Component Installs Require Paranoid Checks
Summary With this update, products that are deemed to be components of another application, will now require the scan to be run in paranoid mode to trigger generic vulnerability detection plugins. In this context, “generic vulnerability detection plugins” refers to plugins that cover advisories published by the component vendor (e.g., plugin ID 242325, SQLite < 3.50.2 Memory Corruption) rather than the operating system or “parent” application that distributes the component, either as a part of the operating system or a dependent tool of the parent application. Overview Tenable covers software that can be either installed as base level software, or be included as component software of a larger product installation. Base level software can be updated without any impact to the base product functionality. Component software is typically updated as part of the vendor update for the larger packaged product, and the individual components are not updatable. Non-paranoid scans will report base software vulnerabilities that are actionable. Paranoid scans will report on base software vulnerabilities as well component software vulnerabilities that are not actionable, but still package a potentially vulnerable version of the component. To enhance the accuracy of our vulnerability detection and provide users with greater control over scan results, we are implementing an update affecting how we flag vulnerabilities in software components. Our detection plugins for OpenSSL, Curl, LibCurl, Apache HTTPD, Apache Tomcat, SQLite, PHP, Python packages and Node.js modules can now identify when these packages are installed as components of another parent application (e.g., SQLite bundled with Trend Micro’s Deep Security Agent), rather than as standalone installs. Key Changes: Non-Paranoid Scans: Scans running in the default mode will no longer flag generic vulnerability detection plugins for these component installs. This is because vulnerabilities in components generally cannot be patched directly; users must wait for the parent application's vendor to issue an update. OS Vendor Advisories Unaffected: This change does not affect plugins for OS vendor security advisories that cover the same vulnerabilities (e.g., plugin ID 243452, RHEL 9 : sqlite (RHSA-2025:12522)). Paranoid Scans: For scans running in paranoid mode, generic vulnerability detection plugins will still trigger for component installs if the detected version is lower than the expected fixed version. Expected Impact: Customers running non-paranoid scans should anticipate seeing a reduction in potential vulnerability findings for OpenSSL, Curl, LibCurl, Apache HTTPD, Apache Tomcat, SQLite, PHP, Python packages and Node.js modules that are installed as components. Technical Details: The changes are entirely contained within two shared libraries, vcf.inc and vdf.inc, utilized by the affected plugins. This update impacts approximately 750 plugins specific to OpenSSL, Curl, LibCurl, Apache HTTPD, Apache Tomcat, and SQLite. Targeted Release Date: TBD
Research Release Highlight - Backported Vulnerability Detection Improvements
Summary Backporting is the practice of using parts of a newer version of software to patch previous versions of the same software, most commonly to resolve security issues that also affect previous versions. For example, if a vulnerability is patched in version 2.0 of a piece of software, but version 1.0 is also affected by the same security hole, the changes are also provided as a patch to version 1.0 to ensure it remains secure. Tenable Research identifies backported software installs based on the server banners that the service returns. Previously, when a backported install was detected during a non-paranoid scan, downstream vulnerability plugins would not report the install as vulnerable. During a paranoid scan, vulnerability plugins would act upon the version returned in the banner and would flag if a vulnerable version was installed. Exact details of this process were outlined in this article. This approach was false positive prone and was difficult to maintain accurately due to inconsistent & untimely information from vendors detailing their backported fixes. Change As discussed in the above article, Tenable Research previously maintained a list of known backported banners. If a delta existed between the release of a backported fix & an update made by Tenable Research, a false positive result may have occurred in scans during this time. Following this change, any banners which indicate the software is packaged by a Linux distribution will be deemed to be backported by default. These types of banners typically follow the format of <product>/<version> (<Operating System>) ( E.g., Apache/1.2.3 (Ubuntu) ). Impact During non-paranoid scans, customers can expect improved coverage for products which contain backport fixes that are detected remotely. As a result of this, a reduction in false positives being reported is also expected. Enabling paranoia in a scan configuration will continue to cause backported installs to be treated as regular installs by vulnerability checks. For more accurate vulnerability checks which don’t rely upon the content in a server banner, customers can leverage credentialed or agent-based local checks. Target Release Date January 22, 2026
CyberArk for Palo Alto Networks PAN-OS and F5
