2026.05


Features & Enhancements

Vulnerability Management Hub (VMH) & Pentest UX

  • Added weakness alias badges within the Vulnerability Management Hub to improve identification and filtering of related weaknesses.
  • Users can now search directly within the runner selection drop-down when launching operations, simplifying runner selection in large environments.
  • Downloaded external pentest report ZIP files now use clearer naming conventions that reflect the associated test and included report files.

Rapid Response & Threat Coverage

  • Added Rapid Response coverage for newly disclosed vulnerabilities affecting enterprise software platforms and web applications.
  • Added Linux privilege escalation implant support for additional copy/fail privilege escalation techniques associated with CISA Known Exploited Vulnerabilities (KEVs).

Credential & Attack Path Enhancements

  • Added support for NetBIOS domain names during Active Directory auditing workflows and secretsdump operations, improving credential validation coverage in complex Windows environments.

MSP & Asset Allocation Improvements

  • MSP parent organizations can now view and manage contracted asset counts for subclients directly from the Asset Allocation interface.
  • Added an asset lock status badge to improve visibility into temporary asset allocation restrictions.

New Attack Content

  • Palo Alto PAN-OS User-ID Authentication Portal Buffer Overflow – CVE-2026-0300
    A critical buffer overflow in the PAN-OS User-ID Authentication Portal (Captive Portal) that allows unauthenticated remote code execution as root on affected PA-Series and VM-Series firewalls.

  • Next.js Server-Side Request Forgery – CVE-2026-44578
    A server-side request forgery (SSRF) flaw in the Next.js WebSocket upgrade handler that allows unauthenticated attackers to proxy requests to internal services or cloud metadata endpoints.

  • Drupal SQL Injection – CVE-2026-9082
    A critical SQL injection vulnerability in Drupal's database abstraction API that allows unauthenticated attackers to execute arbitrary SQL commands on systems using PostgreSQL databases.

  • XWiki Platform Path Traversal – CVE-2026-23734
    A path traversal vulnerability in the XWiki Platform that could allow an attacker to bypass access controls and read unauthorized files or directories on the underlying system.

  • Apache ActiveMQ Authentication Bypass – CVE-2026-40466
    An authentication bypass vulnerability in Apache ActiveMQ that could allow unauthorized actors to circumvent security controls and access the broker.

  • Linux Privilege Escalation
    Added implant support for Linux copy/fail privilege escalation, which is now tracked as a CISA Known Exploited Vulnerability.

  • NetBIOS Domain Name Support
    Added support for NetBIOS domain names and their use with secretsdump in Active Directory Audit operations.


Platform Performance & Stability

  • Improved Vulnerability Management Hub reliability for environments with a large number of users and associated operations.
  • Enhanced backend reliability in asset processing and host matching to improve data consistency across large environments.
  • Improved stale-asset detection logic to strengthen asset health validation workflows over long periods.

Bug Fixes

  • Fixed schedule picker validation issues affecting valid cron expressions containing comma-separated lists.
  • Fixed a Ruckus SSH detection false positive that could incorrectly report successful credential validation.
  • Fixed client-management console warnings in the portal UI.
  • Fixed SSO Initiator URL population issues during SSO (single sign-on) configuration.
  • Fixed missing SSO Test button and Initiator URL issues in the EU portal.
  • Fixed the handling of failed basic-auth logins for SSO-only users.
  • Fixed improper updating of Vulnerability Management Hub data in environments with a large number of users.
  • Fixed host-matching edge cases that could incorrectly associate findings across operations.
  • Fixed the color rendering of MFA (multi-factor authentication) screen text in the Portal.

Federal

Users of NodeZero Federal might experience a 1–2 week delay in the availability of some features, Attack Content, or bug fixes.