Tenable Patch Management 2025 Release Notes

Our new, fully managed SaaS deployment, offloads the infrastructure, updates, and database management to Tenable. This means:

• Zero Infrastructure: No additional hardware is required.

• Always Up-to-Date: Receive the latest features, security patches, and improvements automatically, with no manual intervention.

• Scales With You: The platform automatically scales to meet your needs.

• Built-in Reliability: Enjoy built-in redundancy and failover from the start.

• Global Coverage: Tenable has global data centers across the United States, United Kingdom, Germany, Japan, Australia, Singapore, and more. – ready to serve customers worldwide. For more information, refer to Regional Data Mappings.

Tenable has streamlined the experience for the cloud while keeping the powerful P2P content distribution you rely on.

• Intelligent Automation: Go beyond simple patching. Build risk-based strategies using VPR/ACR data, create customizable workflows with granular 100% controls (e.g., rollback, pause, exceptions, tiered deployment, etc.), and track your SLAs with real-time analytics.

• Expanded OS & App Coverage: This release includes Tenable's industry-leading OS and third-party app coverage across Windows, Linux and MacOS (20,000+ Products, 250,000+ unique patches and growing). For more information, refer to Supported Platforms and Distributions in the Tenable Patch Management User Guide.

• Secure & Simple Content: Content distribution is restricted to TPM content only, stored and managed in the secure TPM CDN.

• Automatic Client Upgrades: Client upgrades are now released automatically after the tenant is upgraded, simplifying management.

• Centralized Admin: Administrator accounts and identity providers (e.g., OIDC and SAML) are now managed directly through the Tenable Workspace.

For our existing on-premises customers, we are offering a free upgrade to the SaaS solution for a limited time. While there is currently no direct automated migration path, you will need to relink your clients and recreate your patching strategies manually. Our teams are ready to assist you with this transition. For more information, refer to Upgrading to SaaS in the Tenable Patch Management User Guide.

This release significantly expands support patching for endpoints running across platforms.

Linux

Expanded coverage for major enterprise Linux distributions:

• Oracle Linux: 8, 9, 10

• RHEL (Red Hat Enterprise Linux): 8, 9, 10

• AlmaLinux: 8, 9, 10

• Rocky Linux: 8, 9, 10

• Debian: 11, 12, 13

• Ubuntu LTS: 22.04, 24.04.2

• CentOS Stream: 9, 10

macOS

Expanded support for Apple Silicon (M-Series) devices:

• macOS 26 (Tahoe)

• macOS 15 (Sequoia)

• macOS 14 (Sonoma)

• macOS 13 (Ventura)

Windows

• Windows 10 and later

• Windows Server 2012 R2 and 2016

• BIOS and driver patching support for:

  • Dell

  • HP

  • Lenovo (Workstations and Servers)

Linux Enhancements:

• New OS Support: Added official support for many key Linux variants, refer to the Platform Support Updates section for full details.

• Reboot Chaining: Added support for post-patch reboot chaining for Linux systems, particularly for kernel-level updates. Reboots are integrated into deployment workflows to minimize manual intervention.

• Metadata Generation: Automatically generates repository metadata for enterprise Linux applications, ensuring version accuracy and consistency.

• RPM Packaging Automation: CI build pipelines now support automated RPM creation for EL8 and EL10-based distributions.

Windows Enhancements:

• BIOS & Driver Patching: Enhanced support for BIOS and hardware driver updates for Dell, HP, and Lenovo systems.

• File System Operations Workflow Improvements: Folder-based operations now better utilize provided path context.

macOS Enhancements:

• macOS Support: Expanded full third-party patching support on M-Series devices, refer to the Platform Support Updates section for full details.

