2025.12

Features & Enhancements

Vulnerability Management Hub (VMH)

  • Performance & Scale: Optimized "Group-by" logic for significant performance gains when handling large datasets.
  • Advanced Filtering & Sorting:
    • Added a new Downstream Impact Type filter to help prioritize weaknesses based on their potential reach.
    • Introduced the ability to sort the weakness series by IP address, Host, and Affected Entity.
    • Improved table-wide sorting and filtering persistence to ensure a smoother navigation experience.
  • Workflow Improvements:
    • Added a new user-selectable status: Closed, providing better lifecycle tracking for remediated issues.
    • Added a Notes pop-up for the "Group by Weakness ID" view, allowing users to quickly view or edit context without leaving the table.
    • Users can now undo a Status Update in VMH, reducing accidental data entry errors.

High Value Targeting (HVT) & Advanced Data Pilfering (ADP)

  • Enhanced Visibility: Updated the title copy for host and credential HVTs for better clarity and added distinct High-Value Targeting badges across the portal.
  • Federal Availability: HVT and ADP capabilities are now fully enabled for NodeZero Federal environments.

Active Directory (AD) Tripwires

  • Component Management: New portal UX flows streamline the update process for AD Tripwires components, including the AD Agent and Event Collector.
  • Performance & Security:
    • Improved security event query performance for faster threat detection.
    • Resolved a security event ID overflow issue and improved local state error handling.
    • Added the ability to archive deleted domains directly from the portal.

Platform & Usability Enhancements

  • NodeZero Federal Updates: In addition to HVT/ADP, NodeZero Federal now supports Cloud-Based Hash Cracking, Threat Informed Perspectives, and the Vulnerability Management Hub.
  • Vulnerability Risk Intelligence (VRI): Improved scanner integration with specific field mappings for Rapid7 and more descriptive error messages for invalid scanner file fields.
  • Schedule Resiliency: To prevent automation failures, schedules owned by a deleted user are now automatically reassigned to an administrator rather than being deleted.
  • Attack Path Visualization: The "Download PNG" feature now supports the export of highly complex attack paths.

New Attack Content

  • Gladinet CentreStack & Triofox: Added a Rapid Response test for a hard-coded cryptographic key vulnerability that allows unauthenticated attackers to bypass authentication and achieve Local File Inclusion (LFI).
    • CVE-2025-14611: Gladinet CentreStack and Triofox use hardcoded AES cryptographic keys, allowing unauthenticated attackers to perform arbitrary local file inclusion and potentially gain full system compromise.
    • CVE-2025-12480: An improper access control vulnerability in Gladinet Triofox allows unauthenticated attackers to bypass authentication via HTTP Host header manipulation and execute arbitrary code with SYSTEM privileges.
  • XWiki: New test for a critical SQL injection vulnerability in the getdeleteddocuments.vm template, which could lead to full system compromise.
    • CVE-2025-32429: XWiki Platform contains a critical SQL injection vulnerability in the getdeleteddocuments.vm template, enabling remote attackers to execute arbitrary SQL commands without authentication.
  • React2Shell: Added detection for a critical unauthenticated Remote Code Execution (RCE) vulnerability in React Server Components, including specific logic to identify WAF bypass attempts.
    • CVE-2025-55182: Known as "React2Shell," this critical flaw in the React Server Components (RSC) Flight protocol allows unauthenticated attackers to achieve remote code execution through unsafe deserialization.
  • FreePBX Suite: Released a series of tests for critical vulnerabilities including authentication bypass, SQL injection, and arbitrary file upload leading to RCE.
    • CVE-2025-57819: Sangoma FreePBX versions 15, 16, and 17 are vulnerable to an authentication bypass and SQL injection that allows unauthenticated attackers to manipulate the database and execute remote code.
    • CVE-2025-66039: FreePBX Endpoint Manager contains an authentication bypass vulnerability when using "webserver" authentication, allowing attackers to gain administrative access by providing an arbitrary Authorization header.
    • CVE-2025-61675: FreePBX Endpoint Manager is affected by multiple authenticated SQL injection vulnerabilities in basestation and model configurations, allowing users with valid credentials to execute arbitrary queries.
    • CVE-2025-61678: FreePBX Endpoint Manager contains an authenticated arbitrary file upload vulnerability via the fwbrand parameter, which can be leveraged by a known user to upload a webshell for remote code execution.

Platform Performance & Stability

  • Compute Scaling: Improved hardware allocation logic for large-scale pentests to ensure consistent processing and prevent "stuck" operations.
  • Data Processing: Enhanced performance for Asset matching and Attack vector tracing algorithms, resulting in faster post-operation analysis.
  • External Request Logic: Refined internal pentest behavior so that NodeZero no longer makes unintended requests to the AWS instance metadata service when running in AWS environments.

Bug Fixes

  • Pentest Visibility: Fixed an issue where the Scheduled Insider Threat pentest type was missing from the overview page.
  • International Support: Resolved a provisioning bug for Tripwires accounts in non-English regions.
  • Comparison UX: Fixed a UI bug in the Internal Operation Compare view that hindered data analysis.
  • White Labeling: Removed the co-branding preview for child accounts to align