Component Installs Require Paranoid Checks (DEPRECATED)
Update - March 4, 2026 After considering customer feedback, we. have decided to re-evaluate these changes and come up with a better way of handling Component installs. For the latest information, please refer to the new release highlight: Improvement: Handling Component Installs for Vulnerability Assessment Summary With this update, products that are deemed to be components of another application, will now require the scan to be run in paranoid mode to trigger generic vulnerability detection plugins. In this context, “generic vulnerability detection plugins” refers to plugins that cover advisories published by the component vendor (e.g., plugin ID 242325, SQLite < 3.50.2 Memory Corruption) rather than the operating system or “parent” application that distributes the component, either as a part of the operating system or a dependent tool of the parent application. Overview Tenable covers software that can be either installed as base level software, or be included as component software of a larger product installation. Base level software can be updated without any impact to the base product functionality. Component software is typically updated as part of the vendor update for the larger packaged product, and the individual components are not updatable. Non-paranoid scans will report base software vulnerabilities that are actionable. Paranoid scans will report on base software vulnerabilities as well component software vulnerabilities that are not actionable, but still package a potentially vulnerable version of the component. To enhance the accuracy of our vulnerability detection and provide users with greater control over scan results, we are implementing an update affecting how we flag vulnerabilities in software components. Our detection plugins for OpenSSL, Curl, LibCurl, Apache HTTPD, Apache Tomcat, SQLite, PHP, Python packages and Node.js modules can now identify when these packages are installed as components of another parent application (e.g., SQLite bundled with Trend Micro’s Deep Security Agent), rather than as standalone installs. Key Changes: Non-Paranoid Scans: Scans running in the default mode will no longer flag generic vulnerability detection plugins for these component installs. This is because vulnerabilities in components generally cannot be patched directly; users must wait for the parent application's vendor to issue an update. OS Vendor Advisories Unaffected: This change does not affect plugins for OS vendor security advisories that cover the same vulnerabilities (e.g., plugin ID 243452, RHEL 9 : sqlite (RHSA-2025:12522)). Paranoid Scans: For scans running in paranoid mode, generic vulnerability detection plugins will still trigger for component installs if the detected version is lower than the expected fixed version. Expected Impact: Customers running non-paranoid scans should anticipate seeing a reduction in potential vulnerability findings for OpenSSL, Curl, LibCurl, Apache HTTPD, Apache Tomcat, SQLite, PHP, Python packages and Node.js modules that are installed as components. Technical Details: The changes are entirely contained within two shared libraries, vcf.inc and vdf.inc, utilized by the affected plugins. This update impacts approximately 750 plugins specific to OpenSSL, Curl, LibCurl, Apache HTTPD, Apache Tomcat, and SQLite. Targeted Release Date: Friday, February 6, 2026Improvement: Handling Component Installs for Vulnerability Assessment
Background On Friday, February 6, 2026, Tenable Research published a plugin update that changed the way component installs are assessed for vulnerabilities. Those changes are outlined in a previous release highlight: Component Installs Require Paranoid Checks, This update essentially reverts this change, while adding new functionality to allow users to choose whether or not they want component installs assessed for vulnerabilities. Component installs are no longer influenced by scan paranoia settings. What are “Component Installs”? Software components, such as applications or language modules/libraries, are installed and managed by a primary "parent" package or application. The crucial point is that these components often cannot be updated individually. Instead, their vulnerability assessment and upgrade are entirely dependent on an update of the parent package. For instance, the SQLite database component is installed as part of the Trend Micro Deep Security Agent and is updated only when the Agent itself is updated. Nessus uses several factors to determine if a detected product is a component, or a standalone installation, including: Was the product installed by a package manager? These products are not considered components, as they are managed by the package manager and not a “parent” application Is the component a “language library”, i.e. a library or module used by the interpreter of a programming language like Python or Node.js? These enumerated libraries are marked as components by default. Does the product reside in a directory that is recognized for installations that are not component-based? Changes By default, component installs are once again assessed for vulnerabilities, as was the case prior to the release of the aforementioned update. If users wish to turn this setting off, so that component installs will not be assessed by generic vulnerability detection plugins, they can do so via the newly created scan preference. The end result of this change should be that fewer “false positives”, i.e. reported vulnerabilities for components that are “owned” by another application, are shown in scan results. Components with vulnerabilities that cannot be addressed independently of the “parent” application will not show in scan results. However, some customers have expressed a desire to see these vulnerabilities in their scan results anyway, to