• Metadata Improvements: Patch metadata is now generated for a wide range of high-usage business, productivity, security, communication, utilities, AI, and enterprise applications. Below is a highlight of some of the most commonly used tools now covered:

  • AI Tools: Cursor, Claude, Gemini, AnythingLLM, Hedy AI, iTerm2 AI Plugin, Backyard AI

  • Communication & Collaboration: Zoom, Microsoft Teams, Slack, Webex, WhatsApp, RingCentral, Cisco Jabber, Telegram

  • Office & Productivity: Microsoft Office Suite (Word, Excel, Outlook, PowerPoint, OneNote), Adobe Acrobat Reader/Pro, Google Drive, OneDrive, Grammarly, ClickUp, QuickBooks

  • Development & IT Tools: Docker Desktop, Visual Studio Code, Postman, VMware Fusion, VirtualBox, Vagrant, Parallels Desktop, Eclipse IDEs, GitButler, JupyterLab, Microsoft Build of OpenJDK, Oracle JDK, Azure Data Studio

  • Security & VPN: Malwarebytes, AVG Antivirus, Sentinel, osquery, Yubikey Manager, NordVPN, Mullvad VPN, Amnezia VPN, PureVPN, ESET, Symantec VIP Access, ClamXAV

  • Cloud & DevOps: AWS Client VPN, Salesforce CLI, IBM Cloud CLI, Chef Workstation, Okta Advanced Server Access, JetBrains Gateway

  • Utilities & Other Tools: TeamViewer, Chrome Remote Desktop, Logitech Tools, HP Easy Start, Bose Device Updater, Tableau (Desktop, Prep, Public)

This expansion significantly improves patch visibility, automation, and reporting coverage across your environment.

New Features:

• Added MacPkgInfo sensor to collect installed .pkg data on macOS clients.

Improvements:

• Library Updates:

  • log4j: Buffered async logging.

  • commons-beanutils: 1.9.4 → 1.11.0

  • jgit: Updated to 7.0.1

  • commons-configuration2: 2.11.0 → 2.12.0 (addresses commons-lang3 vulnerability)

  • jxpath: 1.3 → 1.4.0

Bug fixes:

• FileInformation Sensor would not return results for known paths to Windows EXEs.

New Features:

• Added Business Units for:

  • Oracle Linux 8, 9, 10

  • Rocky Linux 8, 9, 10

  • AlmaLinux 8, 9, 10

  • RHEL 10

• Patch Notification Bots added for Vulnerability Management integrations.

• expires_in field added to OIDC authentication response.

• New system config: email.use_unauthenticated_smtp forces unauthenticated SMTP for outgoing email.

Improvements:

• Improved performance of sensor queries by redesigning dbo.prc_get_sensors and adding indexing.

• Workflow updates for FileSystemOperationsNode: GetFileInformation and DoesFileExist now better utilize folder paths.

Bug fixes:

• Fixed CDN download failures when filenames contain spaces.

• Resolved issues with policy version drilldowns not displaying correct reasons.

• Corrected ObjectTableSupporter API query limits.

New Features:

• Client Configurability Enhancements:

  • New setting userportal.enabled: Disables the Tenable User Portal on Windows clients and prevents the User Portal from launching.

  • New setting userportal.restrict_to_console: Disables the User Portal in RDP sessions while keeping it enabled on the console session.

• File Extraction on macOS: The ExtractFile action now supports .tar, .tar.gz, .tgz, .tar.bz2, .tbz, .tbz2, .tar.xz, and .txz.

Improvements:

• Improved Reboot Logic: Deployment proceeds until the final moment before a reboot is necessary. Previously, all deployments would block after any patch requests a reboot.

Bug fixes:

• Fixed an issue with missing approvals and patch exceptions when clients restarted during patch policy application.

• Resolved macOS 13 reboot failures during patch installations.

• Fixed default reboot behavior after client service restarts.

• Prevented Tenable User Portal from attempting to launch in Session 0.

• Fixed patching workflow delays due to unnecessary SQL connection holds.

• Addressed deadlock in cross-platform data transport layer.

• Resolved import issues with Falcon admin roles.

New Features:

• Email configuration UI now supports unauthenticated SMTP.

Enhancements:

• ConfigMgr content editor updated to allow toggling content publication separately from saving.

• Search no longer clears selected table rows.

Bug fixes:

• Addressed UI refresh timing issues affecting authentication sessions.

• Fixed problems with blocked patches editor menu.

• Corrected disabled publishing/unpublishing menu items in ConfigMgr content.

• Resolved missing SCCM Collections in UI for OneSite Wake licensed environments.

• Fixed visual issues with column selections in Inventory Policies.

• Addressed issues in advanced search functionality in Software Updates table.