Summary Tenable is pleased to announce that customers can now use CyberArk for privilege access management with both the Palo Alto Networks PAN-OS and F5 credentials. Scope Customers utilizing Tenable Vulnerability Management and Nessus Manager now have the capability to configure vulnerability scans with the PAN-OS credential utilizing CyberArk as an authentication method. Similarly to PAN-OS, the F5 credential has also been updated with CyberArk as an option for providing authentication credentials for compliance checks scans. Supported PAM Integration in this Release: CyberArk Plugins The below integration plugins provide essential information for validating the successful acquisition of authentication credentials from CyberArk by both the F5 and PAN-OS integrations. Integration Plugins Integration Status Debugging Log Report Impact Customers will now see CyberArk as credential PAM options within the F5 and Palo Alto Networks PAN-OS credentials. For any issues related to the use of PAM authentication with F5, please refer to the new log in the Debugging Log Report. Example - If using F5 with CyberArk support, the file will display as “f5_settings.nbin~CyberArk”. For any issues related to the use of PAM authentication with Palo Alto Networks PAN-OS, please refer to the new log in the Debugging Log Report. Example - If using F5 with CyberArk support, the file will display as “palo_alto_settings.nasl~CyberArk” Release Date January 21, 2026 for Tenable VM and Nessus TBD: Tenable Security CenterSNMPv3 for CyberArk and HashiCorp Vault
Summary Tenable is pleased to announce the addition of SNMPv3 credentials for our CyberArk and HashiCorp Vault integrations. Scope Customers utilizing Tenable Vulnerability Management and Nessus Manager now have the capability to configure vulnerability scans with SNMPv3 credentials for our CyberArk and HashiCorp Vault integrations. This option is situated under the "Host" category within the credentials tab of either the CyberArk or HashiCorp Vault Integration. Detailed information about the integration configurations can be found within our integration documentation pages for CyberArk and HashiCorp Vault. Supported PAM Integrations in this Release: CyberArk HashiCorp Vault Plugins The following integration plugins contain information that is essential for validation whether the integration successfully obtained a credential for use in SNMPv3 authentication. Integration Plugins Integration Status Debugging Log Report Impact Customers will now see CyberArk and HashiCorp Vault as credential PAM options within the SNMPv3 authentication credentials. For any issues related to the use of PAM authentication with SNMPv3, please refer to the new log in the Debugging Log Report. Example: If using SNMPv3 with CyberArk support, the file will display as “snmp_settings.nasl~CyberArk”. Release Date January 7th, 2026 for Tenable VM and Nessus TBD: Tenable Security Center
Research Release Highlight - SSH Session Reuse
Summary Nessus scan will support an opt-in feature to reuse SSH sessions during a scan where possible when running Nessus versions 10.9.0 and greater. This update was made in response to numerous customer requests for reducing the number of new SSH connections established during remote network scans and the associated increase in network traffic. Change A new scan configuration template option will be available for customers to actively enable the [Reuse SSH connections] configuration in their scan policies in Advanced Settings under Advanced Performance Options. Customers can return to the classic SSH connection functionality by changing [Reuse SSH connections] to the default “off” setting in their scan policies. Customers must be running a version of Nessus 10.9.0 or greater that supports this feature and have a Plugin Feed that displays the scan configuration policy user interface and NASL plugin set with the SSH session reuse functionality. Impact Customers should see a significant decrease in the total number of SSH sessions established during a Nessus scan as well as a reduction in load on Enterprise authorization, access, and accounting (AAA) tooling such as RADIUS servers and other connection management services. There should be no difference in scan results between scans that leverage SSH Session Reuse and scans that do not. If customers experience any such issues, the feature can easily be toggled off to return SSH connections during scans to the classic connection functionality. Target Release Date January 15, 2026Improved Resource Management Control
Summary Improved resource management control for plugins leveraging Windows Management Instrumentation (WMI) on Nessus Agent 11.1.0 or higher. Impact Customers with Nessus Agent 11.1.0 and later versions will have the ability to granularly control the CPU resources consumed during scans. This update ensures that plugins respect the resource usage setting selected during scan configuration by launching commands as children of the Nessus Agent, rather than invoking them via WMI. The release of these plugins will continue through January, with a phased approach over three weeks. The first release will be January 13th, the second January 20th, and the final planned plugin update on January 27th. Target Release Date Phase 1 plugin set: January 13, 2025 Phase 2 plugin set: January 20, 2025 Phase 3 plugin set: January 27, 2025Distinct Agent Plugin Databases for RPM-Based Distributions
