Tenable Identity Exposure 2025 Release Notes

• Exposure Center — The Exposure Center offers a simpler, more unified experience by merging the Exposure Overview and Exposure Instances pages into a single view. The updated page introduces quick-filtering options, allowing you to apply filters faster and focus on the most relevant data.

• Security profiles — A new security profile switch is available in the header bar, showing which Tenable security profile is active.

• Indicators of Exposure

  • Application of Weak Password Policies — Improved vulnerability details and recommendations.

  • ADCS Dangerous Misconfigurations — Updated the description to show the ESC reference for each reason.

• Insights — Added visibility into the new Insights feature when Tenable Cloud is not enabled.

• RabbitMQ — Improved resilience by implementing automatic recovery for dropped connections, ensuring continuous message processing and preventing service interruptions.

• Identity 360 — Removed the "Is Licensed" and "License Expires At" properties from the Identity 360 views to improve clarity, as they were not relevant to Tenable Identity Exposure.

• Exposure Center Exclusions — This feature lets you allowlist specific asset groups to prevent known, low-risk configurations from appearing in weakness reports. This helps reduce noise, and ensure the security findings remain relevant and actionable.

• SMB File Sharing — A new optional file-sharing mode is now available in the Indicator of Attack (IoA) module for collecting Windows event log files. It leverages a dedicated SMB share that Tenable Identity Exposure secures within your infrastructure.

Entra ID Indicators of Exposure

• Password Expiration Enforced — This IoE detects domains that enforce password expiration, which can undermine security by prompting users to change passwords frequently, often leading to weak, predictable, or reused passwords that reduce overall account protection.

• Managed Devices Not Required for MFA Registration — This IoE detects tenants that do not have a Conditional Access Policy enabled to require managed devices for MFA registration. Requiring managed devices for MFA registration adds an extra layer of security, making it harder for attackers to register a rogue MFA method—even if they have stolen credentials—unless they also possess a managed device.

Tenable Identity Exposure version 3.96 contains the following bug fixes:

Active Directory (AD) Indicators of Exposure

• BadSuccessor Dangerous dMSA Permissions — This IoE detects BadSuccessor, a privilege escalation vulnerability in Active Directory introduced with Windows Server 2025 dMSAs. This vulnerability allows attackers to abuse dMSA inheritance to gain high-privilege access, potentially compromising the entire domain. Exploitation requires a Windows Server 2025 domain controller.

• Tenable Identity Exposure renamed the Settings menus to better reflect their purpose. Additionally, Tenable Identity Exposure now makes the Identity Providers menu, used to configure Entra ID tenants when enabled, more easily accessible via the gear icon.

Tenable Identity Exposure version 3.95 contains the following bug fixes:

Tenable Identity Exposure version 3.92 contains the following bug fixes:

Tenable Identity Exposure version 3.91.1 contains the following bug fix:

• Non-Essential Group — This new Indicator of Exposure (IoE) reports empty groups and groups with only one member.

  Note: The Non-Essential Group IoE was initially released as two separate IoEs — Empty AD Group and Single Member AD Group — alongside the Exposure Center on February 5, 2025. These two IoEs later relocated to the Indicator of Exposure view, aligning them with other AD-related IoEs. The new Non-Essential Group IoE consolidates these previous IoEs into a single entity.

• Removal of the /Default suffix from the Exposure Instance names, as Tenable Identity Exposure considers that all weaknesses are from a single instance.

• The Identity 360 and Exposure Overview pages now redirect to the Exposure Instances page when drilling down on the related weaknesses.

Tenable Identity Exposure version 3.91 contains the following bug fixes:

• Unsupported or Outdated Exchange Servers — This new Indicator of Exposure (IoE) detects outdated Exchange servers that Microsoft no longer supports as well as those missing the latest Cumulative Updates. To maintain a secure and fully supported Exchange environment, promptly address obsolete or unpatched servers. Failure to do so increases the risk of exploitation, exposing your organization to data breaches and ransomware attacks.

• The ADCS Dangerous Misconfigurations IoE now reports the ESC9 vulnerability, flagging certificate templates with the unsecured CT_FLAG_NO_SECURITY_EXTENSION as deviant.

• The Exposure Overview and Exposure Instances pages now display the names of the Identity Data Providers tenants (AD domain, Entra ID tenant, etc.) where it detected security findings.

Tenable Identity Exposure version 3.90 contains the following bug fixes:

• Identity 360

  • Improved loading times for various Identity 360 pages, especially when viewing an asset's Access & Entitlement tabs.