• Ensured software deployment grouping navigation functions correctly.

Significantly Improved Installation Experience

The server and client installation process has been updated and simplified, with additional checks run to ensure functionality. The server installer includes new checks for cloud services connectivity. The client installer now creates the appropriate firewall rules on Linux and MacOS client operating systems. The client installer also performs several post-setup checks to ensure functionality.

Introduction of Client Validation Tool

A new client validation tool has been included to perform post-installation connectivity checks.

This tool verifies that the client can successfully connect to both local and cloud services. This experience is available cross-platform, both in the windows installer and the adaptivactl. The tool can also be executed by the user on an ad-hoc basis whenever necessary, especially for troubleshooting purposes. With these changes, administrators will always be certain that new client deployments are successful.

• All clients are now targeted by default when a Tenable Patch Management license is added.

• Additional updates made to improve the navigability of Business Units, the creation of Patching Strategies, and improved row selection in tables.

You can review the detailed changelog for this release below.

Common Updates

Bug Fixes:

• Security Fix: Upgraded JRE to 17.0.16, which resolves a known Java vulnerability (CVE-2025-30754). For more information, refer to the Tenable Product Security Advisory.

• Fixed potential deadlock with sending thread pool in http v2 transport.

Server Updates

New Features:

• All clients are now targeted automatically by default when a Tenable Patch Management license key is added.

• Added 24-hour task to check and synchronize blob versions. The default schedule runs at 2 AM and can be configured in blob.version_audit_time_of_day.

• Added Tenable Patch URLs connection validation to post setup verification checks.

Bug fixes:

• Fixed an issue where upload to cloud storage would not propagate the error higher up.

• Fixed an issue where cycle completion status would not update if the cycle's workflow failed to launch.

• Fixed an issue where editing of certain built-in workflows would fail due to object signing errors.

• Fixed an issue when using password reset email on a user with MFA enabled.

• Fixed an issue where the Per Product dashboard was not applying a filter for Business Unit ID.

• Fixed confusing error messages in rest API responses on forbidden operations.

• Fixed issue where workflow built-in workflow activities were not signed on server, causing issues launching workflows.

• Fixed issue where RestAPI purpose workflows were not getting their QueryStrings and Headers fields filled when parameters were passed in via API foundry.

Client Updates

New Features:

• adaptivactl create required firewall rules for the client.

• Added pre and post-setup checks to adaptivactl to make sure the client will function properly.

• Added several simplifications and verification checks to windows client setup with the AdaptivaClientValidator tool.

  • Forced relay and server GUID for TPM client setup

  • Removed non-required UI elements from TPM client setup

  • Check the availability of required UDP and TCP ports

  • AdaptivaClientValidator tool is included with the Windows client install files

  • AdaptivaClientValidator tool can be run manually

  • Interactive and silent modes are supported

  • Results are written to ClientSetupChecks.log

  • Verification Checks performed:

    • Validate Tenable Patch URLs access

    • Validate Relay connection

    • Validate client-server communication

    • Validate client-server handshake

    • Validate client-client communication

    • Validate content download

• Added UFW firewall application profile for Tenable Patch Client in Debian and Ubuntu package.

Improvements:

• adaptivactl now requires the --server-guid option for Tenable-branded clients in on-prem deployments.

Bug fixes:

• Fixed issue when adding or removing device from business unit that has a patch pause applied.

• Fixed issue where the client installer and service would fail if the system environment contained incompatible values in Java related environment variables such as _JAVA_OPTIONS or JAVA_TOOL_OPTIONS.

• Fixed issues when handling multiple inactivation requests.

Download and install the newest release here.

For more information about these updates, refer to the Tenable Patch Management Complete User Guide or contact your Tenable representative.

Tenable is pleased to announce the release of Tenable Patch Management 9.3.968.19, featuring major feature upgrades, new database server requirements, quality improvements, critical security, and bug fixes across the platform. Tenable strongly recommends upgrading to 9.3.968.19.

Key Release Highlights

• Cross Platform Installation Enhancements

  • Cross platform installers now support runtime parameters instead of updating and distributing a config file, allowing installations with switches similar to the Windows installer.

  • Please refer to Tenable Patch Client Installation and Uninstallation in the official documentation for detailed instructions.

• New Client Auto-Upgrade Feature

  • New auto-upgrade process has been developed to get clients up to the version of the server. This will work for all 9.3+ clients. Previous versions will need to use the old process to get clients to 9.3. The old process of auto-upgrade on Windows client will be deprecated in a future release.

  • Please refer to the Upgrade Tenable Patch Clients Using Automatic Deployments in the official documentation for detailed instructions.

• Minimum Version of SQL Server Changed

  • Minimum SQL Server version has changed. SQL Server must be at least SQL Server 2017. Also, the Adaptiva database compatibility level should be 140 or higher. Tenable recommends that SQL Server 2019 or later be used with compatibility level 150 or higher.

  • Please refer to the Database Requirements and Configurations in the official documentation.

• Fix for Missing DLL Causing Dell Driver Installation Failures

  • Resolves an issue where Dell drivers failed to install and Compliance Status showed "Non-Compliant" on Clients running Tenable Patch Management 9.2.XXX due to a missing DLL. The update in this release restores the required DLL, ensuring proper functionality for new installations going forward. Please note: Upgraded clients from version 9.1 or 9.0 do include this DLL and will not experience the issue.

• Resolved SQL Injection Vulnerability found in Tenable Server 9.1, 9.2, and Prior Versions

  • Fixed a SQL injection vulnerability in the login process affecting versions prior to 9.2.XXX, 9.1.XXX, and prior versions. The issue was resolved by implementing parameterized queries. Therefore, Tenable strongly recommends upgrading to 9.3.968.19. See the related Tenable Security Advisory here.

• Microsoft 365 Patching in Tenable Patch

  • Native Patching Support for the following versions of Microsoft Office:

    • Microsoft 365

    • Office 2024 LTS

    • Office 2024

    • Office 2021

    • Office 2019 (EOL scheduled for Oct 2025)

    • Office 2016 (EOL scheduled for Oct 2025)

    • Visio and Project, starting with version 2021

  • Fully integrated support for all updates that are released by Microsoft for the above products in Tenable Patch. No more manual blob generation or content packaging. Just select and deploy.

  • Delta Updates = Smaller, Smarter Patching instead of downloading full 3GB updates for each language, Tenable Patch distributes monthly delta updates (30–50 MB), reducing bandwidth usage by up to 95%.

Server Updates

Improvements:

• Dynamic Logging Config: Component logging now reloads automatically when the config file is updated.

• Optimized Bulk Messaging: Default bulk_messaging_batch size reduced from 100 to 25 to avoid dropped messages due to RVP buffer limits.

• Secure Login Queries: User emails now passed using parameterized queries during login.

Bug Fixes:

• Flexible ACR Input: Tenable REST client updated to accept both float and int in the ACR field.

• Patch Submission Cleanup Bug Fix: Resolved issue where deleting a patch did not remove its submission records from associated strategies..

• Device Status Filtering Fix: Corrected device status table to only include devices with the relevant product installed.

• Workflow Validation Enhancement: Improved validation for file system operation nodes using runtime expressions.

• Patch Deployment Approval Check Fix: Fixed issue where clients could deploy patches missing approvals from cycles or disabled strategies.

• STRING_AGG Overflow Crash Fix: Resolved crash when STRING_AGG created strings exceeding 8,000 characters.

• Business Unit and Metadata Health Display Fixes: Fixed business unit filtering in dp_per_patch__device_status and corrected dp_landing_page__patching_system_health to reflect accurate Metadata feed health above 90%.

Client Updates

• Client Auto-Upgrade Feature in the UI

  • Manage automatic client upgrade settings

  • View current client installation information.

  • Pause / immediately deploy client upgrades.

• Microsoft 365 Auto-Update Logic Update

  • Auto-updates disabled if Windows Patching is licensed and wsus.O365 = true.

  • Enables proper scan classification for Microsoft 365 products.

Improvements:

• AngularJS Version Upgrade: From 19.1.3 to ^19.2.10.

• Auto-Reload Logging Config on File Change: Automatically reload component logging configuration when the config file is modified.

• Optimize Linux Memory Usage with jemalloc: Reduce resident memory usage on Linux clients by replacing glibc's allocator with jemalloc, which more efficiently returns unused memory to the OS.

