Release Notes

Acunetix Standard & Premium


v25.5.1 - 27 Jun 2025


New security checks

  • Added a new check to detect Grafana Open Redirect (CVE-2025-4123)

Improvements

  • Updated Secret Token detection to increase coverage
  • Updated detection of DB connection in JSON fields
  • Updated DeepScan for more prop extraction
  • Added a new check to detect Prototype Pollution (Server-Side)
  • Updated dompurify to detect more vulnerabilities
  • Updated iframe injection detection on dom-based vulnerabilities
  • Updated XPath injection for better coverage

v25.5.0 - 17 Jun 2025


New features

  • Added support for the Java IAST Sensor running on WebLogic

New security checks

  • Added JWT auth bypass for API
  • Added SAP NetWeaver Visual Composer Unrestricted File Uploading (CVE-2025-31324)
  • Added detection for Craft CMS Remote Code Execution (CVE-2025-32432)
  • Added check for missing X-Content-Type-Options header

Improvements

  • Added regex to enhance detection of Stack Trace Disclosure in Django apps
  • Improved detection of JWTs signed with weak secrets
  • Added new security check for exposed nginx.conf and .htaccess files to enhance vulnerability detection
  • LDAP Injection detection added
  • Added detection for PII (Personally Identifiable Information) disclosure vulnerabilities
  • New detection for database connection strings in JSON responses to improve sensitive data exposure coverage
  • Scanner updated to support scanning targets with NTLM Authentication from Linux

Resolved issues

  • Fixed false positive for Cleo Harmony/VLTrader/LexiCom RCE detection
  • Corrected version comparison logic in "Scripts\WebApps\drupal_3.script"

v25.4.0 - 22 Apr 2025

This release includes new security checks and improvements.

New security checks

Improvements

  • Updated Node to version 20
  • Updated OpenSSL to version 3.4.1
  • Added an option to expose OpenSSL functions to sign or validate JWT tokens
  • Added an option to disable the DAST scanner from exposing secrets
  • Engine now uses Chromium 135.0.7049.41/52 for scanning


Fix

  • Resolved an issue causing a hang in the LSR during retry playback

v25.3.1 - 25 Mar 2025


New security checks

  • Added a check for Sitecore XM/XP Insecure Deserialization (CVE-2025-27218)
  • Added a check for Next.js Middleware Authorization Bypass (CVE-2025-29927)

v25.3.0 - 10 Mar 2025

This 25.3.0 Acunetix release contains a number of technology-detection improvements, new features, security checks, and resolved issues.

New features

  • Windows Internal Scanning Agents can now scan websites which make use of Smart Card Authentication
  • Acunetix On Premise can now be installed on Windows Server 2025

New security checks

  • Added a check for PAN-OS Management Interface Authentication Bypass (CVE-2025-0108)
  • Added a check for SimpleHelp Path Traversal (CVE-2024-57727)

Improvements

  • Technologies: DAST scanner updated to report over 30 new technologies
  • Improved detection of Open Redirect
  • Improved detection of Reverse Proxy
  • Improved detection of ViewState problems
  • Improvements to timeouts while crawling SPAs
  • Improved parsing of double URL encoded files

Resolved issues

  • Fixed: Technologies incorrectly reported as normal vulnerabilities
  • Fixed: False negative when reporting EspoCRM
  • Fixed issue causing Login Sequence Recorder to not load on Windows 10 / Windows Server 2016

v25.1.2 - 17 Feb 2025

Release 25.1.2 of Acunetix improves the handling of SQL Server vulnerabilities.

Improvements

  • Moved a number of SQL Server Vulnerabilities to Technologies

v25.1.1 - 07 Feb 2025


New security checks

  • Added a new check for SSRF Cloud Metadata
  • Added a new check for Out-of-Band SSTIs

Improvements

  • Improved Information Disclosures for phpinfo
  • Improved Username Disclosure for MS SQL
  • Improved Database Name Disclosures
  • Improved detection of exposed git repositories
  • Improved coverage of checks in Directory tests
  • Updated VDB to 20250204
  • Improved detection of Programming Error Messages

Resolved issues

  • Fixed a false positive causing EspoCRM tech to be reported unexpectedly

v25.1.0 - 04 Feb 2025


New security checks

  • Added a check for Craft CMS Development Mode enabled
  • Added a check for Craft CMS register_argc_argv RCE (CVE-2024-56145)
  • Added a check for Apple's App-Site Association (AASA) file
  • Added new checks for API9:2023 Improper Inventory Management
  • Added new checks for API10:2023 Unsafe Consumption of APIs
  • Added new checks for API2:2023 Broken Authentication

New features

  • Added support for scanning web applications using Smart Card Authentication

Improvements

  • Improved detection of Microsoft SQL Server as a technology
  • Improved detection of XSS
  • Updated the severity of some vulnerabilities to better reflect their impact
  • Improved detection of weak passwords
  • Improved detection of Blind XSS
  • Improved detection of SQL Injection
  • Updated scanner to never downgrade from HTTPS to HTTP

Resolved issues

  • Improvement to launching Chromium on Windows 10 build 14393