  • Tenable Identity Exposure now gathers Active Directory Entitlements faster, making data available earlier after product setup in the Identity 360 page under the Entitlement tab for the asset's details. Tenable Identity Exposure focuses only on entitlements that impact the security context of our customers.

• Indicators of Exposure (IoE)

  • Mapped Certificates on Accounts — This IoE previously reported privileged users with only two types of mappings: X509IssuerSubject and X509SubjectOnly. It has now expanded its original scope to include additional mappings — X509RFC822, X509IssuerSerialNumber, X509SKI, and X509SHA1PublicKey.

  • Mapped Certificates on Accounts — Tenable Identity Exposure improved this IoE to report weak explicit certificate mappings, addressing the AD CS ESC14 Abuse Technique.

  • Single Member AD / Entra Group — The IoE now shows the group member in the "Why it matters" description.

  • First-Party Service Principal With Credentials — The IoE now shows the details for the identified credentials in the "Why it matters" description.

  • Single Member AD / Entra Group and Empty Group — These IoEs now only count direct members for more accurate and meaningful results.

  • Security Profile Customization — Improved description for the options "Permitted object owner (by group membership)" for applicable IoEs.

• Health checks

  • Permissions to Collect the AD Domain Data — Now hides the "Granted Permissions to Collect Privileged Data" details when Privileged Analysis is deactivated in the user interface. Make sure your Relay is up to date for this feature to work.

  • Domain Reachability — Now gives a more precise reason why the domain is unreachable.

Tenable Identity Exposure version 3.89 contains the following bug fixes:

• Indicator of Exposure (AD) — Exchange Dangerous Misconfigurations to list misconfigurations that impact Exchange resources or its underlying Active Directory schema objects.

Tenable Identity Exposure version 3.88 contains the following bug fixes:

• Exposure Center — Removal of references to Vulnerability Priority Rating (VPR) from the Exposure Overview because Tenable Identity Exposure does not populate these scores for identity-related Indicators of Exposure.

Tenable Identity Exposure version 3.87 contains the following bug fixes:

• Exposure Center —Exposure Center is a Tenable Identity Exposure feature that enhances your organization's identity security posture. It identifies weaknesses and misconfigurations across your identity risk surface, covering both the underlying identity systems, such as Entra ID, and the identities within those systems.

  This feature's user experience revolves around three interconnected concepts: Exposure Overview, Exposure Instances, and Findings. Tenable Research supports these concepts with a new security engine and specifically developed Indicators of Exposure (IoEs) to drive their functionality.

  For more information, refer to Exposure Center in the Tenable Identity Exposure User Guide.