• Improve Filter Condition Readability: Use more intuitive operator symbols in textual representations of advanced filter conditions.

Bug Fixes:

• SMTP Email Blocking Startup: Fixed issue where SMTP-based communication provider could block server startup due to invalid user email.

• Patch Rescan Delay: Fixed issue where removing a patch from the block list wouldn’t immediately trigger a rescan.

• macOS VPN Connection Failure: Fixed issue preventing macOS clients from connecting to the server over VPN.

• Compliance State Not Updating: Fixed issue where products remained compliant after consuming new applicable patches.

• Dashboard Menu Icon Fix (Users): Fixed header menu icon sizing and alignment on user dashboards.

• Data Provider Switch Error: Fixed errors when changing data provider types in the editor.

• Advanced Filter UI Constraint: Fixed issue allowing multiple child conditions under a "NOT" operator in filters.

• Dashboard Menu Icon Fix (Patching): Fixed header menu icon sizing and alignment on patching strategy operations dashboard.

• Folder Search Override Bug: Fixed issue where parent folder searches were overridden by field searches in object tables.

Download and Install:

Download and install the newest release here.

For more information about these updates, see the Tenable Patch Management Guide or contact your Tenable representative.

Tenable is pleased to announce the release of Tenable Patch Management 9.2.967.22, featuring minor quality improvements and bug fixes across the platform

Server Updates

Fixed:

• Fixed issue where Business Units by Waves column in cycle tables were empty if no deployment waves exist for the cycle owner.

• Modified the patch server framework component to depend on the feed server, preventing a race condition during registration.

• Fixed bug where patching cycles could lose business unit information after a server restart.

• Improved update process for supported platforms within existing workflows and activities during server upgrades.

Client Updates

Fixed:

• Change to WUAHttpServer to include content-length header on full GET request for a file. Resolves the Window Server 2016 patch download issue.

Download and Install:

Download and install the newest release here.

For more information about these updates, see the Tenable Patch Management Guide or contact your Tenable representative.

Tenable is pleased to announce the release of Tenable Patch Management 9.2.967.21, featuring minor quality improvements and bug fixes across the platform

Server Updates

Fixed:

• Resolved an issue where approval chains were not validated correctly in scenarios requiring more approvals than available approvers in a role.

• Fixed a bug where business unit exports defaulted to All Clients and failed on import due to missing objects.

• Updated logic to run client device summarization when a client is added, removed, or updated.

• Addressed an issue where dashboard exports to Excel did not include all rows.

• Restored the missing patching_exceptions_count field in [patch].[dp_landing_page__patching_metrics].

• Corrected SMTP email functionality by properly storing authentication credentials.

• Prevented configuration overrides for server content library and server temp folder paths.

Client Updates

Fixed:

• Resolved an issue where the APT Package Dependency sensor failed due to null return codes.

• Corrected the startup sequence for the byte-range data receiver to prevent registration failures during client initialization.

UI Updates

Fixed:

• Addressed a bug where the patch selection state was not accurately reflected in the Applicable Patch Presentation overlay after enabling a patching strategy.

• Fixed the multi-select checkbox behavior in table headers and footers to correctly reflect indeterminate "select-all" states.

• Prevented saving of workflows with empty target platforms when the Select All checkbox is unchecked.

Removed:

• Removed the Select All menu item from table header menus.

• This menu item only selected rows that were visible on the current page, which was not clear.

• This behavior is also redundant to the checkbox in the table header and footer.

Download and Install:

Download and install the newest release here.

For more information about these updates, see the Tenable Patch Management Guide or contact your Tenable representative.

Tenable is pleased to announce the release of Tenable Patch Management 9.2.967.20.

This release includes support for additional operating systems, critical bug fixes, performance enhancements, and improvements across the platform.

Highlights:

• New OS support for Red Hat Enterprise Linux, namely, RHEL 8 and RHEL 9.

• Stability and upgrade-related bug fixes.

• Updated Java Runtime and core libraries for improved performance.

Common Updates:

Changed

• Added support for Red Hat Enterprise Linux (RHEL 8 and RHEL 9) for on-premises Tenable Patch Management deployments.

