December 2025 Release Notes

The Command Platform release notes cover what’s new, which is updated monthly, and improvements and fixes, which are updated weekly.

Last updated: December 15th, 2025

What’s New

Learn about new features across the Command Platform. These features were released over the past month and are available now:

Risk

Risk is the potential for loss or damage to your assets, operations, or reputation, due to vulnerabilities being exploited by a bad actor. Security teams must assess the risk level by evaluating the likelihood of a threat occurring and the impact that it would have if realized.

View Exposure Analytics in your Preferred Theme

Exposure Analytics previously defaulted to light mode, causing visual inconsistency with Command Platform theme preferences. This update ensures the interface aligns with light theme settings for a consistent experience across Vulnerability Management (InsightVM).

With this update in Exposure Analytics, you can:

  • Apply platform light theme automatically in Exposure Analytics
  • Eliminate abrupt dark-to-light transitions for smoother navigation

Include EPSS Data in Bulk Export APIs

You can now use Exploit Prediction Scoring System (EPSS) data in Vulnerability Management (InsightVM) to prioritize vulnerabilities based on the likelihood of active exploitation. This added context helps security teams focus remediation efforts on the vulnerabilities most likely to be targeted.

With this update for Bulk Exports, you can:

  • Retrieve EPSS score and percentile via asset and vulnerability bulk exports
  • Rank vulnerabilities by real-world exploit probability
  • Target remediation on the highest-risk issues

The Vulnerability Management (InsightVM) console has been updated to align its interface with the broader Rapid7 Command Platform. This refreshed UI delivers a more consistent visual experience, reducing friction when moving between solutions.

With this release in Vulnerability Management (InsightVM), you can:

  • Access a modernized and aligned Security Console interface
  • Continue using existing functionality with zero disruption

Utilize Enhanced Operating System Data in Remediation Hub

Remediation Hub now has extended Operating System (OS) data, including OS product, version, and architecture, in addition to the existing OS family. This richer data is now visible in impacted asset details, available in filters, included in exports, and passed through to automations, enabling more precise remediation workflows.

With this update in Response & Remediation > Remediation Hub, you can:

  • Gain detailed Operating System context
  • Access the enhanced Operating System fields when running Automation workflows.
  • Improve accuracy in assigning asset ownership

Threat

A threat is any potential event or action that could exploit vulnerabilities in a system, causing harm to assets, data, or operations. Threats can originate from various sources, including malicious actors, natural disasters, or unintentional human errors.

SIEM (InsightIDR) now includes a Full Screen Search mode that lets you expand your search workspace for uninterrupted investigations. Designed for security analysts, this enhancement eliminates the visual constraints of the default view, enabling a more immersive log analysis experience.

With this capability in Search > Log Search, you can:

  • Maximize the view for deeper visibility into your log data.
  • Navigate seamlessly across multiple tabs—even when expanded.
  • Reduce distractions by eliminating the need to toggle between browser windows.

A next-generation search infrastructure is now available in SIEM (InsightIDR) to accelerate your threat hunts and investigations. Distributed Search parallelizes statistical queries across multiple compute resources to deliver results faster and more reliably.

With this capability in Search > Log Search, you can:

  • Achieve 35–50% faster results through parallel query execution.
  • Improve reliability with distributed, atomic workloads.
  • Scale efficiently for high-volume, complex analysis.

Applies only to LEQL queries using the calculate clause in this release. Faster groupby query performance is planned for Q1 2026.

Monitor Cloud Log Readiness Across Environments

The Cloud Log Coverage dashboard card in SIEM (InsightIDR) provides visibility into logging readiness across AWS, Azure, and now GCP. Available to customers with both SIEM (InsightIDR) and Cloud Security (InsightCloudSec), this feature helps security leaders and operations teams identify gaps and track improvements over time.

With this capability in Dashboards, you can:

  • Detect incomplete or misconfigured logging.
  • Proactively manage cloud posture and reduce risk exposure.
  • Support audit readiness and simplify stakeholder reporting.

Improvements and Fixes

Keep track of improvements and fixes to core technology.

Application Security (InsightAppSec) and AppSpider

Version 7.5.023

Software release date: December 16, 2025 | Release notes published: December 17, 2025

New Features

  • OWASP Top 10 2025 (Release Candidate)
  • New Attack Template - Arbitrary Code Execution
  • Remote Code Execution module improvements - New React2Shell attack.

Improved

  • AppSec Scan Engine

    • Remote Code Execution module improvements include the new React2Shell attack.
    • Brute Force Form & SQL Auth Bypass modules improvements to the detection of authentication forms and successfully submitted authentication flows.
    • File Inclusion module improvements to reduce false negatives in the detection of package.json files.
    • GraphQL query generation improvements to support schemas with custom root types, complex nested input arguments, and additional scalar definitions.
    • Attack Module Updates - CVSS scores and severities have been updated for the following modules:
      • Information Disclosure in response (From Informational to High)
      • JavaScript Memory Leaks (From Informational to Low)
      • File Inclusion (From Medium to Critical)
  • R7 Crawler

    • Standardized how JavaScript is executed when using the Chromium browser, improving execution consistency.
    • Improved R7Crawler certificate generation for internal HTTPS communication with the Engine.
    • Improved crawler performance by preventing duplicate discovered events from being processed.
    • Improved macro sequence handling with R7Crawler.
    • Improved closure of hanging Chromium browsers to free memory.
    • Updated the engine to correctly pass the Content Security Policy (CSP) configuration to the R7Crawler.
    • For R7Crawler, improved blur event handling to avoid certain requests hanging the browser.
    • Included detection of the latest Drupal versions.
    • Improved error message when the URL passed to the analyze endpoint is blocked.
    • Removed dependency on Windows WMIC as Microsoft has removed it from some Windows builds.

Fixed

  • R7 Crawler
    • Fixed status code handling for R7Crawler responses.
    • Fixed an issue whereby a colon in an injected header value would truncate the value when using R7Crawler.

Cloud Security (InsightCloudSec)

Release availability for self-hosted users

Important

On December 18th, we released a patch for version 25.12.9 to resolve an issue affecting bots that scope to multiple resource types simultaneously. Previously, these configurations could produce inconsistent results.

Self-hosted users are able to download version 25.12.16 on December 18th from the following locations:

  • Terraform deployments: Public S3 bucket. Modules can be updated with the terraform get -update command.
  • Amazon Elastic Container Repository (ECR) deployments: You can obtain the ECR build images for this version from the InsightCloudSec ECR Gallery.

Version 25.12.16

Software release date: December 16, 2025 | Release notes published: December 15, 2025

Important Notes

Release 25.12.16 is the last release of 2025. The next release, version 26.1.13, is scheduled for January 13, 2026.

Improved

  • AliCloud Integration Enhancement: Created a new AliCloud Python onboarding script and exposed it via API endpoints for streamlined cloud account onboarding.
  • Metadata Service Security Upgrade: Migrated from IMDSv1 to IMDSv2 for all metadata calls to enhance security and follow AWS best practices.
  • Bot Factory Listing: Updated the Filters Panel to be collapsible for improved user interface experience.

New Compliance Packs

  • CMMC v2.0 Compliance Pack: Added comprehensive compliance pack for Cybersecurity Maturity Model Certification version 2.0.

New Query Filters

  • Lake Formation External Principal Access: Identifies Lake Formation settings that have external allow principals with account IDs not managed in the organization.

New Insights

  • Cache Instance Encryption at Rest and in Transit Disabled: New insight for CIS AWS Database Services Benchmark 1.0.0 Recommendation 5.3 to ensure encryption at rest and in transit is configured.

Updated Insights

  • Database Cluster without Encryption at Rest: Included new remediation steps and links for DocumentDB cluster type. Changed the insight to be cloud-agnostic since it supports both GCP and AWS and made small improvements here and there to adhere to our style guide.

New Resources

  • AWS Lake Formation: Added harvesting for Lake Formation resources in AWS accounts with LakeFormationHarvester.
  • New AWS permission required: lakeformation:GetDataLakeSettings.

Fixed

  • Fixed an issue with the download of misconfiguration reports.

Version 25.12.9

Software release date: December 9, 2025 | Release notes published: December 8, 2025

Improved

  • Bot Factory Listing: Updated UI to prevent additional scrollbars in some cases.

  • Updated the RestAPI resource harvesting to address false positives for SSL 3.0 and TLS 1.0/1.1/1.2 configuration in Azure API Management Service resources:

    • Removed fields: full_tls_10, full_tls_11, full_ssl_30, full_tls_12.
    • Added fields: client_tls_10, backend_tls_10, client_tls_11, backend_tls_11, client_tls_12, backend_tls_12, client_ssl_30, backend_ssl_30.
  • Improvements to AWS GuardDuty ThreatFindings

    • Added ThreatFindings support for RDS Limitless DB, enabling retrieval of GuardDuty Findings for this database engine.
    • Added ThreatFindings support for Kubernetes Clusters from AWS GuardDuty for enhanced container security monitoring.
    • Updated names of AWS threat findings to more readable formats.
  • Added badge and tag support to OCI Compartments.

  • Upgraded SQLAlchemy to version 1.4.

  • Kubernetes Scanner

    • Released Kubernetes Scanner v4.1.16, including fixes for multiple vulnerabilities and resolving a false positive for the insight Ensure that the seccomp profile is set to docker/default in your pod definitions.
    • Internal component versions are now visible via:
      • helm show values <chart name> | grep -E 'Name:|Version:'
      • Update to new version using helm upgrade --install as referenced in documentation.
  • Azure Enhancements

    • Updated Azure onboarding script to allow permission upgrades for EDH, HVA, and/or LPA.
    • Added additional permissions to Rapid7-provided Azure Gov roles.
    • Enabled additional harvesters on Azure Gov: ConditionalAccessPolicyHarvest, ContentDeliveryNetworkHarvest, HypervisorHarvest, NamedLocationHarvest, RelayNamespaceHarvest.
    • Added new harvester: ContainerAppEnvironmentHarvester with “add tags” action.
      • New permission required: Microsoft.App/managedEnvironments/read.
  • Compliance Packs Updates

    • Added insights to CIS Controls v8.1.2 Compliance Pack:
      • Workspace Without Volume Encryption
      • Cloud Account Without Password Expiration Policy
      • Cloud Account Without Password Reuse Prevention
    • Added new insights Batch Pool Without Disk Encryption and Batch Environment using Cloud Managed Key Instead of Customer Managed Key to compliance packs:
      • NIST 800-53 (Rev 5)
      • Microsoft Cloud Security Benchmark
      • NIST 800-171
      • NIST Cybersecurity Framework 2.0
      • CIS Controls v8.1.2

New Query Filters

  • AI Service Deployment By Sku Name (REGEX)
  • Public NAT Gateway Attached To Public Subnet identifies public NAT gateway resources, which are attached to public subnets with both local and internet gateway routes.
  • Private Subnet with Local and Public NAT Routes identifies private subnets that have a local route and an active public NAT route.
  • Database Instance/Database Cluster Audit Logging Disabled matches database instances and/or database clusters that have audit logging disabled.
  • Batch Pool Disk Encryption Targets allows users to filter Batch Pool resources using any combination of Disk Encryption Targets.
  • Workspace Without MFA Enabled (AWS) identifies workspaces that do not have Multi-Factor Authentication (MFA) enabled.

Updated Query Filters

  • Updated Content Delivery Network With Specified Security Policy Query Filter to include 2 new Security Policy SSL Protocols options: TLSv1.3_2025 and TLSv1.2_2025.
  • Added sku_name field to AI Service Deployment By Sku Name (REGEX) Query Filter.
  • Updated Rest API Has TLS Enabled and Rest API Has SSL Enabled Query Filters to use new fields. Protocol is now treated as enabled if it is enabled for either Client or Backend communication.
  • Added new Or flag to RestAPI Has TLS Enabled Query Filter for flexible matching.
  • Updated alerting policies for network gateway changes in Cloud Account Oracle CIS Alerting Policy Missing Query Filter and Cloud Account Missing Event Rule And Notification For Network Gateway Changes insight.
  • Renamed Query Filter App Stream Fleet Not Using VPC (AWS) to App Stream Fleet Not Using Securely Configured VPC.
  • Query Filter Batch Environment Invalid Diagnostic Logging Configuration (Azure) and its associated insight have been updated to include the “AuditLog” diagnostic log category.
  • Renamed Query Filter Batch Environment Using Encryption Type (Azure) to Batch Environment Encryption Type (Azure).
  • Deprecated Query Filter Database Instance Vulnerability Assessment Not Associated with Storage Account and corresponding insight. Removed deprecated insight from all compliance packs.

New Insights

  • Database Cluster With Upcoming Maintenance for AWS DocumentDB.
  • Cache Instance Encryption at Rest and in Transit Disabled for CIS AWS Database Services Benchmark 1.0.0 Recommendation 5.3.
  • Database Cluster With Audit Logging Disabled matches database clusters with audit logging disabled.
  • Database Cluster without Encryption at Rest updated description.
  • Batch Pool Without Disk Encryption highlights Azure Batch Pools resources that have disk encryption disabled.
  • Batch Environment using Cloud Managed Key Instead of Customer Managed Key highlights Azure Batch Account resources using Microsoft-managed keys for encryption.
  • Database Instance with Vulnerability Assessment Disabled
  • App Stream Fleet Not Using Securely Configured VPC (renamed from previous)
  • Workspace Without Multi-Factor Authentication identifies Workspaces that do not have Multi-Factor Authentication Enabled.

Updated Insights

  • Renamed insight App Stream Fleet Not Using VPC (AWS) to App Stream Fleet Not Using Securely Configured VPC.
  • Updated description and name for insight Distributed Table Encryption Disabled.
  • Updated link for insight Volume Encrypted using Cloud Managed Key (Detached).
  • Updated insight Volume Encrypted using Cloud Managed Key (Attached) to match latest CIS benchmark.

New and Updated Resources

  • Added sku_name field to AI Service Deployment resource.
  • Added new “connectivity_type” attribute to NAT gateway resources.
  • Updated the BatchEnvironmentHarvester to harvest disk_encryption_targets data for Batch Pool resources.

Fixed

  • Resolved false positive for insight Ensure that the seccomp profile is set to docker/default in your pod definitions in Kubernetes Scanner.
  • Fixed an issue where vulnerabilities without remediation still appeared when the HAS_REMEDIATIONS filter was used.
  • Fixed false positive issues for Query Filters:
    • Database Instance Vulnerability Assessment (Classic Configuration) Without Configured Email Notifications
    • Database Instance Vulnerability Assessment (Classic Configuration) Without Email Notifications To Admins
    • Database Instance Advanced Data Security Enabled
  • Prevented HsmClusterHarvester from running in regions without HSM Cluster service.
  • Fixed false positive issues for Oracle Query Filters related to Password Policies.
  • Fixed an issue in Oracle Cloud where deleting a user account could fail due to a missing compartment attribute. The process now uses the correct account ID, ensuring user group memberships are listed properly.
  • Restored get_missing_permissions() to work with the filter “Cloud Account With Impaired Visibility”.

SIEM (InsightIDR)

No updates released at this time.

Vulnerability Management (InsightVM)

Version 8.32.2

Software release date: Dec 17, 2025 | Release notes published: Dec 16, 2025

Improved:

  • We resolved a visual styling issue in the Security Console where dropdown text in the Filtered Asset Search was difficult to read when using Microsoft Edge. The updated styling enhances readability and ensures a consistent experience across supported browsers.

Version 8.32.1

Software release date: Dec 10, 2025 | Release notes published: Dec 10, 2025

Improved:

  • Restored the original behavior of Policy Details report generation to ensure stability while additional optimizations are developed.

Version 8.32.0

Software release date: Dec 10, 2025 | Release notes published: Dec 9, 2025

Improved:

  • Enhanced the Scan Assistant to support Linux systems using glibc versions earlier than 2.32. The application is now produced as a pure Golang binary, removing dependencies on specific glibc versions. This update broadens compatibility across a wider range of Linux distributions.
  • The Risk and Assets Over Time graphs now display the full expected trend range based on the configured scan retention period, or the standard default period when no custom setting is applied.
  • Enhanced report generation performance and disk utilization for Policy Details reports. This improves behavior around how temporary swap files are handled and reduces excessive disk consumption during report generation.
  • Enhanced CIS SQL Server policies to improve rule execution and assessment accuracy. SQL queries in several rules have been updated to ensure they run successfully across supported SQL Server versions.
  • Implemented general improvements to API reliability and Platform-connected workflows to ensure a smoother and more consistent experience.
  • Fixed an issue that could lead to inconsistent compliance results when running multiple scans on the same asset.

New:

  • New Policy Content: Support has been added for the following versions of CIS and DISA STIG benchmarks to enable organizations to adhere to the latest security best practices:
    • Linux:
      • CIS Red Hat Enterprise Linux 10 Benchmark v1.0.1
      • CIS Red Hat Enterprise Linux 9 STIG Benchmark v1.0.0
    • Microsoft Windows Server:
      • CIS Microsoft Windows Server 2022 STIG Benchmark v3.0.0
      • CIS Microsoft Windows Server 2016 STIG Benchmark v4.0.0
      • CIS Microsoft Windows Server 2016 Benchmark v4.0.0
      • DISA Microsoft Windows Server 2022 STIG V2R4
    • Microsoft Windows Client:
      • CIS Microsoft Intune for Windows 10 Benchmark v4.0.0
      • DISA Microsoft Windows 10 STIG Version 3, Release 5
    • Databases:
      • DISA STIG Oracle MySQL 8.0 Benchmark V2R2

Version 8.31.0

Software release date: Dec 3, 2025 | Release notes published: Dec 1, 2025

Improved:

  • Optimized OS Remote Execution Fingerprinting to significantly reduce scan duration and resource usage. To enable, set the custom property: com.rapid7.remoteexecution.fingerprinting.optimize=true
  • Improved Oracle SID Enumeration Stability: Addressed a stability issue where the Oracle SID enumeration thread could stall for extended periods when scanning misbehaving endpoints, potentially impacting overall scan performance. To prevent indefinite stalling, the Scan Engine now introduces a Failure Threshold mechanism:
    • The engine enforces a default limit of 5 consecutive enumeration failures. If this limit is reached, the thread will exit to preserve scan stability.
    • Default Exclusions: The failure count will not be triggered by the following common error codes: ORA-12504, ORA-12505, ORA-01005, ORA-01017, ORA-12537, and ORA-28000. This threshold and error codes can now be customized.
    • Custom Configuration Properties: The following custom properties are now available to change the default failure limit and the error codes:
      • com.rapid7.oracle.bootstrap.failure.limit: Sets the number of allowed failures before stopping (Default: 5). Set to 0 to disable this feature.
      • com.rapid7.oracle.bootstrap.failure.codes: Defines which specific Oracle error codes contribute to the failure count.
      • com.rapid7.oracle.bootstrap.exclude.failure.codes: Defines Oracle error codes that should be ignored when counting failures (this takes precedence over the inclusion list).

Nexpose

Version 8.32.2

Software release date: Dec 17, 2025 | Release notes published: Dec 16, 2025

Improved:

  • We resolved a visual styling issue in the Security Console where dropdown text in the Filtered Asset Search was difficult to read when using Microsoft Edge browser. The updated styling enhances readability and ensures a consistent experience across supported browsers.

Version 8.32.1

Software release date: Dec 10, 2025 | Release notes published: Dec 10, 2025

Improved:

  • Restored the original behavior of Policy Details report generation to ensure stability while additional optimizations are developed.

Version 8.32.0

Software release date: Dec 10, 2025 | Release notes published: Dec 9, 2025

Improved:

  • Enhanced the Scan Assistant to support Linux systems using glibc versions earlier than 2.32. The application is now produced as a pure Golang binary, removing dependencies on specific glibc versions. This update broadens compatibility across a wider range of Linux distributions.
  • The Risk and Assets Over Time graphs now display the full expected trend range based on the configured scan retention period, or the standard default period when no custom setting is applied.
  • Enhanced report generation performance and disk utilization for Policy Details reports. This improves behavior around how temporary swap files are handled and reduces excessive disk consumption during report generation.
  • Enhanced CIS SQL Server policies to improve rule execution and assessment accuracy. SQL queries in several rules have been updated to ensure they run successfully across supported SQL Server versions.
  • Implemented general improvements to API reliability and Platform-connected workflows to ensure a smoother and more consistent experience.
  • Fixed an issue that could lead to inconsistent compliance results when running multiple scans on the same asset.

New:

  • New Policy Content: Support has been added for the following versions of CIS and DISA STIG benchmarks to enable organizations to adhere to the latest security best practices:
    • Linux:
      • CIS Red Hat Enterprise Linux 10 Benchmark v1.0.1
      • CIS Red Hat Enterprise Linux 9 STIG Benchmark v1.0.0
    • Microsoft Windows Server:
      • CIS Microsoft Windows Server 2022 STIG Benchmark v3.0.0
      • CIS Microsoft Windows Server 2016 STIG Benchmark v4.0.0
      • CIS Microsoft Windows Server 2016 Benchmark v4.0.0
      • DISA Microsoft Windows Server 2022 STIG V2R4
    • Microsoft Windows Client:
      • CIS Microsoft Intune for Windows 10 Benchmark v4.0.0
      • DISA Microsoft Windows 10 STIG Version 3, Release 5
    • Databases:
      • DISA STIG Oracle MySQL 8.0 Benchmark V2R2

Version 8.31.0

Software release date: Dec 3, 2025 | Release notes published: Dec 1, 2025

Improved:

  • Optimized OS Remote Execution Fingerprinting to significantly reduce scan duration and resource usage. To enable, set the custom property: com.rapid7.remoteexecution.fingerprinting.optimize=true
  • Improved Oracle SID Enumeration Stability: Addressed a stability issue where the Oracle SID enumeration thread could stall for extended periods when scanning misbehaving endpoints, potentially impacting overall scan performance. To prevent indefinite stalling, the Scan Engine now introduces a Failure Threshold mechanism:
    • The engine enforces a default limit of 5 consecutive enumeration failures. If this limit is reached, the thread will exit to preserve scan stability.
    • Default Exclusions: The failure count will not be triggered by the following common error codes: ORA-12504, ORA-12505, ORA-01005, ORA-01017, ORA-12537, and ORA-28000. This threshold and error codes can now be customized.
    • Custom Configuration Properties: The following custom properties are now available to change the default failure limit and the error codes:
      • com.rapid7.oracle.bootstrap.failure.limit: Sets the number of allowed failures before stopping (Default: 5). Set to 0 to disable this feature.
      • com.rapid7.oracle.bootstrap.failure.codes: Defines which specific Oracle error codes contribute to the failure count.
      • com.rapid7.oracle.bootstrap.exclude.failure.codes: Defines Oracle error codes that should be ignored when counting failures (this takes precedence over the inclusion list).
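
The failure threshold described in the Oracle SID enumeration notes above (for both Vulnerability Management and Nexpose), modeled as an added example that is not Rapid7 code. The comma-separated list format, the meaning of an empty inclusion list, replacement of the default exclusions, and how successes and ignored codes affect the streak are assumptions; the ORA-12514 outcomes are constructed sample data.

```python
# Added illustration: a model of the failure-threshold behaviour described in the
# release notes. Not Rapid7 code; semantics marked "assumption" are not on the page.
from dataclasses import dataclass

P_LIMIT = "com.rapid7.oracle.bootstrap.failure.limit"
P_INCLUDE = "com.rapid7.oracle.bootstrap.failure.codes"
P_EXCLUDE = "com.rapid7.oracle.bootstrap.exclude.failure.codes"

# Default exclusions listed in the release notes.
DEFAULT_EXCLUDED = frozenset({
    "ORA-12504", "ORA-12505", "ORA-01005", "ORA-01017", "ORA-12537", "ORA-28000",
})


def parse_properties(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def parse_codes(value):
    """Assumption: code lists are comma-separated."""
    return frozenset(c.strip().upper() for c in value.split(",") if c.strip())


@dataclass
class FailureThreshold:
    limit: int = 5                          # documented default
    include: frozenset = frozenset()        # assumption: empty means any code may count
    exclude: frozenset = DEFAULT_EXCLUDED
    streak: int = 0

    @classmethod
    def from_properties(cls, props):
        t = cls()
        if P_LIMIT in props:
            t.limit = int(props[P_LIMIT])
        if P_INCLUDE in props:
            t.include = parse_codes(props[P_INCLUDE])
        if P_EXCLUDE in props:
            # Assumption: a custom list replaces the defaults rather than extending them.
            t.exclude = parse_codes(props[P_EXCLUDE])
        return t

    def counts(self, code):
        if code in self.exclude:            # exclusion takes precedence over inclusion
            return False
        return not self.include or code in self.include

    def record(self, code):
        """Record one attempt (None = success). True means the thread should exit."""
        if self.limit == 0:                 # 0 disables the feature
            return False
        if code is None:
            self.streak = 0                 # a success breaks the consecutive run
        elif self.counts(code):
            self.streak += 1
        # Assumption: an ignored error code leaves the streak unchanged.
        return self.streak >= self.limit


def attempts_before_exit(threshold, outcomes):
    """Return the 1-based attempt at which enumeration stops, or None if it never does."""
    for attempt, code in enumerate(outcomes, 1):
        if threshold.record(code):
            return attempt
    return None


if __name__ == "__main__":
    # Constructed outcomes: ORA-12514 counts, ORA-12505 is excluded by default.
    sample = ["ORA-12514", "ORA-12505"] + ["ORA-12514"] * 4
    print("defaults stop at attempt", attempts_before_exit(FailureThreshold(), sample))
    custom = FailureThreshold.from_properties(parse_properties(
        f"{P_LIMIT}=2\n{P_INCLUDE}=ORA-12514,ORA-12505\n{P_EXCLUDE}=ORA-12505"))
    print("custom stops at attempt",
          attempts_before_exit(custom, ["ORA-12505"] * 3 + ["ORA-12514"] * 2))
```
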

Digital Risk Protection (Threat Command)

No updates released at this time.

Rapid7 Agent (Insight Agent)

Software Release Date: December 2, 2025 | Release Notes Published: December 2, 2025

Agent Installer Experience Redesigned: The Agent Installers tab has been renamed to Installers, and the page has been redesigned for faster, more intuitive navigation:

  • Simplified layout with clearly labeled tabs for Agent and Add-Ons (if licensed).
  • New section headers, Installation Method and Available Installers, for easier navigation.
  • Quick version access with Locked, Current, and Previous Releases tabs.

To view the changes, go to Data Connectors > Agents > Installer(s).

Next-Generation Antivirus

Software Release Date: December 2, 2025 | Release Notes Published: December 2, 2025

You can now download NGAV installers directly from the Command Platform, no support ticket required.

To access the installer files:

  1. Go to Data Connectors > Agents > Installers > Add-Ons (if licensed).
  2. Select Next-Generation Antivirus.
  3. Download and install both components: Endpoint Service and NGAV Service.

Ransomware Prevention

Software Release Date: December 2, 2025 | Release Notes Published: December 2, 2025

The Ransomware Prevention installer is now available for direct download from the Command Platform.

To access the installer file:

  1. Go to Data Connectors > Agents > Installers > Add-Ons (if licensed).
  2. Expand Ransomware Prevention.
  3. Select and download the installer for your operating system.

Velociraptor

No updates released at this time.