• New Entra ID Indicators of Exposure

  Name	Description
  Ability of Standard Accounts to Register Applications	By default, any Entra user can register applications within the tenant. While this feature is convenient and not an immediate security vulnerability, it does carry certain risks. Therefore, following best practices, Tenable recommends disabling this capability.
  Application Allowing Multi-Tenant Authentication	Entra applications, which allow multi-tenant authentication, may give unauthorized access to malicious users if this configuration was not enabled with full awareness and without implementing adequate authorization checks within the application code.
  Conditional Access Policy Disables Continuous Access Evaluation	Continuous Access Evaluation is an Entra ID security feature that enables swift reactions to security policy changes or user status updates. For this reason, do not disable it.
  Dangerous Application Permissions Affecting the Tenant	Microsoft exposes APIs in Entra ID to allow 3rd-party applications to perform actions on Microsoft services on their own (called "application permissions"). Certain permissions can pose a serious threat to the entire Microsoft Entra tenant.
  Dangerous Delegated Permissions Affecting the Tenant	Microsoft exposes APIs in Entra ID to allow 3rd-party applications to perform actions on Microsoft services on their own (called "application permissions"). Certain permissions can pose a serious threat to the entire Microsoft Entra tenant.
  Disabled Account Assigned to a Privileged Role	Having a sane account management process requires monitoring assignments to privileged roles.
  Dormant Device	Dormant devices pose security risks such as outdated configurations and unpatched vulnerabilities. Without regular monitoring and updates, these stale devices become potential targets for exploitation, compromising tenant integrity and data confidentiality.
  Dormant Non-Privileged User	Dormant non-privileged users pose security risks as attackers can exploit them for unauthorized access. Without regular monitoring and deactivation, these stale users create potential entry points for malicious activities by expanding the attack surface.
  Dormant Privileged User	Dormant privileged users pose security risks as attackers can exploit them for unauthorized access. Without regular monitoring and deactivation, these stale users create potential entry points for malicious activities by expanding the attack surface.
  Dynamic Group with Exploitable Rule	Attackers can exploit dynamic groups in Microsoft Entra ID by manipulating self-modifiable attributes, allowing them to add themselves as group members. This manipulation enables privilege escalation and unauthorized access to sensitive resources tied to the groups.
  Empty Entra Group	Empty groups can lead to confusion, compromise security, and result in unused resources. It is generally advisable to establish a clear purpose for groups and ensure they contain relevant members.
  Entra Security Defaults Not Enabled	Entra ID Security Defaults offer pre-configured, Microsoft-recommended settings to enhance tenant protection.
  Federated Domain List	Malicious federated domain configuration is a common threat, used by attackers as an authentication backdoor to the Entra ID tenant. Verifying existing and newly added federated domains is crucial to ensure their configurations are trustworthy and legitimate. This Indicator of Exposure provides a comprehensive list of federated domains and their relevant attributes to help you to make informed decisions about their security status.
  Federation Signing Certificates Mismatch	Microsoft Entra ID allows delegation of authentication to another provider through federation. However, attackers with elevated privileges can exploit this feature by adding a malicious token-signing certificate, leading to persistence and privilege escalation.
  First-Party Service Principal with Credentials	First-party service principals have powerful permissions but are often overlooked due to their high volume, lack of visibility, and Microsoft ownership. Attackers can exploit this by adding credentials to these principals, allowing them to stealthily leverage their privileges for privilege escalation and persistence.
  Guest Account with Privileged Role	Guest accounts are external identities that can pose a security risk when they have privileged roles assigned to them. This grants substantial privileges within the tenant to individuals outside your organization.
  Guest Accounts with Equal Access to Normal Accounts	It is not advisable to configure Entra ID to consider guests as regular users, as it may enable malicious guests to conduct comprehensive reconnaissance on the tenant's resources.
  High Number of Administrators	A high number of administrators increases the attack surface and poses security risks due to their elevated privileges. This also indicates a failure to uphold the principle of least privilege.
  Known Federated Domain Backdoor	Microsoft Entra ID allows delegation of authentication to another provider through federation. However, attackers with elevated privileges can exploit this feature by adding their malicious federated domain, leading to persistence and privilege escalation.
  Legacy Authentication Not Blocked	Legacy authentication methods do not support Multi-Factor Authentication (MFA), enabling attackers to continue performing brute-force, credential stuffing, and password-spraying attacks.
  Missing Multi-Factor Authentication for Non-Privileged Accounts	MFA provides strong protection for accounts against weak or breached passwords. Security best practices and standards recommend that you enable MFA, even for non-privileged accounts. Accounts without an MFA method registered cannot benefit from it.
  Missing Multi-Factor Authentication for Privileged Accounts	MFA provides strong protection for accounts against weak or breached passwords. Security best practices and standards recommend that you enable MFA, even for non-privileged accounts. Accounts without an MFA method registered cannot benefit from it.
  Multi-Factor Authentication Not Required for a Privileged Role	MFA provides strong protection for accounts against weak or breached passwords. Security best practices and standards recommend that you enable MFA, particularly for privileged accounts with assigned privileged roles.
  Multi-Factor Authentication Not Required for Risky Sign-Ins	MFA provides strong protection for accounts against weak or breached passwords. Security best practices and standards recommend that you require MFA for risky sign-ins, for example when the authentication request may not come from the legitimate identity owner.
  Never Used Device	Avoid pre-created, never-used device accounts, as they indicate poor security hygiene and may pose potential security risks.
  Never Used Non-Privileged User	Never used non-privileged user accounts are vulnerable to compromise as they often evade detection from defensive measures. Additionally, their default passwords make them prime targets for attackers.
  Never Used Privileged User	Never used privileged user accounts are vulnerable to compromise as they often evade detection from defensive measures. Additionally, their default passwords make them prime targets for attackers.
  Password Protection Not Enabled for On-Premises Environments	Microsoft Entra Password Protection is a security feature that prevents users from setting easily guessable passwords to enhance overall password security in an organization.
  Privileged Account Naming Convention	A naming convention for privileged users in Entra ID is crucial for security, standardization, audit compliance, as well as facilitates administration.
  Privileged Entra Account Synchronized with Active Directory (Hybrid)	Hybrid accounts, i.e. synchronized from Active Directory, with privileged roles in Entra ID pose a security risk because they allow attackers who compromise AD to pivot to Entra ID. Privileged accounts in Entra ID must be cloud-only accounts.
  Privileged Entra Account With Access to Microsoft 365 Services	Maintain separate Entra accounts for administrative tasks: a standard account for daily use and a dedicated privileged account for administrative activities. This approach minimizes the attack surface of the privileged account, enhancing security.
  Public Microsoft 365 Group	Microsoft 365 groups stored in Entra ID are either public or private. Public groups pose a security risk because any user within the tenant can join them and gain access to their data (Teams chats/files, emails, etc.)
  Show Additional Context in Microsoft Authenticator Notifications	For improved visibility, enable Microsoft Authenticator notifications to display additional context, such as the application name and geolocation. This helps users identify and deny potentially malicious MFA or passwordless authentication requests, effectively mitigating the risk of MFA fatigue attacks.
  Single Member Entra Group	Creating a group with only one member is not advisable, as it introduces unnecessary redundancy and complexity. This practice adds extra layers of management, which can undermine the efficiency that groups are designed to provide in terms of streamlined access control and administration.
  Suspicious Directory Synchronization Accounts Role Assignment	"Directory Synchronization Accounts" is a privileged Entra role hidden within the Azure and Entra ID portals, usually designated for Microsoft Entra Connect (formerly Azure AD Connect) service accounts. However, malevolent actors may exploit this role for covert attacks.
  Temporary Access Pass Feature Enabled	The Temporary Access Pass (TAP) feature is a temporary authentication method that uses a time-limited or limited-use passcode. While it is a legitimate feature, it is safer to disable it to reduce the attack surface if your organization does not require it.
  Unrestricted Guest Accounts	By default, Entra ID limits guest users' access to reduce their visibility within the tenant. You can further enhance security and privacy by tightening these restrictions.
  Unrestricted User Consent for Applications	Entra ID allows users to autonomously consent to external applications' access to organization's data, which attackers may exploit in "illicit consent grant" attacks. Prevent this by restricting access to verified publishers or requiring administrator approval.
  Unusual Federation Signing Certificate Validity Period	An unusually high validity period for a federation signing certificate is suspicious, as it could indicate that an attacker obtained elevated privileges in Entra ID and created a backdoor through the federation trust mechanism.
  Unverified Domain	Confirm ownership of all custom domains in Entra ID. Keep unverified domains only temporarily - either verify or remove them to maintain a clean domain list and facilitate efficient reviews.