ensure full awareness of the risk profile of every application in their environment. This is still possible through the updated scan configuration settings. To modify this setting in your scan policy, go to Settings > Assessment > Accuracy > Override Normal Accuracy > Assess component installs for potential vulnerabilities. This setting is ON (checkbox is ticked) by default, so users must enable the Override Normal Accuracy checkbox (which is OFF / unchecked by default) if they wish to disable the setting and ensure that component installs are not assessed by generic vulnerability detection plugins in this scan. Please note that this update makes no other changes to the existing paranoia logic, outside of what is described above. For now, “Managed”, “Managed by OS” and “Backported” installs are still controlled by the Show/Avoid potential false alarms radio button. How can I tell if the detected install is a component or not? In addition to the above, we have also updated the relevant detection plugins so they will show if the component flag is set or not. At present, this includes detection plugins for OpenSSL, Curl, LibCurl, Apache HTTPD, Apache Tomcat, SQLite, Python Packages, Node.js modules and, soon to follow, Ruby and Nuget libraries. Using plugin ID 174788, SQLite Detection (Windows), here is a before and after example of the expected plugin output. Before: After: Expected Impact With the new default setting in place, users should anticipate an increase in vulnerability findings for the products in scope, returning to a level similar to what was observed before the first update. If users do not wish to surface these additional potential vulnerabilities, they should disable the "Assess component installs for potential vulnerabilities” setting. If the new scan preference is disabled, the volume of findings will remain consistent with current levels, when scanning with normal accuracy (paranoia) settings. Affected Plugins 12288, global_settings.nasl (updated to support the new scan policy preference) Any plugin that operates downstream of those in the list below: SQLite: 174788 - sqlite_nix_installed.nasl 171077 - sqlite_win_installed.nasl OpenSSL: 168007 - openssl_nix_installed.nasl 168149 - openssl_win_installed.nasl Curl: 182774 - curl_nix_installed.nasl 171860 - curl_win_installed.nasl LibCurl: 182848 - libcurl_nix_installed.nasl Apache HTTPD: 141394 - apache_http_server_nix_installed.nasl 141262 - apache_httpd_win_installed.nasl Apache Tomcat: 130175 - apache_tomcat_nix_installed.nasl 130590 - tomcat_win_installed.nasl Python Packages: 164122 - python_packages_installed_nix.nasl 139241 - python_win_installed.nasl Node.js Modules: 178772 - nodejs_modules_linux_installed.nasl 179440 - nodejs_modules_mac_installed.nasl 200172 - nodejs_modules_win_installed.nasl Targeted Release Date Tenable Nessus and Vulnerability Management: Monday, March 9, 2026 (ETA 22:30 Eastern Standard Time) Tenable Security Center: Monday, March 16, 2026Overview of Callbacks in Log4j Remote Detection Plugins The...
Overview of Callbacks in Log4j Remote Detection Plugins The following is an overview of callbacks in Tenable plugins for Log4Shell that perform remote detection 155998, 156014, 156016, 156017, 156035, 156056, 156115, 156132, 156157, 156158, 156162, 156166, 156197, 156232, 156256, 156257, 156258, 156375, 156445, 156559, and 156669. A HTTP request is sent by the scanner to the target being scanned with a benign payload containing a unique token. The target, if vulnerable, will act on the payload. Tenable tracks the target’s action on the payload via a callback to our hosted environment (plugins 156014, 156016, 156017, 156035, 156056, 156115, 156132, 156157, 156158, 156162, 156166,156197, 156232, 156256, 156257, 156258, 156375, 156445, 156559, and 156669) based on the unique token that was embedded in the initial request or via the LDAP connection callback to the scanner for plugin 155998. The callback is needed given the nature of the vulnerability as execution of the payload happens on the target being scanned. In plugin 155998, the callback happens to the scanner. This is the reason the plugin is not supported on Tenable.io cloud scanners In plugins 156014, 156016, 156017, 156035, 156056, 156115, 156132, 156157, 156158, 156162, 156166, 156197, 156232, 156256, 156257, 156258, 156375, 156445, 156559, and 156669 as part of execution of the payload, the target tries to resolve a domain owned by Tenable. While resolving the domain, Tenable is able to see the unique token that was sent in the initial request and thereby can track the callback. These plugins come with the major benefit that credentials are not required for scanning. However, the callbacks need to be successful for the plugin to be able to identify the exposure. Hence, communication between the target being scanned and the callback server must not be interrupted by intermediary devices. For more details: https://community.tenable.com/s/feed/0D53a00008E3hKzCAJ https://www.tenable.com/blog/cve-2021-44228-proof-of-concept-for-critical-apache-log4j-remote-code-execution-vulnerabilityVulnerability Scanning Container Directory Exclusion Summary
