Tenable Identity Exposure 2025 On-Premises Release Notes
These release notes are listed in reverse chronological order.
Tenable Identity Exposure 3.77.11 (2025-04-30)
Tenable has identified and addressed a critical vulnerability (CVE-2025-32433) affecting the SSH implementation in Erlang/OTP, where a flaw in the handling of SSH protocol messages allows a malicious actor to gain unauthorized access and execute arbitrary code without valid credentials.

Software Name | Pre-upgrade | Post-upgrade |
---|---|---|
Tenable Identity Exposure | 3.77.10 | 3.77.11 |
C++ 2015-2019 Redistributable | 14.38.33135.0 | 14.38.33135.0 |
.NET Windows Server Hosting | 8.0.14.25112 | 8.0.15.25165 |
IIS URL Rewrite Module 2 | 7.2.1993 | 7.2.1993 |
Application Request Routing 3.0 | 3.0.5311 | 3.0.5311 |
NodeJS | 20.18.3.0 | 20.19.0 |
Erlang OTP | 26.2.5.6 | 26.2.5.11 |
Rabbit MQ | 4.0.3 | 4.0.3 |
SQL Server | 15.0.4430.1 | 15.0.4430.1 |
OpenSSL | 3.3.2 | 3.5 |
Envoy | 1.29.12 | 1.29.12 |
Handle | 5.0 | 5.0 |
Curl | 8.12.1 | 8.13 |

Tenable Identity Exposure 3.77.10 (2025-03-27)

Tenable Identity Exposure version 3.77.10 contains the following bug fixes:
Bug Fixes |
---|
Tenable Identity Exposure corrected the severity of the SAM Name Impersonation Indicator of Attack (IoA), which is classified as "Critical" but was mistakenly labeled as "High" in certain metadata. |
Tenable Identity Exposure updated the end-of-life dates for the latest Windows 11 versions. |
Windows Server 2025, released in November 2024, introduced a new AD functional level (the first since Server 2016), which the Domains with an Outdated Functional Level Indicator of Exposure (IoE) now takes into account. Tenable Identity Exposure also added expiration information for Server 2025 in the Computers Running an Obsolete OS IoE and made other minor adjustments across various IoEs (e.g., new schema version). Note: This does not confirm compatibility for hosting Tenable Identity Exposure on Windows Server 2025. Refer to future documentation updates or release notes for compatibility details. |
After deleting an object identified as deviant in the Logon Restrictions for Privileged Users IoE, the associated deviance closes correctly. |
Tenable Identity Exposure now ensures the proper removal of the Envoy service during the uninstallation of the Secure Relay, even when it's installed with Directory Listener. |
Tenable Identity Exposure now correctly handles event number 4624 in the latest version of Windows. |
Uninstalling the Secure Relay no longer removes the "Tools" folder shared with the Directory Listener. When both are installed on the same machine, the "Tools" folder now remains intact, preserving the nssm binary. |
Tenable Identity Exposure enhanced the uninstallation process by adding safeguards during upgrades to reduce rollbacks and improve system stability. |
Tenable Identity Exposure now properly applies selected reason filtering when selecting deviant objects (when applicable). |
When an attacker machine leaves a domain, the DCSync IoA can now raise alerts in basic mode. |
Tenable now digitally signs the script to configure Indicators of Attack, preventing external security tools from flagging it as a potential risk due to a missing signature. |
After upgrading, the Directory Listener prevents the installation of another Secure Relay on the same machine. |
Tenable Identity Exposure enhanced application resilience with proper handling of RabbitMQ channel errors during message publishing. |
The Domain Reachability health check now gives a more precise reason why the domain is unreachable. |

Software Name | Pre-upgrade | Post-upgrade |
---|---|---|
Tenable Identity Exposure | 3.77.9 | 3.77.10 |
C++ 2015-2019 Redistributable | 14.38.33135.0 | 14.38.33135.0 |
.NET Windows Server Hosting | 8.0.12.24603 | 8.0.14.25112 |
IIS URL Rewrite Module 2 | 7.2.1993 | 7.2.1993 |
Application Request Routing 3.0 | 3.0.5311 | 3.0.5311 |
NodeJS | 20.18.2.0 | 20.18.3.0 |
Erlang OTP | 26.2.5.6 | 26.2.5.6 |
Rabbit MQ | 4.0.3 | 4.0.3 |
SQL Server | 15.0.4415.2 | 15.0.4430.1 |
OpenSSL | 3.3.2 | 3.3.2 |
Envoy | 1.29.12 | 1.29.12 |
Handle | 5.0 | 5.0 |
Curl | 8.12.0 | 8.12.1 |

