Tenable Identity Exposure 2026 On-Premises Release Notes

Tip: You can subscribe to receive alerts for Tenable documentation updates.

These release notes are listed in reverse chronological order.

Tenable Identity Exposure 3.93.5 (2026-06-23)

Bug Fixes

Tenable Identity Exposure version 3.93.5 contains the following bug fixes:

Bug Fixes
Fixed a security issue where certain API endpoints were accessible without authentication.
Attack Path — Timeout and fallback for path computation When exploring all paths between two nodes in Attack Path, a three-minute time limit is now enforced. If the computation exceeds this limit, the system automatically falls back to displaying only the shortest path. This means that in environments with a large number of objects, the Attack Path view will always return a result — showing at minimum the shortest path to Tier-0 — instead of timing out with no result at all.
The scheduled task that launches the Indicators of Attack (IoA) event listener on Domain Controllers has been upgraded from Low priority to Normal priority. This resolves an issue where heavily loaded DCs could delay the script launch by several hours, potentially causing gaps in attack detection coverage
GoldenTicket Indicator of Attack (IoA) — Prevents duplicate Golden Ticket alerts when a single suspicious 4769 correlates with multiple 4624 logon events within the one-hour window. Each suspicious 4769 now raises at most one alert per profile.
Fixed an issue where the password reuse indicator of exposure was incorrectly raised on internal DNS partition objects (ForestDnsZones, DomainDnsZones) instead of only on the actual domain. Customers may have seen spurious password reuse deviances attributed to these non-root objects. These false positives are no longer generated.
IoA deployment scripts now correctly output audit policies section.
Fixed a bug preventing the removal of the WMI launcher (AlsidForAD-Launcher) from the DC when running IoA uninstall.
Fixed an issue that could prevent the read of the IoA configuration file and the start of the dedicated SMB share listener.
Fixed a bug preventing the Sysvol listener to restart when the Sysvol was unreachable (network) during the initial configuration.
Fixed health check displaying "An error as occurred" error message.
Tenable Identity Exposure Documentation link has been updated.
Indicator of Exposure (IoE) Last Password Change on KRBTGT account remediation script has been updated.
Megaphone icon menu button has been removed.
Allows the retrieval of the listenerLauncher.ps1 hash from the IoA deployment script to be able to whitelist it in the EDR prior to the IOA deployment.
The Indicator of Exposure description and recommendations for Dangerous Kerberos Delegation have been restructured and expanded. Key improvements include: The deviance reason now clarifies that an orphaned SPN means the SPN is not registered to any account in the domain (even if the host itself still exists), creating a "SPN-jacking" vulnerability. Recommendations are now broken into clear, actionable sections for each delegation risk type (unconstrained, constrained with protocol transition, constrained on sensitive object, RBCD, Entra SSO account, and orphan SPN). The orphan SPN recommendation now explicitly states to clean up the msDS-AllowedToDelegateTo attribute by removing invalid entries via the "Delegation" tab in Active Directory Users and Computers.
The error message "You can't remove the Administrator role of this user since you would lose all administration rights" is now displayed only when applicable.
The DYNAMIC RPC CONNECTION health check is now hidden when the Privileged Analysis toggle is disabled.
Escape double quotes in syslog insertion strings.
Fixed Compression and Removal logs tasks that failed to start due to specific folder naming formats to ensure consistent disk space management.
Revised the installer UI documentation's embedded hyperlinks to point to the definitive, current product documentation.
The timeout for getting AttackPath's paths between two nodes is now set to three minutes, and when that limit is reached, it falls back to the shortest path.
Addressed an issue where the Secure Relay updater scheduled task would expire and stop running after 365 days. The expiration date has been removed to ensure continuous, long-term operation. (requires SRLY update)
Fixed the Relay LDAP request responsible for retrieving customer Domain Controllers. The request was returning an incomplete list of Domain Controllers, which led to inaccurate IoA activity health-check status and occasional false-positive Golden Ticket alerts.

