2026.06


Features & Enhancements

Personalized Rapid Response Guidance

Our redesigned Rapid Response capability cuts through the noise of emerging security advisories by identifying which active CVEs (Common Vulnerabilities and Exposures) and Horizon3.ai-identified weaknesses pose an exploitability risk to your specific environment and assets. This release introduces a comprehensive remediation and verification workflow:

  • Personalized insights defining your organization's risk exposure to each escalated threat.
  • A dedicated advisory page for each threat, with full visibility into assets classified as Exploitable, Potentially Relevant, and Not Exploitable.
  • Proactive offensive tests on external assets (for opted-in customers).
  • Actionable, personalized remediation guidance, with embedded workflows to assign and verify fixes.

Real-Time View (RTV) Redesign

The Real-Time View (RTV) of ongoing pentests has been redesigned to help SOCs (Security Operations Centers) distinguish and deconflict benign NodeZero scanning operations from active, hostile attacks:

  • Action Log Timeline – A graphical event display featuring an adjustable time-span window.
  • Event Metadata Table – Advanced filtering controls, enabling security teams to search by Target Entity, Module, and event ID to correlate with alerts in their security tools.
  • Granular Event Logs – Raw event logs exported in OCSF (Open Cybersecurity Schema Framework) format for easy copying and local investigation.

External Pentesting

External Pentesting has been rebuilt around discovering, scoping, authorizing, and testing external attack surfaces at larger scale.

  • Replaced the legacy Asset Groups model with reusable Scopes, while keeping legacy Asset Groups available.
  • Added External Assets v2, which combines domain, Internet Protocol (IP) address, and test status information in a unified view.
  • Added bulk asset management for 10,000 to 100,000+ assets.
  • Added support for bulk-uploading CSV (Comma-Separated Values) or plain-text files containing asset information.
  • Added support for tagging third-party infrastructure so it cannot be tested.
  • Added support for bulk-authorizing owned assets, and for launching pentests against all authorized assets by default.
  • Added direct loading support for large Classless Inter-Domain Routing (CIDR) ranges from /16 through /32.
  • Adjusted domain-name validation to prevent authorization behavior that could incorrectly block legitimate domains.

MSP Client & License Management

  • MSP Client Product Management – Parent Managed Service Provider (MSP) accounts can now retrieve and configure asset toggles, enforcement values, and contracted asset counts across Clients, both in backend systems and in the frontend license-management views.
  • Product Selection Drawer – Moved product add-on toggles (including Tripwires, Rapid Response, and Risk-Based Vulnerability Management (RBVM)) to a dedicated Products submenu in the Update Client drawer.
  • Sankey Diagram Visual Enhancements – Improved the visualization quality and structure of Sankey diagrams to provide clearer mapping of credential flows.
  • Runner Template Query Improvements – Enhanced back-end template queries to increase performance and reliability when rendering custom scan templates.
  • Entitlement Access Controls – Implemented read-only entitlement states for Campaigns, Perspectives, and Vulnerability Management pages to support restricted access roles.
  • Maximum Runtime Configuration – Updated the Max Runtime setting to represent absolute wall clock time.
  • Quick Filters – Implemented quick filters and badge replacements for more streamlined data sorting and navigation.

Portal & Workflow Improvements

  • Added a new Executive Summary Segmentation (PDF) Report.

Tripwires

  • Improved the robustness of mounting AD (Active Directory) agent service account credentials.
  • Improved credential validation reliability when both Server Message Block (SMB) and Secure Shell (SSH) services are present.