• Indicator of Exposure — A new IoE, Hybrid Entra ID Information, provides insights into Microsoft Entra ID data replicated to on-premises Active Directory, enabling organizations to identify potential security risks and address policy misalignments.

• Indicators of Exposure

  • Managed Service Accounts Dangerous Misconfigurations — Improvement in this IoE to include support for groups, enabling streamlined control of access to a gMSA.

  • Ensure SDProp Consistency — Improved recommendations.

  • Shadow Credentials — Improved recommendations for remediation of Return of Coppersmith’s Attack (ROCA). Introduction of a new option to remove potential false positives related to hybrid environments with Entra ID when the "device writeback" feature is disabled. This has an impact on the "Orphan Key Credential" reason in this IoE.

  • Two new options to enhance control over object ownership and permissions by group membership:

  • Permitted Object Owner (by Group Membership): Allows security principals to be designated as object owners through their group membership.

  • Permitted Trustees List (by Group Membership): Enables the assignment of special permissions to security principals based on their group membership.

• Indicator of Attack — The Golden Ticket IoA has improved attack vector text.

• Trust Attributes and Types in Directory Services

  • The trustType attribute now supports the TTAAD (TRUST_TYPE_AAD) value.

  • The trustAttributes attribute now supports the TDAV (TRUST_ATTRIBUTE_DISABLE_AUTH_TARGET_VALIDATION) value.

• Export function — Users can choose the separator (comma or semicolon) when performing a CSV export, enabling flexibility to suit various use cases. The browser remembers the last used separator for future exports.

Tenable Identity Exposure version 3.86 contains the following bug fixes:

• Identity 360 —A new identity-centric feature in Tenable Identity Exposure provides a rich and exhaustive inventory of every identity across the organization's identity risk surface.

  This feature unifies identities across Active Directory and Entra ID and enables them to be ranked by their risk, so you can rank identities across your organization from most risky to least risky.

  In addition, Identity 360 enables users to gain a deep understanding of each identity through various contextual lenses such as accounts, weaknesses, and devices associated with a given identity to gain a full perspective of that identity.

  For more information, refer to Identity 360 in the Tenable Identity Exposure User Guide.

• Health Check — A new domain health check enhances confidence in your Indicator of Attack deployment by identifying and addressing known errors on a per-domain basis.

  For more information, refer to Health Checks in the Tenable Identity Exposure User Guide.

Tenable Identity Exposure version 3.85 contains the following bug fixes: