Skip to content

2025.04

Features & Enhancements

Targeted Tripwire Deployment

  • Tripwire customers can now launch custom jobs to deploy sensors on any in-scope asset—expanding beyond the default triggers of host compromise, domain compromise, or ransomware impact.
  • Jobs can be initiated from the Dashboard or Tripwires section, with deployment status visible in Job Details and Manage pages.
  • Job results and tripwire tables will automatically update upon refresh.

Platform & Usability Enhancements

  • Multi-tenant Client Management: MSPs can now move pentests between subclients, rename accounts, and reset passwords—streamlining client operations at scale.
  • Free Trial API Keys: Trial users can now generate API keys to test integrations and automation early in the evaluation process.
  • H3 CLI Enhancements: The CLI now supports environment variables for easier scripting and integration into CI/CD workflows, with updates reflected in the Install Runner modal.
  • UX & Accessibility Updates: Improvements include screen reader support for date pickers, enhanced ARIA attributes, visible license/user role labels in the Organization Switcher, and blocked IPv6 addresses in templates to reduce configuration errors.

New Attack Content

  • Commvault Command Center – CVE-2025-34028 Path traversal vulnerability enabling unauthenticated remote code execution.

  • SAP NetWeaver – CVE-2025-31324 Unauthenticated file upload via the Visual Composer Metadata Uploader, leading to full system compromise.

  • Craft CMS – CVE-2025-32432 Unauthenticated deserialization of malicious PHP objects via crafted POST requests, allowing remote code execution.

Platform Performance & Stability

  • External Host Discovery Optimization External Pentests, AWS Pentests, and Asset Discovery operations now complete faster—especially for operations with large IP address ranges.

  • Resource-Based Constrained Delegation (RBCD) When NodeZero validates certificate credentials with GenericAll or GenericWrite rights to a Domain Controller, it now attempts RBCD for deeper lateral movement.

Bug Fixes

  • Fixed an issue during Azure domain onboarding where secondary domains failed DNS validation. Public DNS checks now ensure more reliable setup.