Vulnerability Scanning Container Directory Exclusion Summary Directories that store container image layers will be excluded by default from vulnerability scanning for Tenable Vulnerability Management, Security Center and Nessus. The directories that will be excluded are those configured for container storage by the container management solution. Docker: The "Docker Root Dir:" as returned by the "docker info" command. This is /var/lib/docker by default. Podman: The "graphRoot:" as returned by the "podman system info" command. This defaults to /var/lib/containers/storage. containerd: The "root =" directory as returned by the "containerd config dump" and "containerd config default commands. This location is /var/lib/containers/storage by default. CRI-O: The "storage graph root:" as returned by running "crio status info". This location is /var/lib/containers/storage by default. What is the impact? Vulnerabilities previously detected as a result of scanning these directories will become mitigated on the next scan and findings not returned in future scans. These findings are a result of examining the container image layers on the filesystem. The container may not necessarily be running and represent risk to your organization and customers generally consider these results as false positives since they are managed Docker deployments. Tenable Cloud Security is designed to secure container images and provide pre-deployment validation. Recursively scanning these directories is a resource and time consuming process. The exclusion of the directories may also result in decreased scan times. Can I override the change? You could add an Include Filepath rule to your scan configuration in order to override the default exclusion behavior. This may be found under the Scan Policy Advanced Options. A note of caution that overriding the default behavior could affect scan performance or give results that are unable to be remediated since within a managed container. In order to include a directory that is automatically excluded, the user include filepath has to match the excluded directly exactly. Example: If your Docker configuration uses /var/lib/docker for container storage you would add /var/lib/docker to your user filepath inclusions. Adding a more or less specific location will have no effect. What are the affected plugins? At the time of this release highlight publication, the following plugins are leveraging find: 142023 - Apache Cassandra Installed (Linux) 133766 - Apache Maven Installed (Linux / Unix) 135172 - Oracle NoSQL Database Installed (Linux) 117706 - MagniComp SysInfo Installed (Linux/UNIX) 111679 - FasterXML Jackson Databind Detection for Linux/UNIX 112063 - Kubernetes Installed (Linux) 136340 - nginx Installed (Linux/UNIX) 131566 - Atlassian Jira Installed (Unix / Linux) 147817 - Java Detection and Identification (Linux / Unix) 132771 - Palo Alto Cortex XSOAR Installed (Unix / Linux) 132872 - Foxit Reader Installed (Linux) 174788 - SQLite Local Detection (Linux) 151883 - Libgcrypt Installed (Linux/UNIX) 99671 - Apache Struts Detection for Linux/UNIX 156000 - Apache Log4j Installed (Linux / Unix) 141394 - Apache HTTP Server Installed (Linux) 71642 - Oracle Installed Software Enumeration (Linux / Unix) 156551 - Oracle MySQL Enterprise Monitor Installed (macOS) 124276 - Oracle Tuxedo Installed (Linux/UNIX) 73913 - Oracle WebLogic Server Detection 133962 - Sophos Anti-Virus Installed (Linux) 186361 - VMWare Tools or Open VM Tools Installed (Linux) 187057 - OwnCloud OwnCloud Installed (Linux) 70349 - Adobe Acrobat Installed (Mac OS X) 72202 - JBoss Detection 147022 - SAP Adaptive Server Enterprise (ASE) Installed (Linux) 163488 - Terraform Configuration Detection for Linux/UNIX 77028 - IBM Installation Manager Detection (Linux / Unix) 145032 - IBM WebSphere eXtreme Scale (Linux) 144633 - IBM MQ Server and Client Installed (Linux) 136341 - Dell EMC Data Protection Central Installed (Linux) 133964 - SELinux Status Check 159273 - Dockerfile Detection for Linux/UNIX 174164 - Google Protobuf Go Module Installed (Linux/UNIX) 158567 - Citrix Workspace App Installed (nix) 55420 - Adobe Reader Installed (Mac OS X) Target Release Date April 30, 2025Improved Printer Fingerprinting
Summary This document addresses an issue where network printers generate unnecessary prints when scanned, even with the "Don't Scan Printers" setting enabled. The fix involves improving the SNMP identification process for printers by falling back to default community strings and ports if an incorrect community string is initially configured. Background Currently, if a customer configures an incorrect SNMP v1/v2(c) community string for a device, Plugin ID 11933 / "Do not scan printers" fails to revert to using well-known, default SNMP v1/v2(c) community strings and ports, unlike other plugins. This failure can prevent accurate identification of network printers, leading to them being scanned and in some cases, may inadvertently queue print jobs on printers Impact The following assumes the user has enabled the "Do not scan printers" setting in their scan policy and the network printer is correctly identified as such: Potential Decrease in Reported Vulnerabilities: Network printers will be less heavily scanned, potentially leading to a decrease in reported vulnerabilities related to these devices. Slight Increase in Packet Traffic: There will be an increase of approximately three packets per host as the system attempts fallback SNMP connections. Printers Marked as "Dead": Network printers that are successfully identified via SNMP will be marked as "dead" and will not be scanned further. This change aims to enhance the effectiveness of identifying network printers using SNMP, thereby reducing unnecessary and potentially damaging traffic directed at these devices. The resulting decrease in reported vulnerabilities is an expected outcome, as identified printers will no longer be subjected to heavy scanning. Users can continue to scan network printers by enabling the "Scan Network Printers" setting under “Host Discovery -> Fragile Devices -> Scan Network Printers” in the scan policy. This ensures that printers are scanned and not marked as dead, irrespective of fingerprinting. Affected Plugins 11933 ( "Do not scan printers") Affected Scan Policy Settings Discovery -> Host Discovery -> Fragile Devices -> Scan Network Printers Tenable Security Center Tenable Vulnerability Management Tenable Nessus Target Release Date: Monday, September 15, 2025Tenable Research is providing the following supporting...
