Release Notes

Acunetix Standard & Premium

v25.5.2 - 09 Jul 2025

Security update with new checks for Weak ViewState Key, PAN-OS XSS (CVE-2025-0133), and Citrix NetScaler Memory Disclosure (CVE-2025-5777). Improved Open Redirect detection, updated vulnerability references, and upgraded Vulnerability Database to version 20250708.

Security checks

  • Added a new security check for Weak ViewState Key
  • Added a new check to detect PAN-OS XSS (CVE-2025-0133)
  • Added a new check to detect Citrix NetScaler Memory Disclosure (CitrixBleed 2) (CVE-2025-5777)
  • Upgraded Vulnerability Database (VDB) version to 20250708

Improvements

  • Updated Open Redirect to increase coverage

v25.5.1 - 27 Jun 2025

New security checks

  • Added a new check to detect Grafana Open Redirect (CVE-2025-4123)

Improvements

  • Updated Secret Token detection to increase coverage
  • Updated detection of DB connection in JSON fields
  • Updated DeepScan for more prop extraction
  • Added a new check to detect Prototype Pollution (Server-Side)
  • Updated dompurify to detect more vulnerabilities
  • Updated iframe injection detection on dom-based vulnerabilities
  • Updated XPath injection for better coverage

v25.5.0 - 17 Jun 2025

New features

  • Added support for JAVA IAST Sensor running on WebLogic

New security checks

  • Added JWT auth bypass for API
  • Added SAP NetWeaver Visual Composer Unrestricted File Uploading (CVE-2025-31324)
  • Added detection for Craft CMS Remote Code Execution (CVE-2025-32432)
  • Added check for missing X-Content-Type-Options header

Improvements

  • Added regex to enhance detection of Stack Trace Disclosure in Django apps
  • Improved detection of JWTs signed with weak secrets
  • Added new security check for exposed nginx.conf and .htaccess files to enhance vulnerability detection
  • LDAP Injection detection added
  • Added detection for PII (Personally Identifiable Information) disclosure vulnerabilities
  • New detection for database connection strings in JSON responses to improve sensitive data exposure coverage
  • Scanner updated to support scanning targets with NTLM Authentication from Linux

Resolved issues

  • Fixed false positive for Cleo Harmony/VLTrader/LexiCom RCE detection
  • Corrected version comparison logic in “Scripts\WebApps\drupal_3.script”

v25.4.0 - 22 Apr 2025

This release includes new security checks and improvements.

New security checks

Improvements

  • Updated Node to version 20
  • Updated OpenSSL to version 3.4.1
  • Added an option to expose OpenSSL functions to sign or validate JWT tokens
  • Added an option to disable the DAST scanner from exposing secrets
  • Engine now uses Chromium 135.0.7049.41/52 for scanning

v25.3.2 - 03 Apr 2025

Fix

  • Resolved an issue causing a hang in the LSR during retry playback

v25.3.1 - 25 Mar 2025

New security checks

  • Added a check for Sitecore XM/XP Insecure Deserialization (CVE-2025-27218)
  • Added a check for Next.js Middleware Authorization Bypass (CVE-2025-29927)

v25.3.0 - 10 Mar 2025

This Acunetix 25.3.0 release contains a number of technology improvements, new features, security checks, and resolved issues.

New features

  • Windows Internal Scanning Agents can now scan websites which make use of Smart Card Authentication
  • Acunetix On Premise can now be installed on Windows Server 2025

New security checks

  • Added a check for PAN-OS Management Interface Authentication Bypass (CVE-2025-0108)
  • Added a check for SimpleHelp Path Traversal (CVE-2024-57727)

Improvements

  • Technologies: DAST scanner updated to report over 30 new technologies
  • Improved detection of Open Redirect
  • Improved detection of Reverse Proxy
  • Improved detection of ViewState problems
  • Improvements to timeouts while crawling SPAs
  • Improved parsing of double URL encoded files

Resolved issues

  • Fixed: Technologies incorrectly reported as normal vulnerabilities
  • Fix: False Negative reporting EspoCRM
  • Fixed issue causing Login Sequence Recorder to not load on Windows 10 / Windows Server 2016

v25.1.2 - 17 Feb 2025

Acunetix release 25.1.2 contains improvements to SQL Server vulnerabilities.

Improvements

  • Moved a number of SQL Server Vulnerabilities to Technologies

v25.1.1 - 07 Feb 2025

New security checks

  • Added a new check for SSRF Cloud Metadata
  • Added a new check for Out-of-Band SSTIs

Improvements

  • Improved Information Disclosures for phpinfo
  • Improved Username Disclosure for MS SQL
  • Improved Database Name Disclosures
  • Improved detection of exposed git repositories
  • Improved coverage of checks in Directory tests
  • Updated VDB to 20250204
  • Improved detection of Programming Error Messages

Resolved issues

  • Fixed a false positive causing EspoCRM tech to be reported unexpectedly