Tenable Security Center 2025 Release Notes
These release notes are listed in reverse chronological order.
Tenable Security Center 6.7.0 Release Notes (2025-10-08)
You can download the update files from the Tenable Security Center Downloads page.
Note: This release includes a fix for a potential vulnerability. For more information, see the Tenable Product Security Advisory.

Note: The recommended hardware specifications for Security Center have been updated as of 6.7.0. Systems that do not meet the required specifications will not be blocked on upgrade and may continue to have acceptable performance; however, this depends on a variety of factors. Tenable Support may recommend additional hardware resources or configuration changes during the debugging process for support cases.
For more information, see Hardware Requirements in the Tenable Security Center Director User Guide.
Note: Web App Scanning using Tenable Nessus is deprecated in Tenable Security Center 6.7.0. You should move web application scanners to Tenable Core or Docker-based scanners.
Note: Tenable Security Center 6.6.0 was the last release to support deployment on Kubernetes. When you upgrade to 6.7.0, you will need to migrate to Tenable Enclave Security, which is the current Kubernetes-based deployment.
- Tenable Security Center 6.7.0 supports direct upgrades from 6.3.0 and later on the same operating system.
- Tenable recommends performing a backup before upgrading Tenable Security Center. For more information, see Perform a Backup in the Tenable Security Center User Guide.
- When you upgrade to Tenable Security Center 6.7.0, verify that your Nessus plugins have been updated within the last 30 days.
- If you upgrade Tenable Security Center Director, upgrade all managed Tenable Security Center instances connected to Tenable Security Center Director. After upgrading, allow up to 15 minutes for your managed Tenable Security Center instances to sync with Tenable Security Center Director.
- If you are running an external PostgreSQL database, it must be running and reachable before you upgrade to Tenable Security Center 6.7.0. Failure to do so will result in a failed upgrade of Tenable Security Center, even if the upgrade appears to succeed. If this occurs, you can restore the database with a preexisting backup file. Otherwise, you will need to contact your customer support representative to resolve the issue.
- When you upgrade to Tenable Security Center 6.7.0 with a tiered setup using remote or offline universal repositories, use the following steps:
  - Upgrade the child Tenable Security Center console that has the source repository to Tenable Security Center 6.7.0.
  - Sync the remote repository.
  - After the sync completes, upgrade the parent Tenable Security Center console to version 6.7.0.
  For more information, see the Knowledge Base article.
- After you upgrade to Tenable Security Center Director 6.7.0, you will need to sync existing remote repositories (either manually or via a scheduled sync) before you can browse vulnerability data from newly synced scan results.
  For more information, see Scan Results in the Tenable Security Center Director User Guide.
- Tenable Security Center 6.7.0 fixed an issue where DNS assets were broken for offline universal repositories, because you could not enter the IP range when adding the repository. When you upgrade to Tenable Security Center 6.7.0, the IP range for the offline universal repository is not automatically set. You must manually edit the offline repository and enter the IP range to use DNS assets.
- If you want to run a VACUUM operation in an external PostgreSQL, you must have super user or table owner permissions.
- If you upgrade to Tenable Security Center 6.7.0 and you have large amounts of data, the upgrade may take several hours.
- If you are running Tenable Security Center 6.7.0 and you are using pyTenable with the Tenable Security Center API, you must upgrade pyTenable to version 1.4.2 or later.
- If your upgrade path skips versions of Tenable Security Center (for example, upgrading from 6.4.5 to 6.7.0), Tenable recommends reviewing the release notes for all skipped versions. You may need to update your configurations because of features and functionality added in skipped versions.

Explore - Assets (Preview)
Tenable Security Center 6.7.0 enables a Technology Preview of Explore - Assets. This new data grid view for Asset-based information enables smoother workflows, additional filtering capabilities, group-by tools, and an updated user experience for viewing Asset-based information.
Note: As a Technology Preview, some customers may experience longer wait times for data to load in some of the new views.
For more information, see Explore Assets in the Tenable Security Center User Guide.
Triggered Agent Scans
Triggered Agent Scans are now available to configure in the Tenable Security Center UI (using Tenable Nessus Manager 10.9.0 or later).
For more information, see Add Agent Scan in the Tenable Security Center User Guide.
Credential Verification Scan Policy
A new scan policy template is available which enables several informational plugins that report on the success of provided host (Windows / Unix) credential pairs.
For more information, see the Tenable Research Release Highlight.

Asset Tag Tracking
For scans that go into IPv4 and IPv6 Repositories that are configured with Track hosts which have been issued new IP address, the tracking logic will now reflect the same behavior as Universal Repositories.
For more information, see Asset Tag Tracking in Tenable Security Center in the Tenable Security Center User Guide.
Asset Tags
Assets have been renamed to Asset Tags throughout Tenable Security Center.
For more information, see Asset Tags in the Tenable Security Center User Guide.
Labels
Object identifiers previously known as Tags have been renamed Labels throughout Tenable Security Center.
For more information, see Labels in the Tenable Security Center User Guide.
Scan Policies
You can now configure Advanced Network and Advanced Agent scan policies to not automatically add new plugin families as released by Tenable. The default configuration is to add new plugin families as they are released.
For more information, see Scan Policy Options in the Tenable Security Center User Guide.
Freeze Windows
Tenable Security Center can now configure IPs impacted by Freeze Windows during scanning to not result in a Partial scan. When enabled, scans will be marked as Complete and details of the Freeze Windows impacted will be available in the scan results. This functionality is disabled by default.
For more information, see Configuration Settings in the Tenable Security Center User Guide.
Log Correlation Engine (LCE)
For customers with no LCE currently configured, LCE functionality has been removed from the application. LCE was End of Life as of December 31, 2024.
For more information, see the Tenable Software Release Lifecycle Matrix.
Performance
Scan ingest and query performance have been refined through the application of advanced analysis tools, resulting in measurable improvements to overall system efficiency. In certain configurations, however, specific tasks may be subject to minor performance impacts when compared with prior Tenable Security Center releases.
PostgreSQL
Internal deployments of PostgreSQL have the following changes:
- Security baseline alignment to the Crunchy Data PostgreSQL STIG.
- Configuration changes based on resource allocation to Tenable Security Center for performance improvements.
Domain added to BeyondTrust SSH Credential
When integrating with the BeyondTrust Privileged Access Management (PAM) solution, SSH credentials now support the ‘Domain’ field.
VMware vCenter PAM Integration
The VMware vCenter API Credentials now support integration with a variety of PAM solutions.
For more information, see Miscellaneous in the Tenable Security Center User Guide.
Custom Red Hat Repository Mapping
Support for custom mapping to Red Hat repositories with Red Hat Local Security Checks.
For more information, see the Knowledge Base article.

Bug Fix | Defect ID |
---|---|
Fixed an issue where Blackberry UEM MDM synchronization sometimes fails and deletes repository data. | 01755514 |
Fixed an issue where Tenable matched host assets on the BIOS UUID when the BIOS UUID was set to "Not Settable." | 02008604 |
Fixed an issue where Tenable Security Center does not display Chinese characters for the check name in compliance scans. | 02131189 |
Updated the /analysis* endpoint API documentation to reflect the deprecated versions of queryID after support for the query object was added for the analysis endpoint. | 02134273 |
Fixed an issue where incorrect errors appeared in the Tenable Security Center logs. | 02134490, 02149457, 02229520 |
Reports attached to a scan now run regardless of the locked or inactive status of the user who owns the report. | 02141299 |
Fixed an issue where PDF reports did not adhere to the custom VPR range. | 02142999 |
Fixed an issue where the count in List Software did not match the count in the IP Summary. | 02147156 |
Fixed an issue where errors appeared upon navigating to the Dashboards page. | 02155001 |
Fixed an issue where the agentScan endpoint was returning incorrect policy IDs. | 02161232 |
You are now able to edit a user with the Security Manager role within the same group and permission set. | 02161723, 02182663 |
Implemented a fix to handle non-UTF-8 character encoding during the plugin sync to PostgreSQL, which prevents future data sync failures. | 02164188, 02294066 |
Fixed an issue where the CVE search function did not work after upgrading. | 02168285, 02297765 |
Fixed an issue where the Installed Software section under Host Asset Details was not populating properly for EC2 instances. | 02174775 |
Fixed an issue where Vulnerability Intelligence was not populating after upgrading. | 02184596 |
Fixed an issue where the IP address was null. | 02188018 |
Fixed an issue where, after you delete a report, scans fail validation when you edit them. | 02194214 |
The migration processing has been updated to disregard migration of policies that you have since removed. Upgrades will no longer fail for this reason. A log message displays identifying deprecated policies. You must revise existing scans that use a deprecated policy before you can execute the policy in the upgraded system. | 02194244 |
Fixed an issue where the new first user inherited the properties of the replaced first user. | 02194262 |
Resolved an encryption issue from the Tenable Security Center side. | 02194543, 02312791 |
Updated the help text to remove unsupported syntax. | 02201090 |
Fixed risk rule comment code when a host does not have an IP address. | 02204845 |
Fixed an issue where uploading a repository into an offline repository caused issues with compliance results. | 02214522 |
The Ping-Only Discovery Scan has been modified to complete the scan using only ICMP packets for scan target enumeration. | 02216271, 02235152, 02270983 |
Optimized the database query during asset updates to improve performance. | 02219689 |
For existing Agent scan policies that you created, when the feed adds new plugins, the plugins are not added to the existing Agent scan policy if they belong to a plugin family that is in the policy but not used for agent scans. | 02224527 |
Fixed an issue where Tenable Security Center plugins without CVSSv4 scores defaulted to CVSSv2 instead of CVSSv3. | 02227633, 02255924 |
Fixed an issue where a bad scan policy port range led to a scan crash loop. | 02240340 |
Updated the product user guide to specify how to configure MySQL. | 02242489 |
For existing Advanced Scan policies that you created, when the feed adds a new plugin family, the default action is to add and enable the new plugin family in the existing Advanced Scan policies. | 02254099 |
Added a fix for ranges in IP addresses. This fix applies only to smaller ranges. | 02255972, 02256722, 02257410, 02262127, 02262222, 02255994, 02262475, 02261355, 02263219, 02251602, 02261462, 02267667, 02277203, 02268992, 02286699, 02288915, 02282271, 02284511, 02297801, 02295825, 02322831, 02326086, 02327203, 02339046 |
Added an additional condition to verify DB2 import credentials. | 02265878 |
Fixed an issue where the sc-error.log file threw multiple errors in GroupLib.php. | 02267195 |
Fixed an issue where, in some circumstances, a vulnerability can exist as both cumulative and mitigated, which can result in the vulnerability being mitigated twice. | 02284504 |

- When you export Vulnerability Detail List data as a CSV file, there are options for adding the AES and ACR columns. This function is available only to Tenable Security Center+ licensed deployments. Using this feature with other licenses will not yield any output or error message.

For more information about the API changes for this release, see the Tenable Security Center API Changelog.

Filenames and MD5 or SHA-256 checksums are located on the Tenable Security Center Downloads page.

The following table lists the Tenable product versions tested with Tenable Security Center 6.7.0.
Product | Tested Version |
---|---|
Tenable Nessus | 10.5.0 and later |
OT Security | 3.16.0 and later |
Tenable Network Monitor | 6.2.0 and later |
For information about EOL dates and policies for Tenable products, see the Tenable Software Release Lifecycle Matrix and Policy.
Tenable Security Center Patch 202509.2.1 (2025-10-01)
Apply this patch to Tenable Security Center installations running the following versions:
- Tenable Security Center 6.6.0 or 6.5.1 on Oracle Linux 8 or later.
- Tenable Security Center 6.6.0 or 6.5.1 on Red Hat Enterprise Linux 8 or later.
- Tenable Security Center 6.4.x on CentOS 7 or later.
This patch updates SimpleSAML to version 2.4.0.
Note: This release includes a fix for a potential vulnerability. For more information, see the Tenable Product Security Advisory.
Note: If you upgrade Tenable Security Center after applying this patch, the upgrade may not complete as expected. Please see this Knowledge Base article for more information.
Note: After applying this patch, Tenable Security Center Diagnostics may report a PHP File Integrity Errors Detected warning. This can be ignored and will resolve itself after you upgrade Tenable Security Center to version 6.7.0.

Apply the patch to a standalone Tenable Security Center or Tenable Core + Tenable Security Center:
- Download the patch from the Tenable Security Center Downloads page to Tenable Security Center. You can save the files in any location (e.g., /tmp).
- Access the command line as a user with root-level permissions.
- Run the following command to untar the patch file, where [patch file name] is the name of the .tgz patch file you downloaded:
  tar zxf [patch file name]
- Run the following command to change the directory to the extracted directory, where [directory] is the extracted directory:
  cd [directory]
- Run the following command to begin the installation:
  sh ./install.sh
  The installation begins and Tenable Security Center stops.
- After the installation finishes, you must restart Tenable Security Center.
What to do next:
- (Optional) Confirm the patch successfully applied to Tenable Security Center, as described in the knowledge base article.

- install.sh
- SAMLConfig.php
- SAMLLib.php
- uninstall.sh

Filenames and MD5 or SHA-256 checksums are located on the Tenable Security Center Downloads page.
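The patch procedure above extracts and runs the archive with root-level permissions, and the Downloads page publishes a SHA-256 checksum for each file. The following added example (not Tenable's code) checks a downloaded archive against that published value and inspects its member paths before the tar zxf step; the function names and the constructed sample archive are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Tenable code: checks to run on a downloaded patch archive
# before "tar zxf" and "sh ./install.sh". Function names are illustrative.

# Print the lowercase hex SHA-256 digest of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_checksum FILE EXPECTED_SHA256
# Returns 0 on match, 1 on mismatch, 2 when the inputs are unusable.
verify_checksum() {
    vc_file=$1
    vc_want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$vc_file" ] || { echo "no such file: $vc_file" >&2; return 2; }
    # A SHA-256 digest is exactly 64 hex characters. Rejecting anything else
    # catches an empty variable or an MD5 value pasted by mistake.
    case $vc_want in
        ''|*[!0-9a-f]*) echo "expected digest is not hex" >&2; return 2 ;;
    esac
    [ "${#vc_want}" -eq 64 ] || { echo "expected digest is not SHA-256 length" >&2; return 2; }
    vc_got=$(sha256_of "$vc_file")
    [ "$vc_got" = "$vc_want" ] && return 0
    echo "checksum mismatch for $vc_file" >&2
    return 1
}

# members_safe: reads archive member names on stdin, one per line.
# Returns 1 if any name is absolute or has a ".." path component, because
# extracting such a member as root can write outside the target directory.
members_safe() {
    awk 'BEGIN { bad = 0 }
         /^\// { bad = 1 }
         { n = split($0, part, "/")
           for (i = 1; i <= n; i++) if (part[i] == "..") bad = 1 }
         END { exit bad }'
}

# check_patch FILE EXPECTED_SHA256
# Verifies the digest first, then lists (does not extract) the archive.
check_patch() {
    verify_checksum "$1" "$2" || return 1
    cp_names=$(tar tzf "$1") || { echo "not a readable .tgz: $1" >&2; return 1; }
    printf '%s\n' "$cp_names" | members_safe || { echo "unsafe member path in $1" >&2; return 1; }
    return 0
}

# make_sample_patch DIR: builds a constructed archive (a directory holding an
# install.sh, as in the file lists on this page) and prints its path.
make_sample_patch() {
    mkdir -p "$1/SC-patch-sample"
    printf '#!/bin/sh\necho "constructed installer"\n' > "$1/SC-patch-sample/install.sh"
    tar czf "$1/SC-patch-sample.tgz" -C "$1" SC-patch-sample
    printf '%s\n' "$1/SC-patch-sample.tgz"
}

# Real use, with the value copied from the Downloads page:
#   check_patch [patch file name] "<SHA-256 from the Downloads page>" && tar zxf [patch file name]
# Offline demonstration on the constructed archive: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    demo_tgz=$(make_sample_patch "$demo_dir")
    check_patch "$demo_tgz" "$(sha256_of "$demo_tgz")" && echo "demo archive passed both checks"
    rm -rf "$demo_dir"
fi
```

Copy the expected digest from the Downloads page over a separate trusted session rather than from the same location as the archive, so that a tampered file and a tampered checksum cannot arrive together.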
Tenable Security Center Patch 202509.1 (2025-09-25)
Apply this patch to Tenable Security Center installations running the following versions:
- Tenable Security Center 6.6.0 or 6.5.1 on Oracle Linux 8 or later.
- Tenable Security Center 6.6.0 or 6.5.1 on Red Hat Enterprise Linux 8 or later.
This patch updates PostgreSQL to version 16.10.
Note: This release includes a fix for a potential vulnerability. For more information, see the Tenable Product Security Advisory.

Apply the patch to a standalone Tenable Security Center or Tenable Core + Tenable Security Center:
- Download the patch from the Tenable Security Center Downloads page to Tenable Security Center. You can save the files in any location (e.g., /tmp).
- Access the command line as a user with root-level permissions.
- Run the following command to untar the patch file, where [patch file name] is the name of the .tgz patch file you downloaded:
  tar zxf [patch file name]
- Run the following command to change the directory to the extracted directory, where [directory] is the extracted directory:
  cd [directory]
- Run the following command to begin the installation:
  sh ./install.sh
  The installation begins and Tenable Security Center stops.
- After the installation finishes, you must restart Tenable Security Center.
What to do next:
- (Optional) Confirm the patch successfully applied to Tenable Security Center, as described in the knowledge base article.

- install.sh
- pg_ctl
- postgres
- psql

Filenames and MD5 or SHA-256 checksums are located on the Tenable Security Center Downloads page.
Tenable Security Center Patch 202508.1-6.6.0 (2025-08-28)
Apply this patch to Tenable Security Center installations running version 6.6.0. This patch updates the following:
- SQLite to version 3.50.3.
- Apache HTTP server to version 2.4.64.
- PHP to version 8.2.29.
Note: This release includes a fix for a potential vulnerability. For more information, see the Tenable Product Security Advisory.

Apply the patch to a standalone Tenable Security Center or Tenable Core + Tenable Security Center:
- Download the patch from the Tenable Security Center Downloads page to Tenable Security Center. You can save the files in any location (e.g., /tmp).
- Access the command line as a user with root-level permissions.
- Run the following command to untar the patch file, where [patch file name] is the name of the .tgz patch file you downloaded:
  tar zxf [patch file name]
- Run the following command to change the directory to the extracted directory, where [directory] is the extracted directory:
  cd [directory]
- Run the following command to begin the installation:
  sh ./install.sh
  The installation begins and Tenable Security Center stops.
- After the installation finishes, you must restart Tenable Security Center.
What to do next:
- (Optional) Confirm the patch successfully applied to Tenable Security Center, as described in the knowledge base article.

- httpd
- php
- sqlite3
- install.sh

Filenames and MD5 or SHA-256 checksums are located on the Tenable Security Center Downloads page.
Tenable Security Center Patch 202508.1-6.5.1 (2025-08-28)
Apply this patch to Tenable Security Center installations running version 6.5.1. This patch updates the following:
- SQLite to version 3.50.3.
- Apache HTTP server to version 2.4.64.
- PHP to version 8.2.29.
Note: This release includes a fix for a potential vulnerability. For more information, see the Tenable Product Security Advisory.

Apply the patch to a standalone Tenable Security Center or Tenable Core + Tenable Security Center:
- Download the patch from the Tenable Security Center Downloads page to Tenable Security Center. You can save the files in any location (e.g., /tmp).
- Access the command line as a user with root-level permissions.
- Run the following command to untar the patch file, where [patch file name] is the name of the .tgz patch file you downloaded:
  tar zxf [patch file name]
- Run the following command to change the directory to the extracted directory, where [directory] is the extracted directory:
  cd [directory]
- Run the following command to begin the installation:
  sh ./install.sh
  The installation begins and Tenable Security Center stops.
- After the installation finishes, you must restart Tenable Security Center.
What to do next:
- (Optional) Confirm the patch successfully applied to Tenable Security Center, as described in the knowledge base article.

- httpd
- php
- sqlite3
- install.sh

Filenames and MD5 or SHA-256 checksums are located on the Tenable Security Center Downloads page.
Tenable Security Center Patch 202508.1-6.4.5 (2025-08-28)
Apply this patch to Tenable Security Center installations running version 6.4.5. This patch updates the following:
- SQLite to version 3.50.3.
- Apache HTTP server to version 2.4.64.
- PHP to version 8.2.29.
Note: This release includes a fix for a potential vulnerability. For more information, see the Tenable Product Security Advisory.

Apply the patch to a standalone Tenable Security Center or Tenable Core + Tenable Security Center:
- Download the patch from the Tenable Security Center Downloads page to Tenable Security Center. You can save the files in any location (e.g., /tmp).
- Access the command line as a user with root-level permissions.
- Run the following command to untar the patch file, where [patch file name] is the name of the .tgz patch file you downloaded:
  tar zxf [patch file name]
- Run the following command to change the directory to the extracted directory, where [directory] is the extracted directory:
  cd [directory]
- Run the following command to begin the installation:
  sh ./install.sh
  The installation begins and Tenable Security Center stops.
- After the installation finishes, you must restart Tenable Security Center.
What to do next:
- (Optional) Confirm the patch successfully applied to Tenable Security Center, as described in the knowledge base article.

- httpd
- php
- sqlite3
- install.sh

Filenames and MD5 or SHA-256 checksums are located on the Tenable Security Center Downloads page.
Tenable Security Center Patch 202508.1-6.4.0 (2025-08-28)
Apply this patch to Tenable Security Center installations running version 6.4.0. This patch updates the following:
- SQLite to version 3.50.3.
- Apache HTTP server to version 2.4.64.
- PHP to version 8.2.29.
Note: This release includes a fix for a potential vulnerability. For more information, see the Tenable Product Security Advisory.

Apply the patch to a standalone Tenable Security Center or Tenable Core + Tenable Security Center:
- Download the patch from the Tenable Security Center Downloads page to Tenable Security Center. You can save the files in any location (e.g., /tmp).
- Access the command line as a user with root-level permissions.
- Run the following command to untar the patch file, where [patch file name] is the name of the .tgz patch file you downloaded:
  tar zxf [patch file name]
- Run the following command to change the directory to the extracted directory, where [directory] is the extracted directory:
  cd [directory]
- Run the following command to begin the installation:
  sh ./install.sh
  The installation begins and Tenable Security Center stops.
- After the installation finishes, you must restart Tenable Security Center.
What to do next:
- (Optional) Confirm the patch successfully applied to Tenable Security Center, as described in the knowledge base article.

- httpd
- php
- sqlite3
- install.sh

Filenames and MD5 or SHA-256 checksums are located on the Tenable Security Center Downloads page.
Tenable Security Center Patch 202506.1-6.5.1 (2025-06-30)
Apply this patch to Tenable Security Center installations running version 6.5.1. This patch updates ua-parser-js to version 0.7.40.
If you are running Tenable Security Center 6.5.0, you must upgrade to 6.5.1 before applying this patch.
Note: This release includes a fix for a potential vulnerability. For more information, see the Tenable Product Security Advisory.

Apply the patch to a standalone Tenable Security Center or Tenable Core + Tenable Security Center:
- Download the patch from the Tenable Security Center Downloads page to Tenable Security Center. You can save the files in any location (e.g., /tmp).
- Access the command line as a user with root-level permissions.
- Run the following command to untar the patch file, where [patch file name] is the name of the .tgz patch file you downloaded:
  tar zxf [patch file name]
- Run the following command to change the directory to the extracted directory, where [directory] is the extracted directory:
  cd [directory]
- Run the following command to begin the installation:
  sh ./install.sh
  The installation begins and Tenable Security Center stops.
- After the installation finishes, you must restart Tenable Security Center.
What to do next:
- (Optional) Confirm the patch successfully applied to Tenable Security Center, as described in the knowledge base article.

- html
- install.sh

Filenames and MD5 or SHA-256 checksums are located on the Tenable Security Center Downloads page.
Tenable Security Center Patch 202506.1-6.4.5 (2025-06-30)
Apply this patch to Tenable Security Center installations running version 6.4.5. This patch updates ua-parser-js to version 0.7.40.
Note: This release includes a fix for a potential vulnerability. For more information, see the Tenable Product Security Advisory.

Apply the patch to a standalone Tenable Security Center or Tenable Core + Tenable Security Center:
- Download the patch from the Tenable Security Center Downloads page to Tenable Security Center. You can save the files in any location (e.g., /tmp).
- Access the command line as a user with root-level permissions.
- Run the following command to untar the patch file, where [patch file name] is the name of the .tgz patch file you downloaded:
  tar zxf [patch file name]
- Run the following command to change the directory to the extracted directory, where [directory] is the extracted directory:
  cd [directory]
- Run the following command to begin the installation:
  sh ./install.sh
  The installation begins and Tenable Security Center stops.
- After the installation finishes, you must restart Tenable Security Center.
What to do next:
- (Optional) Confirm the patch successfully applied to Tenable Security Center, as described in the knowledge base article.

- html
- install.sh

Filenames and MD5 or SHA-256 checksums are located on the Tenable Security Center Downloads page.
Tenable Security Center Patch 202506.1-6.4.0 (2025-06-30)
Apply this patch to Tenable Security Center installations running version 6.4.0. This patch updates ua-parser-js to version 0.7.40.
Note: This release includes a fix for a potential vulnerability. For more information, see the Tenable Product Security Advisory.

Apply the patch to a standalone Tenable Security Center or Tenable Core + Tenable Security Center:
- Download the patch from the Tenable Security Center Downloads page to Tenable Security Center. You can save the files in any location (e.g., /tmp).
- Access the command line as a user with root-level permissions.
- Run the following command to untar the patch file, where [patch file name] is the name of the .tgz patch file you downloaded:
  tar zxf [patch file name]
- Run the following command to change the directory to the extracted directory, where [directory] is the extracted directory:
  cd [directory]
- Run the following command to begin the installation:
  sh ./install.sh
  The installation begins and Tenable Security Center stops.
- After the installation finishes, you must restart Tenable Security Center.
What to do next:
- (Optional) Confirm the patch successfully applied to Tenable Security Center, as described in the knowledge base article.

- html
- install.sh

Filenames and MD5 or SHA-256 checksums are located on the Tenable Security Center Downloads page.
Tenable Security Center Patch 202505.1-6.5.1 (2025-05-28)
Apply this patch to Tenable Security Center installations running version 6.5.1. This patch updates SQLite to version 3.49.1.
If you are running Tenable Security Center 6.5.0, you must upgrade to 6.5.1 before applying this patch.
Note: This release includes a fix for a potential vulnerability. For more information, see the Tenable Product Security Advisory.

Apply the patch to a standalone Tenable Security Center or Tenable Core + Tenable Security Center:
- Download the patch from the Tenable Security Center Downloads page to Tenable Security Center. You can save the files in any location (e.g., /tmp).
- Access the command line as a user with root-level permissions.
- Run the following command to untar the patch file, where [patch file name] is the name of the .tgz patch file you downloaded:
  tar zxf [patch file name]
- Run the following command to change the directory to the extracted directory, where [directory] is the extracted directory:
  cd [directory]
- Run the following command to begin the installation:
  sh ./install.sh
  The installation begins and Tenable Security Center stops.
- After the installation finishes, you must restart Tenable Security Center.
What to do next:
- (Optional) Confirm the patch successfully applied to Tenable Security Center, as described in the knowledge base article.

- install.sh
- sqlite3

Filenames and MD5 or SHA-256 checksums are located on the Tenable Security Center Downloads page.
Tenable Security Center Patch 202505.1-6.4.x (2025-05-28)
Apply this patch to Tenable Security Center installations running versions 6.4.0 and 6.4.5. This patch updates SQLite to version 3.49.1.
Note: This release includes a fix for a potential vulnerability. For more information, see the Tenable Product Security Advisory.

Apply the patch to a standalone Tenable Security Center or Tenable Core + Tenable Security Center:
- Download the patch from the Tenable Security Center Downloads page to Tenable Security Center. You can save the files in any location (e.g., /tmp).
- Access the command line as a user with root-level permissions.
- Run the following command to untar the patch file, where [patch file name] is the name of the .tgz patch file you downloaded:
  tar zxf [patch file name]
- Run the following command to change the directory to the extracted directory, where [directory] is the extracted directory:
  cd [directory]
- Run the following command to begin the installation:
  sh ./install.sh
  The installation begins and Tenable Security Center stops.
- After the installation finishes, you must restart Tenable Security Center.
What to do next:
- (Optional) Confirm the patch successfully applied to Tenable Security Center, as described in the knowledge base article.

- install.sh
- sqlite3

Filenames and MD5 or SHA-256 checksums are located on the Tenable Security Center Downloads page.
Tenable Security Center 6.6.0 Release Notes (2025-05-06)
You can download the update files from the Tenable Security Center Downloads page.
Note: This release includes a fix for a potential vulnerability. For more information, see the Tenable Product Security Advisory.
Note: If you have more than 10,000 active IPs and you upgrade to Tenable Security Center 6.6.0 from version 6.2.1 or earlier, you must update some values in the Apache configuration file as part of the upgrade process. For more information, see Update the Apache Configuration File in the Tenable Security Center User Guide.

Note: If you are running an external PostgreSQL database, it must be running and reachable before you upgrade to Tenable Security Center 6.6.0. Failure to do so will result in a failed upgrade of Tenable Security Center, even if the upgrade appears to succeed. If this occurs, you can restore the database with a preexisting backup file. Otherwise, you will need to contact your customer support representative to resolve the issue.
Note: Tenable Security Center 6.6.0 supports direct upgrades from 6.3.0 and later on the same operating system.
- Tenable recommends performing a backup before upgrading Tenable Security Center. For more information, see Perform a Backup in the Tenable Security Center User Guide.
- When you upgrade to Tenable Security Center 6.6.0, verify that your Nessus plugins have been updated within the last 30 days.
- If you upgrade Tenable Security Center Director, upgrade all managed Tenable Security Center instances connected to Tenable Security Center Director. After upgrading, allow up to 15 minutes for your managed Tenable Security Center instances to sync with Tenable Security Center Director.
- When you upgrade to Tenable Security Center 6.6.0 with a tiered setup using remote or offline universal repositories, use the following steps:
  - Upgrade the child Tenable Security Center console that has the source repository to Tenable Security Center 6.6.0.
  - Sync the remote repository.
  - After the sync completes, upgrade the parent Tenable Security Center console to version 6.6.0.
  For more information, see the Knowledge Base article.
- If you are running Tenable Security Center 6.6.0 and you are using pyTenable with the Tenable Security Center API, you must upgrade pyTenable to version 1.4.2 or later.
- If your upgrade path skips versions of Tenable Security Center (for example, upgrading from 6.1.0 to 6.4.5 to 6.6.0), Tenable recommends reviewing the release notes for all skipped versions. You may need to update your configurations because of features and functionality added in skipped versions.

Plugin Attachments for Tenable Nessus and Tenable Agent Scans
Plugin attachments for Tenable Nessus and Tenable Agent scans are now available under Analysis > Vulnerabilities > Vulnerability Detail List view, on the right side. Attachments are available for certain plugins, generally informational findings, to provide additional data that may not be easily displayed in the plugin output.
An Administrator can enable this setting, under Settings > Configuration > Miscellaneous > Import Additional Scan Data.
Note: Scan attachments will use additional storage. Plugin attachments are not yet supported for manually uploaded scan results or scans run via Tenable Vulnerability Management.
SC License by UUID
Intended for air-gapped or restricted environments, Tenable Security Center can now be licensed by a UUID, as opposed to the hostname of the OS where Tenable Security Center is installed.
For more information, see Licenses in the Tenable Security Center User Guide.

Triggered Agent Scans
You can now configure agent scans in Tenable Security Center to run on a scheduled interval, or run when triggered by a file added to the agent trigger directory.
For more information, see Agent Scan Settings in the Tenable Security Center User Guide.
Dark Mode Enhancements
You can now toggle Dark Mode in the top navigation in Tenable Security Center. You can also enable Dark Mode to follow the OS settings.
For more information, see User Account Options in the Tenable Security Center User Guide.
Vulnerability Text and Plugin Output Fields
Under Analysis > Vulnerabilities, the Vulnerability Text filter has been renamed to Plugin Output. This also impacts this filter when editing Dashboards, Assurance Report Cards, Queries, Reports and any other filter that makes use of this field.
Under Assets > Assets, the Plugin Text filter in Dynamic Asset rules has been renamed to Plugin Output.
Under Analysis > Vulnerabilities > Vulnerability Detail List, the Output section has been renamed to Plugin Output.
This is a GUI-only change for consistency; there is no impact to the API or functionality.
CVE Links in Vulnerability Detail List
Under Analysis > Vulnerabilities > Vulnerability Detail List, the CVE links in the Reference Information section now point to the internal Tenable Security Center CVE Search, as opposed to the NIST National Vulnerability Database.
Vulnerability Intelligence and CVE Search Enhancements
VPR Key Drivers under specific CVE results have been moved from the Scores tab to the right menu.
The Plugins tab under specific CVE results is now available to Perpetual customers.
In the How does this affect me? section for specific CVE results, you can now navigate directly to the Analysis > Vulnerabilities view, focused on the IP Summary of the affected assets for that CVE.
Remediation Scan Workflow Enhancements
When you run a remediation scan from the Vulnerability Summary view, there is additional context around scan scope.
Scan Import and Job Queue Improvements
There have been changes to the Tenable Security Center job queue and how scans are imported to improve import times and reduce overall system load.
External PostgreSQL Enhancements
There is now TLS support for connecting to an external PostgreSQL database for Tenable Security Center data.
Tenable Security Center supports PostgreSQL versions 13 through 17.
Tenable Security Center now supports customer-created databases. You no longer need the DBcreate permission.

Bug Fix | Defect ID |
---|---|
Fixed a minor issue that added extra empty rows to the CSV export file of report types; empty checks now prevent them. | 02179284,02181096,02202385,02198673 |
Tenable Security Center Vulnerability Intelligence vulnerability results now honor the asset permissions of the group to which the user is assigned. | 02163477,02171177,02166294,02185544,02192858 |
Removed the copy vulns job from the dependency chain so import-related jobs no longer need to wait for it to finish. | 02161769,02177717,02188018 |
Resolved the permission problem associated with custom roles. | 02147029 |
The fixFileOwnerGroupPerms script has been revised to address file permissions for softwareUpdates.db. | 02121278 |
The value of the agentGroups parameter in the agentScan API documentation has been revised. | 02134358 |
Updated the Tenable Security Center API documentation with details for CyberArk credentials. | 02124353 |
Fixed issues with Feed update. | 02122846,02135032 |
Fixed an issue where the absence of specific key values in the agentScan results led to continuous growth of the sc-error.log file. | 02067270 |
Fixed handling of use cases where a tag is a number. | 02059445,02069806,02074792,02109553,02194695 |

- Customers may encounter warnings in the logs when uploading custom plugins, indicating that certain files could not be loaded. These warnings are normal and can be ignored as Tenable Security Center only executes these plugins locally to extract metadata about the custom plugins.
- Tenable Enclave Security customers: During a Tenable Security Center migration or upgrade, some tasks, such as feed and plugin updates, may be removed from the job queue if they were running at the time. This is normal and nothing to be concerned about, as these tasks will run again eventually as they are scheduled jobs.

For more information about the API changes for this release, see the Tenable Security Center API Changelog.

Filenames and MD5 or SHA-256 checksums are located on the Tenable Security Center Downloads page.

Note: 6.6.0 is the last release of Tenable Security Center on Kubernetes. Customers will be required to migrate to Tenable Security Center on Tenable Enclave Security, which is a Kubernetes-based platform. Please contact your Tenable representative for more details.
The following table lists the Tenable product versions tested with Tenable Security Center 6.6.0.
Product | Tested Version |
---|---|
Tenable Nessus | 8.9.0 and later |
OT Security | 3.9.25 and later |
Tenable Network Monitor | 5.11.0 and later |
For information about EOL dates and policies for Tenable products, see the Tenable Software Release Lifecycle Matrix and Policy.
Tenable Security Center Patch 202504.3 (2025-04-21)
Apply this patch to Tenable Security Center installations running version 6.5.1. This patch updates PostgreSQL to version 16.8.
If you are running Tenable Security Center 6.5.0, you must upgrade to 6.5.1 before applying this patch.
Note: This release includes a fix for a potential vulnerability. For more information, see the Tenable Product Security Advisory.

Apply the patch to a standalone Tenable Security Center or Tenable Core + Tenable Security Center:
- Download the patch from the Tenable Security Center Downloads page to Tenable Security Center. You can save the files in any location (e.g., /tmp).
- Access the command line as a user with root-level permissions.
- Run the following command to untar the patch file, where [patch file name] is the name of the .tgz patch file you downloaded:
  tar zxf [patch file name]
- Run the following command to change the directory to the extracted directory, where [directory] is the extracted directory:
  cd [directory]
- Run the following command to begin the installation:
  sh ./install.sh
  The installation begins and Tenable Security Center stops.
- After the installation finishes, you must restart Tenable Security Center.
What to do next:
- (Optional) Confirm the patch successfully applied to Tenable Security Center, as described in the knowledge base article.

- install.sh
- pg_ctl
- postgres
- psql

Filenames and MD5 or SHA-256 checksums are located on the Tenable Security Center Downloads page.
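
The patch procedure above runs install.sh as root from a downloaded archive, and the Downloads page publishes checksums for it. The following is an added example (not Tenable's tooling) of checking the archive's SHA-256 and its member paths before the tar zxf step; the function names and script name are hypothetical, and the expected checksum must be copied from the Downloads page.

```shell
#!/bin/sh
# Added example, not Tenable's tooling: pre-flight checks before
# `tar zxf` and `sh ./install.sh`. Function names are hypothetical;
# the expected SHA-256 value comes from the Downloads page.

# sha256_matches FILE EXPECTED: succeed only if EXPECTED is a 64-hex-digit
# SHA-256 value and equals the digest of FILE (case-insensitive compare).
sha256_matches() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "${#expected}" -eq 64 ] || return 2
    case "$expected" in *[!0-9a-f]*) return 2 ;; esac
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# member_paths_safe: read archive member names on stdin; fail on an absolute
# path or any ".." component, which could land outside the extraction directory.
member_paths_safe() {
    while IFS= read -r member; do
        case "$member" in
            /*|..|../*|*/..|*/../*) return 1 ;;
        esac
    done
    return 0
}

# verify_and_extract FILE EXPECTED DESTDIR: extract only after both checks pass.
verify_and_extract() {
    sha256_matches "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
    listing=$(tar tzf "$1") || { echo "unreadable archive: $1" >&2; return 1; }
    printf '%s\n' "$listing" | member_paths_safe ||
        { echo "unsafe member path in $1" >&2; return 1; }
    mkdir -p "$3" && tar zxf "$1" -C "$3"
}

# Usage: sh verify_patch.sh PATCH.tgz SHA256_FROM_DOWNLOADS_PAGE /tmp/sc-patch
if [ "$#" -eq 3 ]; then
    verify_and_extract "$1" "$2" "$3"
fi
```

Nothing is extracted when either check fails, so install.sh is never run as root from an archive that does not match the published checksum.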
Tenable Security Center Patch 202504.2-6.x (2025-04-16)
Apply this patch to Tenable Security Center installations running versions 6.3.x, 6.4.x, or 6.5.x.
This patch updates the following:
- libcurl to version 8.12.1.
- PHP to version 8.2.28.
- OpenSSL to version 3.0.16.
Note: This release includes a fix for a potential vulnerability. For more information, see the Tenable Product Security Advisory.

Apply the patch to a standalone Tenable Security Center or Tenable Core + Tenable Security Center:
- Download the patch from the Tenable Security Center Downloads page to Tenable Security Center. You can save the files in any location (e.g., /tmp).
- Access the command line as a user with root-level permissions.
- Run the following command to untar the patch file, where [patch file name] is the name of the .tgz patch file you downloaded:
  tar zxf [patch file name]
- Run the following command to change the directory to the extracted directory, where [directory] is the extracted directory:
  cd [directory]
- Run the following command to begin the installation:
  sh ./install.sh
  The installation begins and Tenable Security Center stops.
- After the installation finishes, you must restart Tenable Security Center.
What to do next:
- (Optional) Confirm the patch successfully applied to Tenable Security Center, as described in the knowledge base article.

- install.sh
- libcrypto.a
- libcrypto.so
- libcrypto.so.3
- libcurl.a
- libcurl.la
- libcurl.so.4.8.0
- libssl.so
- libssl.so.3
- openssl
- php

Filenames and MD5 or SHA-256 checksums are located on the Tenable Security Center Downloads page.
Tenable Security Center Patch 202503.1-6.4.x-6.5.x (2025-03-07)
Apply this patch to Tenable Security Center installations running versions 6.4.0, 6.4.5, 6.5.0, or 6.5.1.
This patch runs a script that removes the following files to resolve an issue with scan zones:
- /opt/sc/src/Utility.php
- /opt/sc/src/IPListLib.php

Apply this patch if you previously applied Tenable Security Center Patch 202412.1-6.3.x (2024-12-20) and subsequently upgraded to a more recent version of Tenable Security Center.
If you previously applied the 202412.1-6.3.x patch and did not upgrade to a more recent version of Tenable Security Center, download and apply the 202412.1-6.3.x patch again.
If you did not apply patch 202412.1-6.3.x, then you do not need to apply patch 202503.1-6.4.x-6.5.x.
Note: To determine whether you applied patch 202412.1-6.3.x, on the System Logs page in Tenable Security Center, search for Patch SC-202412.1-6.3.x.

Note: If you have already enabled updates through the Tenable Security Center feed, this patch will be applied automatically.
To enable updates through the Tenable Security Center feed:
- Log in to Tenable Security Center as an Administrator.
- In the left navigation, click System > Configuration.
  The Configuration page appears.
- Click the Plugins/Feed tile.
  The Plugins/Feed Configuration page appears.
- On the Plugins/Feed Configuration page, in the Tenable Security Center Software Updates section, enable the Enable Updates Through the Tenable Security Center Feed option.
  During the next scheduled feed update, Tenable Security Center applies the patch. In the Available Software Updates table, a timestamp appears in the row for the patch in the Last Updated column.
  -or-
  On the Plugins/Feed Configuration page, in the Available Software Updates section, select the patch in the table and click Install Now.
  Tenable Security Center applies the patch. In the Available Software Updates table, a timestamp appears in the row for the patch in the Last Updated column.
- After the installation finishes, you must restart Tenable Security Center.

Apply the patch to a standalone Tenable Security Center or Tenable Core + Tenable Security Center:
- Download the patch from the Tenable Security Center Downloads page to Tenable Security Center. You can save the files in any location (e.g., /tmp).
- Access the command line as a user with root-level permissions.
- Run the following command to untar the patch file, where [patch file name] is the name of the .tgz patch file you downloaded:
  tar zxf [patch file name]
- Run the following command to change the directory to the extracted directory, where [directory] is the extracted directory:
  cd [directory]
- Run the following command to begin the installation:
  sh ./install.sh
  The installation begins and Tenable Security Center stops.
- After the installation finishes, you must restart Tenable Security Center.
What to do next:
- (Optional) Confirm the patch successfully applied to Tenable Security Center, as described in the knowledge base article.

- install.sh
- patch.manifest

Filenames and MD5 or SHA-256 checksums are located on the Tenable Security Center Downloads page.
Tenable Security Center Patch 202502.1 (2025-02-11)
Apply this patch to Tenable Security Center installations running version 6.5.1. This patch fixes issues with agent synchronization job speed.

Apply the patch to a standalone Tenable Security Center or Tenable Core + Tenable Security Center:
- Download the patch from the Tenable Security Center Downloads page to Tenable Security Center. You can save the files in any location (e.g., /tmp).
- Access the command line as a user with root-level permissions.
- Run the following command to untar the patch file, where [patch file name] is the name of the .tgz patch file you downloaded:
  tar zxf [patch file name]
- Run the following command to change the directory to the extracted directory, where [directory] is the extracted directory:
  cd [directory]
- Run the following command to begin the installation:
  sh ./install.sh
  The installation begins and Tenable Security Center stops. After the installation finishes, Tenable Security Center automatically restarts.
  Note: If Tenable Security Center does not automatically restart, then you may need to restart Tenable Security Center manually.
What to do next:
- (Optional) Confirm the patch successfully applied to Tenable Security Center, as described in the knowledge base article.

- Base.php
- install.sh

Filenames and MD5 or SHA-256 checksums are located on the Tenable Security Center Downloads page.