• Upgraded Java 17 JRE to version 17.0.15.

• Updated Apache POI library to version 5.4.0.

Server Updates:

Changed

• Restored WhatsApp Support:

  • Modified WhatsApp notifications to use Meta-approved templates.

  • Background: Meta platform changes disrupted WhatsApp notifications via Twilio/SendGrid.

• Updated Patch Notification Bots behavior:

  • Bots can no longer mix WhatsApp Communication Provider with other providers.

  • Action Required: Review and modify any custom Patch Notification Bots using WhatsApp.

• Improved SQL Express installation:

  • Adjusted download method to avoid issues with Internet Explorer Enhanced Security Configuration (ESC).

Fixed

• Resolved issue preventing newly created business workflows from opening.

• Fixed server performance degradation caused by excessive group evaluations during client additions.

• Addressed upgrade failure during Business Unit migration.

• Resolved issue where RHEL clients did not appear in RHEL 8 and RHEL 9 Business Units.

• Fixed server startup issue due to improperly formatted Tenable Security Center URIs.

• Corrected issue where clients were not added to Windows Business Unit when reporting Windows build number.

Client Updates:

Fixed

• Resolved version comparison issues on pkg-based and rpm-based Linux distributions.

• Fixed requirement for /qn switch on MSI-based patch installations.

UI Updates:

Changed

• Updated the Patch Notification Bot editor:

  • UI now restricts combining WhatsApp with other Communication Providers.

  • Output Expression field is hidden when WhatsApp is selected.

Fixed

• Resolved issue with the Rank widget on the User Dashboard not displaying expected results.

Download and Install:

Download and install the newest release here.

For more information about these updates, see the Tenable Patch Management Guide or contact your Tenable representative.

Tenable is pleased to announce the release of Tenable Patch Management 9.2.967.18.

This release contains the following updates:

Server Updates

• Fixed issues with custom product sensor actions, export/import of business units, and PatchStatusQuery processing.

• Updated built-in and non-built-in sensors/actions with platform info.

Client Updates

• Deprecated SHA256Hash output from FileDetails sensor for better performance.

For more information about these updates, see the Tenable Patch Management Guide or contact your Tenable representative.

Tenable is pleased to announce the release of Tenable Patch Management 9.2.967.17.

This release contains the following updates:

Server Updates

• Added

  • Removed orphaned rows during upgrade and added prevention.

  • Support for validating Tenable access settings and configuring asset & CVE update intervals.

• Fixed

  • Issue with child business units not inheriting settings.

  • Performance improvements for large Client Table ID lists.

  • Index-out-of-bounds error in trigger property routing.

Client Updates

• Changed

  • Increased buffer space allocation (higher than previous heap size).

  • Reduced server activation check interval from 24 to 4 hours.

• Fixed

  • Fixed CAB scan failure crash.

  • Corrected issues with Linux package version comparison and scan detection in non-English locales.

  • Fixed reboot reminder notifications after sleep.

  • Corrected cycle compliance calculation and patch status consideration.

  • Fixed index issue with ClientFeedInstalled.

• Removed

  • Removed gsettings dependency for Linux system proxy retrieval.

UI Updates

• Changed

  • Disabled rename option for built-in folders.

• Fixed

  • Fixed sorting issues with Approval Requests and Blocked Patches.

  • Resolved issues with checkbox groups, "Save and Deploy" behavior, and UI menu items.

  • Fixed Workflow Designer issues with copy/paste, dynamic node properties, and node renaming.

For more information about these updates, see the Tenable Patch Management Guide or contact your Tenable representative.

Tenable is pleased to announce the release of Tenable Patch Management 9.2.967, which adds macOS and Linux support, along with Mozilla Firefox compatibility.

This release contains the following updates:

• Cross-platform support — You can now install Tenable Patch Management on macOS Ventura and later, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, CentOS Stream 9, CentOS Stream 10, Debian 11, and Debian 12.

• Mozilla Firefox support — Tenable Patch Management is now compatible with Mozilla Firefox.

• Patching Strategy enhancements — You can now delete, submit, or resubmit patches without first disabling their Patching Strategy.

For more information about these updates, see the Tenable Patch Management Guide or contact your Tenable representative.