Tenable Research is providing the following supporting information about the 31 NASL detection plugins and two WAS plugin recently released in response to a critical vulnerability reported in Log4j (Log4Shell). As a reminder, it is recommended that thorough_tests are enabled for all scans using these CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, and CVE-2021-45105 plugins. NASL plugins 156183 Apache Log4j 2.x < 2.17.0 DoS Version check for known vuln Log4j versions related to CVE-2021-45105 in Windows, Unix and Linux systems 156057 Apache Log4j 2.x < 2.16.0 Version check for known vuln Log4j versions related to CVE-2021-45046 in Windows, Unix and Linux systems 156165 Apache Log4j 2.x < 2.16.0 RCE Version check for known vuln Log4j versions related to CVE-2021-45046 in MacOS systems 156164 Apache Log4Shell CVE-2021-45046 Bypass Remote Code Execution - (Direct Check HTTP) Direct Check compatible with Tenable.io Cloud Scanners and restrictive networks Delivers jndi:ldap crafted payloads including Session, JSession and PHPSession into the HTTP headers and then tracks the injection via DNS when the callback is made. Callback is needed given the nature of the vulnerability wherein the target / victim connects back to the host sending the original request and the host is vulnerable if the callback happens This plugin uses DNS (default port 53) for network communication. The following Apache Log4Shell CVE-2021-44228 Direct Checks share common techniques applied on different ports and protocols. They all share the following attributes: Direct Checks compatible with Tenable.io Cloud Scanners and restrictive networks Callback is needed given the nature of the vulnerability wherein the target / victim connects back to the host sending the original request and the host is vulnerable if the callback happens These plugins DNS (default port 53) for network communication. Delivers jndi:ldap crafted header script to select ports on a scan target and then tracks the injection via DNS when the callback is made CVE-2021-44228 direct check not requiring authentication 156669 Apache Log4Shell RCE detection via callback correlation (Direct Check - MSRPC) 156559 Apache Log4Shell RCE detection via callback correlation (Direct Check - RPCBIND) 156445 Apache Log4Shell RCE detection via callback correlation (Direct Check - PPTP) 156375 Apache Log4Shell RCE detection via callback correlation (Direct Check - UPnP) 156258 Apache Log4Shell RCE detection via callback correlation (Direct Check - NTP) 156257 Apache Log4Shell RCE detection via callback correlation (Direct Check - DNS) 156256 Apache Log4Shell RCE detection via callback correlation (Direct Check - SNMP) 156232 Apache Log4Shell RCE detection via callback correlation (Direct Check - SMB) 156197 Apache Log4Shell RCE detection via callback correlation (Direct Check - NetBIOS) 156166 Apache Log4Shell RCE detection via callback correlation (Direct Check - SSH) 156162 Apache Log4Shell RCE detection via callback correlation (Direct Check - Telnet) 156158 Apache Log4Shell RCE detection via callback correlation (Direct Check - IMAP) 156157 Apache Log4Shell RCE detection via callback correlation (Direct Check - POP3) 156132 Apache Log4Shell RCE detection via callback correlation (Direct Check - SMTP) 156115 Apache Log4Shell RCE detection via callback correlation (Direct Check - FTP) 156056 Apache Log4Shell RCE detection via callback correlation (Direct Check - any open port) 156035 VMware vCenter Log4Shell (Direct Check HTTP) Delivers jndi:ldap crafted payloads into the HTTP header of VMWare vCenter applications installed on the remote host on a scan target and then tracks the injection via DNS when the callback is made 156017 Apache Log4Shell RCE detection via callback correlation (Direct Check - SIP) 156016 Apache Log4Shell RCE detection via Path Enumeration (Direct Check HTTP) 156014 Apache Log4Shell RCE detection via callback correlation (Direct Check HTTP) CVE-2021-44228 direct check not requiring authentication Direct Check compatible with Tenable.io Cloud Scanners and restrictive networks Injects payload into the HTTP headers and then tracks the injection via DNS when the callback is made Callback is needed given the nature of the vulnerability wherein the target / victim connects back to the host sending the original request and the host is vulnerable if the callback happens This plugin uses DNS (default port 53) for network communication. 155998 Apache Log4j Message Lookup Substitution RCE (Log4Shell) (Direct Check) CVE-2021-44228 direct check not requiring authentication Scanner sends jndi:ldap string to target and listens for LDAP BIND request from target It is not compatible with Tenable.io cloud scanners and may fail to return results in certain networks due to firewall rules or interference from other security devices. Callback is needed given the nature of the vulnerability wherein the target / victim connects back to the host sending the original request and the host is vulnerable if the callback happens This plugin uses ephemeral ports 50,000-60,000 for network communication 156001 Apache Log4j JAR Detection (Windows) Local Windows detection **recommend Thorough Tests** Checks running processes for Java