Summary Tenable will now provide separate agent plugin databases for RPM-based Linux distributions. Impact Historically, the majority of plugins for RPM-based Linux distributions have all been distributed via a single artifact. Starting with Nessus Agent 11.1.0, Tenable will now publish separate artifacts based on the following plugin families: Alma Linux Local Security Checks CentOS Local Security Checks Miracle Linux Local Security Checks Oracle Linux Local Security Checks Red Hat Enterprise Linux Local Security Checks Rocky Linux Local Security Checks As a result, customers will see a reduction in the overall size of the agent database (15-31% reduction at rest, 7-14% downloaded), directly leading to smaller updates and reduced resource consumption during the update process. This improvement will be available to all customers using Agent 11.1.0 or later versions. Target Release Date January 13, 2026Research Highlight - New Plugin Family: Miracle Linux Local Security Checks
Summary Tenable will now provide vulnerability check plugins for Miracle Linux. Impact Customers with Miracle Linux systems in their environments will be able to scan them for vulnerabilities. These plugins will belong to the “Miracle Linux Local Security Checks” family. At initial release, there will be approximately 1,500 new plugins for Miracle Linux. Use of these plugins will require Agent 11.1.0 and above. Target Release Date January 13, 2026Cisco Meraki API Host Guidance
Summary Tenable is announcing changes to our documentation for the Cisco Meraki API integration. Customers using a “unique” host in the “Cisco Meraki Host” field of the credential should use “api.meraki.com”, or a region-specific instead if applicable. Please refer to the documentation for full guidance. Tenable and Cisco Meraki Integration Guide Impact Customers using the Cisco Meraki API integration are encouraged to check their configurations and update them accordingly. This change in guidance addresses cases where some customers were experiencing HTTP 308 redirects, resulting in integration failures. This is also closely related to cases where customers were experiencing HTTP 403 errors, which has been addressed by changes in the Cisco Meraki API Web Application Firewall (WAF). Release Date Dec 15th, 2025
Tenable Post-Quantum Cryptography Inventory Support
Summary The advent of quantum computing presents a significant threat to current cryptographic algorithms. Organizations worldwide are beginning the critical transition to post-quantum cryptography (PQC) resistant algorithms to ensure long-term data security. Government mandates, such as the U.S. National Security Memorandum 10 (NSM-10), outlines deadlines for PQC migration and specific actions agencies must take to migrate vulnerable systems. Our PQC support is designed to help customers inventory use of TLS and SSH quantum-resistant and vulnerable algorithms within their infrastructure using remote Nessus-based scans. Cipher Inventory and Reporting Post-Quantum Cipher Plugins Two remote-based scan informational reporting plugins for TLS and SSH protocols inform customers of their transition posture according to NIST Post-Quantum Encryption Standards. Services Using Post Quantum Cryptography: Reports on services equipped with at least one post-quantum cipher. It will specify which post-quantum ciphers were discovered, reporting by port and protocol. Services Not Using Post Quantum Cryptography: Reports on services that support no post-quantum ciphers. These plugins will be enabled by default and included in existing scans. Cryptographic Inventory Plugin Reporting To enable a JSON-based inventory of each target by service and cipher, enable through either a preference on your Advanced Network Scan or by running the Cryptographic Inventory scan template. These preferences will initially be supported in Nessus and Tenable Vulnerability Management. They are planned to be added to Tenable Security Center at a later date. Warning: Enabling this preference through the Advanced Network Scan is expected to increase the overall size of the plugin output per target and resulting Nessus database size. If you do not need to produce this inventory at all or on your regular scan cadence, it’s recommended to instead run the Cryptographic Inventory scan template to decrease the potential impact to your normal scan results. Options to Enable Inventory Reporting Advanced Scan Preference Post Quantum Cryptography Scan Template Cryptographic Inventory Plugin Details The plugin enabled with the preference or scan template is an information plugin called Target Cipher Inventory. Within the output of this plugin, you will find a JSON structure containing the TLS and SSH inventories for the scanned target. You can export this inventory based on plugin output using the Tenable API if needed. For TLS, the structure contains: Attribute Definition Encaps Protocol encapsulation employed such as TLSv1, TLSv2, TLSv3 Port Port used for TLS communication Curve Group Encryption method Ciphersuite Algorithm used to secure the TLS connection For SSH, the structure contains: Attribute Definition Proto Protocol of SSH Port Port used for SSH communication Name Algorithm used to secure the protocol Type Use of the named algorithm such as “message auth” Release Date Tenable Vulnerability Management and Tenable Nessus: December 8, 2025 Tenable Security Center: - December 8, 2025 for the informational plugins - Cryptographic Inventory scan template release to be determined