Updated Software Dependencies

Software Name	Pre-upgrade	Post-upgrade
Tenable Identity Exposure	3.93.4	3.93.5
C++ 2015-2022 Redistributable	14.38.33135.0	14.38.33135.0
.NET Windows Server Hosting	8.0.21.25475	8.0.28.26269
IIS URL Rewrite Module 2	7.2.1993	7.2.1993
Application Request Routing 3.0	3.0.5311	3.0.5311
NodeJS	20.19.5.0	20.20.2.0
Erlang OTP	26.2.5.15	26.2.5.21
Rabbit MQ	4.0.9	4.0.9
SQL Server	15.0.4445.1	15.0.4470.1
OpenSSL	3.5	4.0.1
Envoy	1.29.12	1.29.12
Handle	5.0	5.0
Curl	8.16.0	8.20.0

Tenable Identity Exposure 3.77.17 (2026-04-08)

Bug Fixes

Tenable Identity Exposure version 3.77.17 contains the following bug fixes:

Bug Fixes
Eliminates Golden Ticket false positives for authentication requests (4768/4770) originating locally on a Domain Controller via loopback IP.
Triggers an automatic re-crawl of Sysvol files if SMB network errors occur, ensuring no critical files are missed.
Restores RabbitMQ consumer and producer connectivity automatically following a channel shutdown.
Ensures the Sysvol listener reconnects properly by handling Win32Exceptions when a root directory is not found.
Supports successful MSI upgrades even when the Application Directory location has changed.
Removes orphan WMI listeners during IoA GPO uninstallation to ensure a clean environment.
Enables Security Profile customizations by providing necessary infrastructure data during initialization and post-login.
Refines the Cleanup_AdvInstServer process to exit gracefully and issue a pipeline warning if a hostname is not found.

Updated Software Dependencies

Software Name	Pre-upgrade	Post-upgrade
Tenable Identity Exposure	3.77.16	3.77.17
C++ 2015-2019 Redistributable	14.38.33135.0	14.38.33135.0
.NET Windows Server Hosting	8.0.23	8.0.25
IIS URL Rewrite Module 2	7.2.1993	7.2.1993
Application Request Routing 3.0	3.0.5311	3.0.5311
NodeJS	20.19.5.0	20.20.2.0
Erlang OTP	26.2.5.16	26.2.5.18
Rabbit MQ	4.0.9	4.0.9
SQL Server	15.0.4455.2	15.0.4460.4
OpenSSL	3.6.1	3.6.1
Envoy	1.29.12	1.29.12
Handle	5.0	5.0
Curl	8.18.0	8.19.0

Tenable Identity Exposure 3.77.16 (2026-02-03)

Bug Fixes

Tenable Identity Exposure version 3.77.16 contains the following bug fixes:

Bug Fixes
IoA events listener persistence: Fixed persistence issue with the IoA events listener registration.
IoA certificate persistence: Fixed Tenable certificate persistence issue affecting Indicators of Attack.
Query string parsing: Fixed a regression affecting large query string arrays in API requests.

Updated Software Dependencies

Software Name	Pre-upgrade	Post-upgrade
Tenable Identity Exposure	3.77.15	3.77.16
C++ 2015-2019 Redistributable	14.38.33135.0	14.38.33135.0
.NET Windows Server Hosting	8.0.22.25528	8.0.23
IIS URL Rewrite Module 2	7.2.1993	7.2.1993
Application Request Routing 3.0	3.0.5311	3.0.5311
NodeJS	20.19.5.0	20.19.5.0
Erlang OTP	26.2.5.16	26.2.5.16
Rabbit MQ	4.0.9	4.0.9
SQL Server	15.0.4455.2	15.0.4455.2
OpenSSL	3.5.1	3.6.1
Envoy	1.29.12	1.29.12
Handle	5.0	5.0
Curl	8.17.0	8.18.0