instances running with Log4j in classpath and records the file paths Searches the file system for .jar files with known vuln Log4j filename matches (if thorough tests is enabled) 156000 Apache Log4j Installed (Unix) Local Linux detection Checks rpm packages for vulnerable Log4j matches (RedHat, Gentoo, SuSE, etc.) Search the file system paths for known vulnerable Log4j matches (if thorough tests is enabled) 155999 Apache Log4j < 2.15.0 Remote Code Execution Local Linux Detection (uses 156000) Version check for known vuln Log4j versions in Unix and Linux systems 156002 Apache Log4j < 2.15.0 Remote Code Execution Local Windows detection (uses 156001) Version check for known vuln Log4j versions in Windows systems 156032 EOL plugin for Log4j 1.x Apache Log4j version < 1.x End of Life / Unsupported Version Detection 156103 Apache Log4j 1.2 JMSAppender Remote Code Execution (CVE-2021-4104) The version of Apache Log4j on the remote host is 1.2. It is, therefore, affected by a remote code execution vulnerability when specifically configured to use JMSAppender. WAS plugins 113075- Apache Log4j Remote Code Execution (Log4Shell) CVE-2021-44228 direct check not requiring authentication Inject payload into the HTTP headers, POST/GET values, XML, JSON, cookies, etc. and then track the injection via DNS when the callback is made Callback is needed given the nature of the vulnerability wherein the target / victim connects back to the host sending the original request and the host is vulnerable if the callback happens 113076- Apache Log4j Remote Code Execution (Log4Shell) CVE-2021-44228 WAS Log4Shell file detection plugin Scan the web application directories for known vulnerable version of the Log4j installation file and flag the host if found
CyberArk Client Certificate Authentication Issue Summary...
CyberArk Client Certificate Authentication Issue Summary Tenable has discovered an issue with our CyberArk Integration and its Client Certificate Authentication to the CyberArk CCP/AIM Web Service API. Customers that have deployed the CyberArk CCP component on Windows Server 2022+ have experienced unsuccessful attempts authenticating to the CCP/AIM Web Service API using Client Certificate Authentication with our CyberArk Integration. This is due to an issue with Windows Internet Information Services (IIS) and certificate authentication over TLS 1.3 and HTTP/2. Change Customers using a Windows Server 2022+ to host their CyberArk CCP must disable TLS v1.3 and HTTP/2 on the IIS manager in order to successfully use Tenable’s CyberArk Integrations that support Client Certificate Authentication. The following Microsoft article describes the issue. https://techcommunity.microsoft.com/blog/iis-support-blog/windows-server-2022-iis-web-site-tls-1-3-does-not-work-with-client-certificate-a/4129738 Impact There are no changes to the integration. Release Date IMMEDIATEImprovement to Printer OS Fingerprinting
Updated: April 3, 2026 Summary Scanned printers will now have an OS artefact surfaced in their scan host metadata if the target has been identified as a printer when the “Scan Network Printers” policy option is disabled. This change will not cause any additional asset licenses to be consumed within Tenable VM or Tenable Security Center. Background Printers are notoriously unstable scan targets. Oftentimes, they can behave erratically when scanned, so some users prefer to avoid scanning them altogether. At present, there is a switch in the scan policies to prevent further scanning of a host when it's identified as a printer. To enable this setting, go to Settings -> Host Discovery -> Fragile devices - Scan Network Printers (Currently, this is a checkbox setting, default value “off”). With that said, how can the scanner know the target is a printer if it cannot be scanned? In reality, the scanner still performs very basic fingerprinting (usually via SNMP) in order to gather enough information to make an educated guess at the device type. When the scan target is thought to be a printer, it essentially gets marked as “Host/dead" in the scan KB. When this happens, the scanner will not perform any further active scanning. Changes With this update, the fingerprint used to identify the printer as such, will now be stored in the scan Knowledge Base (KB) so it can be processed by os_fingerprint2.nasl ("Post-scan OS Identification", plugin ID 83349) and surfaced as metadata in the scan result. The relevant policy setting located at Settings -> Host Discovery -> Fragile devices -> Scan Network Printers. With this update, the printer's OS information will now be surfaced if it is available, regardless of the selected value for this setting. Impact Users can now see the OS information for their printer devices that would have otherwise gone unreported if the scan is not configured to “Scan Network Printers”. As plugin ID 83349 generates no plugin output, only an “operating-system” tag will be added to the scan result (and stored in an exported .nessus file). This information will be visible only the in “Host/Asset Details” section of the Tenable product UI, i.e: Tenable Nessus: Scans -> [Folder] -> [Individual Scan Result] - > Host Details -> OS (sidebar) Tenable Vulnerability Management: Explore -> Assets -> [Asset] -> Details -> Operating System Scans -> Vulnerability Management Scans -> [Individual Scan Result] -> Scan Details -> Asset Details -> Operating System Tenable Security Center: Analysis -> IP Summary -> [IP address] -> System Information -> OS Scans -> Scan Results -> [Individual Scan Result] -> IP Summary -> [IP address] -> System Information -> OS Note, we expect this information to surface mainly in individual scan results. It would only be present in cumulative asset details if a licensed asset already exists for the target in question. This update will not cause additional assets to be created or consume any additional licenses. Affected Plugins 83349 - os_fingerprint2.nasl 11933 - dont_scan_printers.nasl 22481 - dont_scan_settings.nasl Targeted Release Date Wednesday, March 4, 2026Stop Choosing Between Simple and Powerful. Get Both with TPM 10.0
On January 22, we are thrilled to unveil Tenable Patch Management (TPM) 10.0. This update is a significant transformation of our patch product, designed to deliver the promise of modern, frictionless, and autonomous patching for everyone. We are officially retiring the "Express" vs. "Enterprise" distinction. Moving forward, TPM is a Single SKU model. Whether you need high-speed simplicity or deep granular control, you no longer have to choose. Every user now has access to the full power of the Tenable patching engine. TPM 10.0 reduces operational complexity, and focuses on the daily workflow of the administrator. Highlights of TPM 10.0 (SaaS & On-Premise) We’re moving away from executive ROI charts to focus on an Administrator-First interface. The new homepage prioritizes "Blind Spots" and "Delta Numbers," giving you an instant view of your unpatched gaps. A Simple Setup Wizard: A new 6-step onboarding guide replaces hours of manual setup, covering integration, device verification, and your first patching strategy in minutes. "What, When, & How" Strategy Builder Workflow: Build strategies and leverage Deployment Rings (formerly Waves) and automated Transitions (Success, Approval, or Delay) to control exactly how patches roll out. The Emergency Kit: A "Global Pause" button, instant rollback, and exception controls are now front-and-center on your dashboard. Single-Pane Visibility: The updated Monitoring & Deployments Dashboards offer a clear view of scheduled, in-progress, and finished deployments, allowing you to bypass approvals or skip ahead without menu-hopping. RBAC Enhancements (TPM On-Premise): Expanded Role-Based Access Control (RBAC) is now available for TPM On-Premise. New built-in security roles allow scoped access for specific locations (e.g., branch offices, testing labs) and read-only access for security audits. For the Power Users We haven’t removed the deep customization you love; we’ve just organized it. All advanced features like Intent Schema and Flex Controls have moved to the new Advanced Settings hub. This keeps the main interface clean for daily tasks while ensuring your "under-the-hood" configurations remain just one click away. Migration & Licensing: What It Means For You Customer Type What Happens on Jan 22? Action Required SaaS / Cloud Automatic upgrade to the v10 UI. None. Your subscription transitions at your next renewal. On-Premise Stay on your current UI until you choose to upgrade. Optional Upgrade: Contact us for a Zero-Dollar Exchange Order to unlock v10 features today. Get Started with These Resources To help you hit the ground running, we’ve attached two essential resources to this post: What's New in TPM 10.0 (PDF): A comprehensive feature guide, FAQ, and a navigation map to help you find your favorite v9 tools in the v10 interface. TPM 10.0 Video Walkthrough: Join Ahmad Maruf, Principal Product Manager of Tenable Patch Management for a deep dive into the new dashboard, wizard-driven onboarding, strategy creation, and emergency controls here. Your current product and strategies remain completely untouched and will continue to function as designed. Log in on January 22nd to explore the new dashboard, and experience the magic of simplicity combined with deep control. Happy Patching, Tenable Patch Product Management
January 2026 Tenable Product Newsletter
Greetings! Check out our January newsletter to learn about the latest product updates, research insights, and educational content — all to help you get more value from your Tenable solutions. Tenable One New Tenable One Connector | ORDR Bridge the gap between IT and OT. Connect Tenable One with ORDR to get a single view of your entire attack surface, showing exactly how a simple IT exposure can reach your critical operational technology. By treating IT and OT as a single, connected environment, you can better protect your uptime and ensure smooth and safe operations. Learn more >> Tenable Cloud Security Tenable named a Customers’ Choice in the 2025 Gartner® Peer Insights™ Voice of the Customer for Cloud-Native Application Protection Platforms (CNAPPs) We are excited to share that Tenable is named a Customers’ Choice in the 2025 Gartner® Peer Insights™ Voice of the Customer for Cloud-Native Application Protection Platforms (CNAPPs). In this report, Gartner Peer Insights provides a rigorous