Tenable Identity Exposure 3.77.9 (2025-02-20)

- Tenable Identity Exposure streamlined the rollback process to effectively revert the environment to its previous state, ensuring no residual clutter or inconsistencies remain.
  New Prerequisite: Ensure the storage manager has at least 20 GB of available disk space before initiating the rollback procedure. For information, see Resource Sizing in the Tenable Identity Exposure User Guide.

Tenable Identity Exposure version 3.77.9 contains the following bug fixes:
Bug Fixes |
---|
The audit.csv file from the IoA listener module installs correctly. |
Tenable Identity Exposure improved the retrieval method for the install location and ensured that all Cleanup_* custom actions do not cause installation or upgrade failures if they return an error. Additionally, Tenable Identity Exposure enforced non-interactive execution for custom actions to prevent confirmation prompts during installation. |
Tenable Identity Exposure enhanced application resilience with proper handling of RabbitMQ channel errors during message publishing. |
Tenable Identity Exposure enhanced the access list permissions of the updater folder to prevent access by any malicious users. |
Tenable Identity Exposure resolved a broken authorization schema in the Indicator of Attack script and configuration. |
Tenable Identity Exposure addressed a Credential Disclosure vulnerability to prevent administrators from extracting stored SMTP account credentials. |
The GoldenTicket Indicator of Attack (IoA) now raises an alert when the attacker uses the forged TGT ticket in basic mode. |
The Dangerous Kerberos Delegation Indicator of Exposure (IoE) now includes all incriminating attributes related to orphaned SPNs. |
Tenable Identity Exposure now prevents unauthenticated calls with internal services from being saved in activity logs, ensuring clearer and more accurate log records. |
Tenable Identity Exposure autocompletes the Security Engine Node (SEN) IP address with the fully qualified domain name (FQDN) when the customer's certificates contain only DNS names. |
Tenable Identity Exposure improved the Windows event log parsing speed, preventing the product from accumulating lag. You must redeploy Indicators of Attack to benefit from this change. |
Tenable Identity Exposure resolved the restoration of environment variables when upgrading the Security Engine Node (SEN). |
Tenable Identity Exposure now terminates the previous updater.exe process using a scheduled task during auto-update. |
The Tenable Identity Exposure name appears correctly in the user interface. |
The OS Credentials Dumping IoA now correctly resolves source IP, source hostname, and target IP when the attack is triggered by NT AUTHORITY\SYSTEM. |
Tenable Identity Exposure now considers the list of privileged PSOs from security profiles, resolving the IoE Application of Weak Password Policies on Users with the reason "No privileged PSOs are applied on the domain" when this option is configured. |
Tenable Identity Exposure resolved the handling of the lockout threshold and lockout duration options in the Application of Weak Password Policies on Users IoE. It is now possible to allowlist deviances when you set their values to 0. |
The Health Check page now displays even if one of the registered forests contains a backslash in the user name. |
Tenable Identity Exposure no longer prevents crawling from succeeding if the sensitive data collection isn't properly configured. |

Software Name | Pre-upgrade | Post-upgrade |
---|---|---|
Tenable Identity Exposure | 3.77.6 | 3.77.9 |
C++ 2015-2019 Redistributable | 14.38.33135.0 | 14.38.33135.0 |
.NET Windows Server Hosting | 8.0.11.24521 | 8.0.12.24603 |
IIS URL Rewrite Module 2 | 7.2.1993 | 7.2.1993 |
Application Request Routing 3.0 | 3.0.5311 | 3.0.5311 |
NodeJS | 20.18.1.0 | 20.18.2.0 |
Erlang OTP | 26.2.5.5 | 26.2.5.6 |
Rabbit MQ | 4.0.3 | 4.0.3 |
SQL Server | 15.0.4405.4 | 15.0.4415.2 |
OpenSSL | 3.3.2 | 3.3.2 |
Envoy | 1.29.10 | 1.29.12 |
Handle | 5.0.0 | 5.0 |
Curl | 8.11.0 | 8.12.0 |