2025.10
Features & Enhancements
MCP Server
- Managed Control Plane (MCP) Hosted: The Hosted version of the Managed Control Plane (MCP) Server is now Generally Available (GA). See more on MCP.
High-Value Target (HVT) & Advanced Data Pilfering (ADP)
- Advanced Target Identification and Exfiltration: High-Value Target (HVT) and Advanced Data Pilfering (ADP) capabilities are available, enabling the platform to more intelligently identify and target critical assets and simulate sophisticated data exfiltration techniques.
- Microsoft SCCM Compromise: Added full support for enumerating and compromising Microsoft System Center Configuration Manager (SCCM) via the TAKEOVER-1 misconfiguration. Compromising SCCM can impact all managed machines, mirroring the criticality of attacks like ADCS. This capability is foundational for adding new, high-impact NTLM relay and coercion attacks (e.g., exploiting CVE-2025-33073).
  - CVE-2025-33073: A high-severity privilege escalation vulnerability in the Windows SMB Client that allows an authenticated attacker to gain SYSTEM privileges via an NTLM reflection attack bypass.
- NTLM Credential Support: Added support for NTLM credentials to several key attack modules, broadening coverage for internal network attacks.
Tripwires
- Active Directory Tripwires: Introduced new Active Directory (AD) specific tripwire capabilities. See more on AD Tripwires.
- Dedicated Navigation: A dedicated Tripwire Jobs sub-navigation item has been added for easier management and tracking of sensor deployment and triggering.
- Bulk Enable/Disable Tripwire: The Templates overview page now allows users to enable or disable the deployment of tripwires across multiple templates simultaneously.
Usability & Reporting
- Vulnerability Management Hub Performance: This release includes several significant enhancements to improve the responsiveness and load times of the Vulnerability Management experience:
  - Faster Chart Loading: Top-of-page charts now utilize more efficient, parallelized queries for a smoother experience.
  - Optimized Queries: The “Weaknesses Over Time” data query runs approximately 50% faster.
  - Improved Data Retrieval: Refined logic reduces redundant requests for business risk and threat actor data, improving performance for organizations with large datasets.
  - Enhanced Grid Performance: Data tables now load faster, especially for organizations managing thousands of weaknesses.
- Input Validation: Introduced a robust, user-friendly validation layer for IP and CIDR range inputs in the scope section, providing clearer error messages and helpful range information.
- Date and Time Consistency: Standardized the display format for all dates and times across the platform for improved consistency (e.g., Oct 06, 2025 -> Oct 6, 2025).
- Global UI Consistency: Applied various updates to ensure a consistent look and feel for page headers and action row components across the platform.
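The scope input validation described above (clear error messages plus range information for IP and CIDR entries) can be illustrated with a small validation layer. The code below is an added example written for these notes, not NodeZero's own implementation; the function name validate_scope_entry, the ScopeResult structure, the dash-separated range syntax and the sample entries are all assumptions made for illustration.

```python
"""Illustrative validation layer for IP / CIDR scope entries (added example, not product code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class ScopeResult:
    ok: bool
    message: str                                   # user-facing explanation or error
    networks: List[str] = field(default_factory=list)  # normalized CIDR blocks the entry expands to
    host_count: int = 0                            # number of addresses the entry covers


def validate_scope_entry(entry: str) -> ScopeResult:
    """Validate one scope entry: a single IP, a CIDR block, or a 'start-end' range (assumed syntax)."""
    text = entry.strip()
    if not text:
        return ScopeResult(False, "Empty entry: provide an IP address (10.0.0.5), "
                                  "a CIDR block (10.0.0.0/24) or a range (10.0.0.1-10.0.0.20).")

    # Dash-separated range: both ends must parse, share an IP version, and be ordered.
    if "-" in text:
        lo_s, _, hi_s = text.partition("-")
        try:
            lo = ipaddress.ip_address(lo_s.strip())
            hi = ipaddress.ip_address(hi_s.strip())
        except ValueError as exc:
            return ScopeResult(False, f"Invalid range endpoint: {exc}")
        if lo.version != hi.version:
            return ScopeResult(False, "Range endpoints must both be IPv4 or both be IPv6.")
        if hi < lo:
            return ScopeResult(False, f"Range end {hi} is before range start {lo}; did you mean {hi}-{lo}?")
        nets = [str(n) for n in ipaddress.summarize_address_range(lo, hi)]
        count = int(hi) - int(lo) + 1
        return ScopeResult(True, f"Range {lo}-{hi} covers {count} addresses as {len(nets)} CIDR block(s).",
                           nets, count)

    # CIDR block: reject bad prefix lengths, and explain host bits instead of silently truncating.
    if "/" in text:
        try:
            net = ipaddress.ip_network(text, strict=True)
        except ValueError:
            try:
                loose = ipaddress.ip_network(text, strict=False)
            except ValueError as exc:
                return ScopeResult(False, f"Invalid CIDR '{text}': {exc}")
            return ScopeResult(False, f"'{text}' has host bits set; did you mean {loose} "
                                      f"({loose.network_address}-{loose.broadcast_address})?")
        return ScopeResult(True, f"{net} covers {net.num_addresses} addresses "
                                 f"({net.network_address}-{net.broadcast_address}).",
                           [str(net)], net.num_addresses)

    # Single host.
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return ScopeResult(False, f"'{text}' is not a valid IPv4/IPv6 address or CIDR block.")
    return ScopeResult(True, f"Single host {addr}.", [f"{addr}/{addr.max_prefixlen}"], 1)


if __name__ == "__main__":
    # Constructed sample inputs covering the common mistakes a scope form should catch.
    samples = ["10.0.0.0/24", "10.0.0.5/24", "10.0.0.0/33", "10.0.0.1-10.0.0.20",
               "10.0.0.20-10.0.0.1", "192.168.1.300", "2001:db8::1", "   "]
    for s in samples:
        r = validate_scope_entry(s)
        print(f"{'OK ' if r.ok else 'ERR'} {s!r}: {r.message}")
```

Treating a CIDR with host bits set as an error (with the corrected block in the message) rather than silently normalizing it is a deliberate choice: a user who typed 10.0.0.5/24 may have meant the single host, and silently widening scope to 256 addresses is the kind of surprise a scope form should surface.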
New Attack Content
Rapid Response (RR) Coverage
New Rapid Response (RR) tests and attack cards have been released for critical vulnerabilities:
- Redis (CVE-2025-49844): Also known as RediShell, a critical use-after-free vulnerability in the Redis Lua scripting engine that allows an authenticated user to execute remote code on the affected server.
- Oracle EBS (CVE-2025-61882): A critical remote code execution flaw in Oracle E-Business Suite’s BI Publisher Integration component allowing unauthenticated attackers to take over affected systems.
- WatchGuard Fireware OS (CVE-2025-9242): A critical out-of-bounds write vulnerability in the WatchGuard Fireware OS IKEv2 service that allows a remote, unauthenticated attacker to execute arbitrary code on affected Firebox firewalls.
Attack Content Updates
- Progress OpenEdge (CVE-2025-7388): A high-severity Remote Command Execution (RCE) vulnerability in the Progress OpenEdge AdminServer component that allows an authenticated user to inject and execute operating system commands via the Java RMI interface.
- CISA KEV Upgrade: Exploits for CVE-2025-10035 and CVE-2025-2749 (H3-2025-0026) have been upgraded to reflect their inclusion in the CISA Known Exploited Vulnerabilities (KEV) Catalog.
  - CVE-2025-10035: A critical (CVSS 10.0) deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT that allows a remote attacker to execute arbitrary code on the server by crafting a forged license response signature.
  - CVE-2025-2749: A high-severity Remote Code Execution (RCE) vulnerability in Kentico Xperience that allows an authenticated user to upload and execute arbitrary files on the server by combining path traversal (CWE-22) and unrestricted file upload (CWE-434) flaws via the Staging Sync Server component.
Platform Performance & Stability
- ETL Pipeline Optimization: Updates to the internal data pipeline improve the process for finding passwords in Active Directory attributes and now filter out incomplete data during processing to ensure faster delivery of actionable findings to users.
- Extended LLM Enablement: Added support for customers in the EU to use the Amazon Nova model for LLM-powered features.
Bug Fixes
- PDF Report Accessibility: Fixed an issue where PDF reports were missing accessibility bookmarks, which are necessary for users to navigate report sections efficiently.
- Sankey Chart Fix: Resolved a rendering issue where Sankey charts displayed incorrectly in PDF reports.
- Fixed a bug that occasionally caused stale business risks to appear in the portal.
- Resolved an issue preventing NodeZero from inappropriately interacting with AWS Tripwires.
- Fixed a bug preventing the Compare tab from showing the first 25 weaknesses in certain scenarios.