analysis of 1,664 reviews and ratings of 10 vendors in the CNAPP market. In the 18-month eligibility window, we received an average of 4.8 out of 5 stars for Tenable Cloud Security based on 71 reviews as of October 2025. We’re grateful to you, our customers. This kind of feedback tells us we're delivering on what matters most! Learn from your peers as you choose the best solution for your cloud security program. You can read the report here. Exclusions | Strategic risk management: Streamline exception handling with a new centralized framework. Define business scenarios to ignore non-actionable findings or adjust their severity using flexible conditions like tags and attributes. All legacy exceptions now migrate here for a single, auditable source of truth. Reports | Query-to-report automation: Transform any search in Explorer into a scheduled or on-demand report. Leverage a redesigned, full-screen reporting experience featuring live data previews and local timezone support to ensure stakeholders receive actionable data exactly when they need it. IAM | AWS ABAC and granular visibility: Permission evaluations now support AWS attribute-based access control (ABAC) for highly accurate least-privilege recommendations. Additionally, a new dedicated Access Level section in resource profiles replaces generic summaries with a detailed breakdown of permission categories. Projects | Scalable API automation: Manage high-volume environments with new GraphQL API support for Projects. Programmatically create, modify, or delete projects and role assignments to align security governance with rapid DevOps workflows. Data security | Precision classification: Enhance data discovery by using Regex to exclude known or irrelevant values from classification to ensure your data security findings focus on actual sensitive information while filtering out noise. View full cloud release notes Tenable Identity Exposure This month, we are focusing on removing deployment friction for indicators of attack (IoA). To maintain a high-velocity security posture, we have simplified the process of authorizing installation scripts within your existing EDR/AV environments. Frictionless IoA deployment: We’ve added three new parameters to the IoA installation script to ensure your security stack works in harmony. This enhancement accelerates time-to-protection by pre-authorizing deployment scripts and preventing false-positive blocks from security tools. Proactive authorization: Use OutputCertificate or GetSignatureToWhitelist to retrieve the Tenable certificate or script hash for immediate allowlisting. Controlled execution: The TimerInMinutes parameter allows you to delay installation, ensuring your environment has processed allowlist updates before the script runs. View full identity release notes By focusing on these specific parameters, your team can avoid the manual overhead of troubleshooting blocked installations and move directly to monitoring for identity-based threats. Tenable Vulnerability Management Streamline your Microsoft Patch Tuesday remediation Master the monthly operational challenge of Microsoft Patch Tuesday with the updated one-stop-shop dashboard. You can now balance critical deployments against user disruption with a comprehensive view of your organization's remediation status to quickly detect vulnerable devices and prioritize the most difficult issues. This update leverages three key advancements: Enhanced VPR analysis: Utilize the newest algorithm to focus on your most critical vulnerabilities. The enhanced analysis reduces your workload and offers greater explainability for risk scoring. Granular asset tracking: Leverage new software inventory attributes to distinctly analyze risk across operating systems versus applications and packages. Reboot detection: Instantly identify assets with applied patches that are vulnerable due to a pending reboot, so you can close security gaps completely. Download a new copy of this dashboard to access the new widgets and data visualizations. Nessus SSH Session Re-use feature added for credential scans Nessus now supports an opt-in feature to reuse SSH sessions during a scan when running Nessus version 10.9.0 or greater. Added in response to numerous requests from customers like you, this update will reduce the number of new SSH connections established during remote network scans and the associated increase in network traffic. Access more information in Tenable Research Release Highlights here. Tenable Security Center Action required: Preparing for upcoming VPR feed update Starting mid-January 2026, the Tenable Security Center feed will expand to support new Vulnerability Priority Rating (VPR) data. To prevent PHP memory exhaustion and ensure your daily updates continue seamlessly, you must take immediate action. Versions 6.5.1 – 6.7.2: Patch 202601.1 is now available. Applying this patch will automatically modify the PHP configuration to increase the memory limit. Versions prior to 6.5.1: Follow the instructions outlined here to modify the PHP configuration. Note: Consoles with less than 8 GB RAM may require a hardware resource update. In case you missed it: Tenable Security Center 6.7 is now available See your environment more clearly