New Attack Content

  • Starlette and LiteLLM Unauthenticated Remote Code Execution (CVE-2026-48710 and CVE-2026-42271) – Released targeted testing for a critical exploit chain (known as BadHost) where an authentication bypass in the Starlette Asynchronous Server Gateway Interface (ASGI) framework is combined with a command injection flaw in LiteLLM Model Context Protocol (MCP) server preview endpoints, allowing unauthenticated remote attackers to execute arbitrary operating system commands and access sensitive Large Language Model (LLM) API keys.
  • Apache Solr Basic Authentication Hardcoded Credentials (CVE-2026-44825) – Released targeted testing for a vulnerability in Apache Solr where hardcoded default credentials are silently installed in the basic authentication setup tool, allowing remote attackers to gain full administrative access to the Solr cluster.
  • Palo Alto Networks PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) – Added targeted testing for an authentication bypass vulnerability in Palo Alto Networks PAN-OS GlobalProtect portal and gateway configurations, which allows remote, unauthenticated attackers to bypass security restrictions and establish unauthorized Virtual Private Network (VPN) sessions.
  • Nginx UI Unauthenticated Backup Disclosure (CVE-2026-27944) – Added coverage for a vulnerability in Nginx UI where an unauthenticated backup endpoint exposes sensitive system backup archives along with the encryption keys required to decrypt them, risking exposure of user credentials, session tokens, and Secure Sockets Layer (SSL) private keys.
  • Progress Kemp LoadMaster Command Injection (CVE-2024-7591) – Added a targeted test for an improper input validation vulnerability in Progress Kemp LoadMaster, which allows unauthenticated remote attackers to execute arbitrary operating system commands via crafted HTTP requests.
  • Ivanti Sentry Operating System Command Injection (CVE-2026-10520) – Released targeted testing for a critical command injection vulnerability in Ivanti Sentry that allows unauthenticated remote attackers to execute arbitrary operating system commands with root-level privileges.
  • Oracle PeopleSoft Enterprise PeopleTools Remote Code Execution (CVE-2026-35273) – Added coverage for a critical, unauthenticated remote code execution vulnerability in the Updates Environment Management component of Oracle PeopleSoft Enterprise PeopleTools, which can allow an unauthenticated attacker to take complete control of affected systems over HTTP.
  • Check Point Remote Access VPN Authentication Bypass (CVE-2026-50751) – Released a targeted test for an authentication bypass vulnerability in Check Point Remote Access VPN and Mobile Access services using deprecated IKEv1 key exchange, which allows unauthenticated remote attackers to establish VPN sessions without providing a valid password.
  • SimpleHelp OpenID Connect Authentication Bypass (CVE-2026-48558) – Added coverage for a critical authentication bypass vulnerability in SimpleHelp remote support and monitoring software where improper OpenID Connect (OIDC) token validation allows unauthenticated attackers to forge identity tokens and gain unauthorized technician sessions with full administrative access.
  • Splunk Enterprise PostgreSQL Sidecar Service Arbitrary File Write (CVE-2026-20253) – Released targeted testing for a critical missing authentication vulnerability in the PostgreSQL sidecar service endpoint of Splunk Enterprise and Splunk Cloud Platform, which allows unauthenticated remote attackers to perform arbitrary file creation or truncation operations.
  • Cisco Unified Communications Manager Server-Side Request Forgery (CVE-2026-20230) – Added targeted testing for a critical server-side request forgery (SSRF) vulnerability in the Cisco Unified Communications Manager WebDialer service, which allows remote, unauthenticated attackers to execute arbitrary requests and write files to the underlying operating system.
  • Squid Proxy Heap Buffer Overread (CVE-2026-47729) – Released targeted testing for a heap buffer overread vulnerability (known as Squidbleed) in the File Transfer Protocol (FTP) directory-listing parser of Squid Web Proxy, which allows attackers to coerce the proxy into reading adjacent heap memory and disclosing sensitive data, including cleartext HTTP credentials and session tokens from other users.
  • Active Directory Ticket Granting Ticket Generation – Added a Ticket Granting Ticket (TGT) creation submodule to simulate Authentication Service Request (AS-REQ) exploitation and capture credentials.

Platform Performance & Stability

  • Optimized External Pentesting for larger asset sets.
  • Added yield-based rescan pruning to improve scope discovery efficiency.
  • Improved Known Exploited Vulnerabilities (KEV) detection on fragile network appliances, including Palo Alto Networks PAN-OS and Fortinet appliances.
  • Improved Active Directory credential database ingestion performance for Kerberos keys.
  • Improved external asset database operations at large scale, including workflows with up to 300,000 assets.
  • Improved subnet enumeration behavior and reserved subnet handling.
  • Improved network inventory query performance to reduce page-loading cost growth.
  • Improved Host Discovery behavior to avoid unnecessary repeated discovery runs.

Bug Fixes

  • Fixed a NetBIOS domain name population issue that could cause credential verification failures.
  • Fixed Active Directory credential database ingestion performance after Kerberos key ingestion.
  • Fixed a password spraying issue where more than five attempts in 15 minutes could unintentionally lock out users.
  • Fixed incorrect admin-panel tagging for H3-2025-0002.
  • Softened Host Discovery enforcement to log TTL (Time-to-Live) variance across ports rather than dropping hosts entirely.
  • Fixed Host Discovery parsing for port-unreachable responses.
  • Fixed Host Discovery behavior that could incorrectly mark scopes as ineligible for rescans.
  • Fixed scope filtering behavior during repeated Host Discovery runs.
  • Resolved a bug where Host Discovery execution loops would trigger recursively.
  • Fixed DNS zone lookup behavior when multiple Pointer (PTR) records are present.
  • Fixed a duplicate-key race condition in scope domain linking.
  • Fixed subnet enumeration behavior in which the same skip token could be returned repeatedly.
  • Restored pentest execution capabilities for FLEX-license customers.
  • Fixed template configuration UI's unintended reset every few minutes.
  • Fixed Runner selection behavior when a previously used Runner was not included in the initial query results.
  • Fixed operation form behavior so Runner and Kubernetes fields can be cleared correctly.
  • Fixed pentest comparison pagination by removing the first-100-pentests limit.
  • Fixed missing single sign-on (SSO) test button and Initiator URL behavior in the EU Portal.
  • Fixed an SSO setup issue where the Initiator URL did not populate.
  • Fixed a login issue affecting users restricted to SSO-only authentication.
  • Fixed a credential extraction timeout issue.
  • Fixed the Vulnerability Management Hub (VMH) Unprocessed Pentest modal to show the end date instead of the start date.
  • Fixed premature form resets by adding template checks before resetting the run operation form.

Federal

Users of NodeZero Federal might experience a 1–2 week delay in the availability of some features, Attack Content, or bug fixes.