable OT Security detects, such as unauthorized access, failed logins or risky configuration changes, within Tenable Security Center dashboards and reports to give your security operations center (SOC) and IT security teams a unified view of both OT vulnerabilities and OT policy issues. Expanded compliance mapping: Simplify how you track, measure, and report against critical security frameworks with the ability to directly map asset data and policies to NIST CSF as well as IEC 62443-3-3 to improve visibility for electrical substation and power grid environments. Role-based access controls (RBAC): Tenable Enterprise Manager now enables admins to assign users to specific ICPs using user groups, so users only view the zones they’re authorized to see while inheriting ICP-level roles. New protocol and device coverage: Tenable identifies several new vulnerabilities in this release for devices from multiple vendors, including ABB, ANDRITZ HYDRO GmbH, Barco, General Electric, Generex, HP, Lexmark, Schneider, and others. See the complete list here. Note: Upgrades from versions prior to 4.4 may take longer than usual due to the migration of policy events. If you have hundreds of thousands of events, upgrades can take about 30 minutes. Access the release notes to learn more. Tenable Identity Exposure Our February rollout focuses on hardening the Active Directory attack surface and ensuring the integrity of your detection engine. To maintain a resilient identity posture, we have introduced visibility into transient objects and streamlined health monitoring for your infrastructure. Hardening dynamic AD environments: This new Indicator of Exposure (IoE) detects Dynamic Objects Misconfiguration and Usage. This enhancement mitigates risk by identifying transient objects that attackers could exploit for unauthorized access or persistence. Detection engine integrity: We have optimized Domain Installation health checks to ensure your security stack operates at peak performance: Conflict resolution: The system now flags redundant "Tenable IoA GPO EVT Subscribe Listener" files within your SYSVOL. System optimization: Identifying these multiple versions ensures you are running the latest configuration, preventing detection lag or GPO conflicts. View Full Identity Release Notes Tenable Ecosystem Tenable Add-on for Splunk v8.0.2 Tenable has released version 8.0.2 of the Tenable Add-on for Splunk. This latest quality update improves data reliability by resolving a specific index_time race condition previously affecting Tenable Security Center. For more information, please read the Tenable Documentation, and visit Splunkbase to download. Tenable WAS Integration for ServiceNow VR v30.2.0 Tenable has fully integrated Tenable Web App Scanning (WAS) with the ServiceNow Vulnerability Response (VR) app (v30.2.0). This update enables security teams to automatically synchronize application metadata and DAST vulnerability findings directly into ServiceNow to unify remediation workflows. Key benefits: CMDB correlation: Automatically map WAS findings to your CMDB applications for enhanced asset context. Scalable ingestion: Uses Tenable Export APIs to retrieve data in chunks, ensuring high performance for large-scale environments. Flexible lookups: A new Lookup Strategy field enables independent configuration of CI Lookup or Product Model settings for each integration. Broad compatibility: Fully compatible with ServiceNow’s Zurich, Yokohama, Washington, and Xanadu releases. For more details, read the ServiceNow User Guide and visit the ServiceNow Store for the appropriate Tenable apps for ServiceNow. Tenable Plugin for Jira On-premises v11.0.0 Tenable has released version 11.0.0 of the Tenable Plug-in for Jira (On-Prem), adding full support for Jira 11.x Data Center environments. This update modernizes the tech stack to streamline vulnerability remediation workflows. Automatically synchronize findings from Tenable Vulnerability Management, Security Center, and Web App Scanning directly into Jira tickets. Please note: This version is not backward compatible with Jira versions earlier than 11.x; users on Jira 9.x or 10.x must upgrade their Jira environment to use this plugin. For more information, please read the Tenable Documentation and visit Atlassian Marketplace to download the newest versions. Tenable Connect The Tenable Connect Resource Center expansion now better supports your Tenable journey! Look for the question mark in the bottom right-hand corner of any Tenable Connect page for quick access to submit feature requests, and find essential onboarding materials and info on upcoming office hours. Customer Office Hours These are recurring ask-me-anything sessions for Tenable Security Center, Tenable Vulnerability Management, Tenable Cloud Security, Tenable Identity Exposure, and Tenable OT Security. Time-zone-appropriate sessions are available for the Americas, Europe (including the Middle East and Africa), and Asia Pacific (APJ). Learn more and register here. Tenable Webinars See all upcoming live and on-demand webinars here. Tenable Research Research Security Operations blog posts Subscribe to the Research team blog posts here. I pretended to be an AI agent on Moltbook, so you don’t have to LookOut: Discovering RCE and internal access on Looker (Google Cloud & On-prem) From Clawdbot to Moltbot to OpenClaw: Security experts detail critical vulnerabilities and 6 immediate hardening steps for the viral AI agent Tenable discovers SSRF vulnerability in Java TLS handshakes that creates DoS risk Research release highlights Improvements to live kernel patching detection: Tenable has improved the logic used to detect live-patched kernels to include the running kernel to support KernelCare for Alma Linux, CentOS, CentOS Stream, Fedora, Oracle Linux, Red Hat Linux, and Ubuntu Linux. Backported vulnerability detection improvements: Banners that indicate a Linux distribution will be considered backported by default. Content coverage highlights Almost 15,000 new published vulnerability plugins. More than 38 new audits were delivered to customers. Read Tenable documentation.