and act faster on what matters most. This release delivers a modern, intuitive UX that improves usability, scalability, and efficiency across your workflows. Explore – Assets (preview): Get a modern view of your assets with advanced filtering and improved navigation that helps you identify risks faster. Triggered agent scanning: Automate Tenable Agent scans based on defined conditions, so you can catch vulnerabilities sooner and respond with confidence. Credential verification scan policy: Quickly validate Windows and Unix credential pairs with a built-in template that confirms authentication success. Performance and reporting enhancements: Experience faster scan ingestion, faster reporting, and improved backend performance that keeps pace with your team. Before you upgrade: Tenable Security Center 6.7 supports upgrades from version 6.3.0 and later. The release updates hardware specifications. Systems below the new recommendations will still upgrade successfully, but performance may vary. Upgrade now and view the release notes for details. Tenable Patch Management Get the magic of simplicity and deep control On Jan. 22, your patching experience transforms into a single, unified powerhouse. You no longer have to choose between speed and granular control. You now have full access to our most robust engine designed for autonomous patching. We’ve streamlined your workflow to help you close security gaps faster: Set up in minutes, not hours, with the new 6-step onboarding wizard. Eliminate guesswork using the intuitive "What, When, & How" strategy builder. Act fast with front-and-center emergency controls like Global Pause. Rest assured, your current strategies remain untouched and will continue to function exactly as designed. Explore the new features. Tenable OT Security Now available: Tenable OT Security 4.5 This release delivers improved scalability for enterprise environments, enhanced power grid visibility, and new integrations across the Tenable One portfolio. Advanced dynamic tagging: Streamline prioritization and reporting with the ability to create rule-based groups and tags with multiple filters, including asset type, risk score, and criticality. Enhanced support for IEC 61850: Improve passive detection of intelligent electronic devices with comprehensive visibility across substation and power generation infrastructures. Unified SOC visibility: You can now directly view policy violations that Tenable OT Security detects, such as unauthorized access or failed logins, within Tenable Security Center dashboards and reports to bridge the gap between OT and the SOC. Expanded compliance mapping: Simplify how you measure and report against critical security frameworks with support for IEC 62443-3-3 and NIST-CSF in the Compliance Dashboard. Role-based access controls (RBAC): Tenable Enterprise Manager now enables admins to assign users to specific ICPs using user groups, so users only view the zones they’re authorized to see while inheriting ICP-level roles. Tenable Training and Product Education Introducing the Tenable Universal Education SKU Maximize your team’s expertise without the pressure of immediate decision-making. Tenable Universal Education SKUs streamline your procurement by consolidating all training needs into a single, flexible entitlement. You can secure your budget today and choose your specific product or certification path later as your security priorities evolve. This flexibility also applies to your existing Enrollment Codes, which you can now use for any applicable course. When you are ready to train, simply visit Tenable University, select your course from the eligible catalog, and apply your code to start learning. Tenable Webinars Tune in for product updates, demos, how-to advice and Q&A. See all upcoming live and on-demand webinars here. On-demand Escape the patching cycle. A guide to autonomous risk-based patching. Securing the future of AI in your enterprise. Policy frameworks that balance opportunity and oversight. Customer office hours These are recurring ask-me-anything sessions for Tenable Security Center, Tenable Vulnerability Management, Tenable Cloud Security, Tenable Identity Exposure and Tenable OT Security. Time-zone-appropriate sessions are available for the Americas, Europe (including the Middle East and Africa and Asia Pacific (APJ). Learn more and register here. Tenable Research Research Security Operations blog posts Subscribe to the Research team blog posts here. CVE-2025-64155: Exploit code released for critical Fortinet FortiSIEM command injection vulnerability Microsoft’s January 2026 Patch Tuesday addresses 113 CVEs (CVE-2026-20805) Research release highlights SSH Session Reuse: Opt-in to this feature to reduce the number of SSH connections made during remote network scans within Tenable Vulnerability Management and Nessus Miracle Linux Local Security Checks: Scan for Miracle Linux vulnerabilities using the newly released plugins. SNMPv3 for CyberArk and HashiCorp Vault: Choose to query the CyberArk or Hashicorp vaults using the SNMPv3 credentials. Content coverage highlights More than 4,700 new published vulnerability plugins. More than 60 new audits delivered to customers. Read Tenable documentation.
