September 2025 Release Notes

The Command Platform release notes include information about what’s new, which are updated monthly, and improvements and fixes, which are updated weekly.

What’s New

Learn about new features across the Command Platform. These features were released over the past month and are available now:

• Attack surface: Attack Surface Management, Exposure Command

• Risk: Vulnerability Management, Continuous Red Teaming

  • Prioritize high-impact fixes with Remediation Hub for Vulnerability Management (InsightVM)
  • Validate internal segmentation controls with Vector Command Advanced
  • Explore Vulnerability Management (InsightVM) with refreshed visuals

• Threat: SIEM, MDR, MTC

  • Empower faster threat detection with AI-Powered Log Search
  • Simplify GCP SCC Alerts with Triage-as-Code
  • Add rich asset context to GCP SCC alerts with ICS enrichment
  • Enhance Threat Coverage with Migrated Detection Rules

• Administration: Application Security, Exposure Command

  • Sync vulnerability updates using ServiceNow’s new Yokohama AI

Attack surface

Your attack surface is comprised of all of the potential entry points that attackers could exploit across your systems, applications, and networks. Developing knowledge of your attack surface is a key goal in improving your company’s security posture.

Top of page

Risk

Risk is the potential for loss or damage to your assets, operations, or reputation, due to vulnerabilities being exploited by a bad actor. Security teams must assess the risk level by evaluating the likelihood of a threat occurring and the impact that it would have if realized.

• Prioritize high-impact fixes with Remediation Hub for Vulnerability Management (InsightVM)
• Validate internal segmentation controls with Vector Command Advanced
• Explore Vulnerability Management (InsightVM) with refreshed visuals

Prioritize high-impact fixes with Remediation Hub for Vulnerability Management (InsightVM)

In Vulnerability Management (InsightVM), Remediation Hub is now available to all customers, bringing data-driven remediation guidance to the forefront of your vulnerability management strategy. Powered by the threat-aware Active Risk Score, this feature enables teams to reduce risk faster and more efficiently.

With this capability from Response & Remediation > Remediation Hub, you can:

• Accelerate risk reduction by targeting remediations that eliminate large volumes of vulnerabilities in bulk.
• Minimize rework with intelligent supersedence logic that identifies the most effective fix.
• Maximize team productivity by focusing effort where it has the highest impact.

Top of page

Validate internal segmentation controls with Vector Command Advanced

In Continuous Red Teaming (Vector Command Advanced), this new managed services offering goes beyond visibility by proving exposure and segmentation effectiveness, bridging the gap between alerts and actionable control validation, and delivering compliance-ready evidence for PCI, ISO, NIST, and internal audits.

With this capability from Findings > Red Team Findings, you can:

• Conduct a goal-based internal penetration test and segmentation test each year.
• Generate compliance-ready evidence for frameworks like PCI, ISO, and NIST.
• Receive persistent reconnaissance of your external attack surface to discover internet-facing assets.
• Review expert-vetted findings to drive prioritization and incorporate expert remediation guidance.

Top of page

Explore Vulnerability Management (InsightVM) with refreshed visuals

In Vulnerability Management (InsightVM), the cloud-based experience has been updated to align with other user interfaces on the Command Platform. This refresh modernizes colors, fonts, and styling, bringing consistency across the Command Platform without changing how you use our solutions.

With this update in Vulnerability Management, you can:

• Use a consistent and accessible visual language across the Command Platform.
• Navigate without needing to learn new workflows.
• Benefit from updated styling for 30+ components, including buttons, tables, and tooltips.

Top of page

Threat

A threat is any potential event or action that could exploit vulnerabilities in a system, causing harm to assets, data, or operations. Threats can originate from various sources, including malicious actors, natural disasters, or unintentional human errors.

• Empower faster threat detection with AI-Powered Log Search
• Simplify GCP SCC Alerts with Triage-as-Code
• Add rich asset context to GCP SCC alerts with ICS enrichment
• Enhance Threat Coverage with Migrated Detection Rules
• Visualize detection coverage with MITRE ATT&CK mapping

Empower faster threat detection with AI-Powered Log Search

In SIEM, Managed Detection and Response (MDR), and Managed Threat Complete (MTC), searching logs can be slow and error-prone. Now, you can write queries in plain language to uncover threats more quickly.

With this capability from Alerts > Log Search, you can:

• Generate queries using natural language instead of LEQL syntax.
• Reduce troubleshooting time with proactive, contextual suggestions.
• Improve accessibility for new or non-technical analysts.

Top of page

Simplify GCP SCC Alerts with Triage-as-Code

In SIEM, MDR, and MTC, alerts from Google Cloud SCC are now automatically translated into plain language using Triage-as-Code (TRaC). This reduces complexity and makes alerts easier to prioritize and act on.

With this capability from Alerts, you can:

• Understand GCP SCC alerts more clearly to speed up triage and response.
• Reduce errors caused by misinterpreting technical alert language.
• Empower less specialized analysts to confidently manage cloud alerts.

Top of page

Add rich asset context to GCP SCC alerts with ICS enrichment

In SIEM, MDR, and MTC (requires an active Cloud Security account), Google Cloud Security Command Center (SCC) alerts now include deeper context through enrichment from Cloud Security (InsightCloudSec). Asset details, vulnerabilities, misconfigurations, and identity data are added directly to SCC alerts, giving analysts immediate visibility.

With this capability from Alerts, you can:

• Understand GCP SCC alerts more clearly to speed up triage and response.
• Reduce errors caused by misinterpreting technical alert language.
• Empower less specialized analysts to confidently manage cloud alerts.

Top of page

Enhance Threat Coverage with Migrated Detection Rules

In SIEM, the Detection Library continues to expand, delivering faster and broader threat coverage. This month, seven legacy rules and five third-party source rules have been migrated into the unified library.

With this capability from Intelligence > Detection Rules, you can:

• Detect high-risk activities such as watched or admin-led password resets with new rules.
• View migrated User Behavior Analytics (UBA) rules in a single library.
• Gain faster insights with consistent access to rules.

Upcoming rule retirements:

• Account Received Suspicious Link
• Blacklisted Authentication

Top of page

Explore detections faster with the refreshed MITRE ATT&CK matrix in InsightIDR

We’ve redesigned the MITRE ATT&CK matrix in InsightIDR with a modernized interface and deeper detection insights to help you triage faster and investigate more effectively.

With this update in Detection Rules > MITRE ATT&CK Matrix, you can:

• Use a fully refreshed UI for a more intuitive experience.
• Access a new detailed technique view that includes direct MITRE ATT&CK context for enhanced investigation.
• View enriched detection rule data: See priority level, rule action, and how many times each detection has fired.

Top of page

Administration

Administration focuses on refining platform controls, improving navigation, and enhancing user management. Updates streamline permissions, configurations, and logging, creating a more intuitive and efficient experience for administrators.

• Sync vulnerability updates using ServiceNow’s new Yokohama AI

Sync vulnerability updates using ServiceNow’s new Yokohama AI

In Application Security (InsightAppSec) and Exposure Command, Rapid7’s integrations with ServiceNow ITSM and Application Vulnerability Response (AVR) are now certified on ServiceNow’s Yokohama release. This ensures compatibility and access to new ServiceNow features with no configuration changes required for existing users.

With this capability from ServiceNow’s Appstore, you can:

• Sync vulnerability updates directly to ServiceNow without switching platforms.
• Automatically pull newly discovered vulnerabilities into ServiceNow for streamlined triage.
• Reduce manual data entry and duplication, improving DevOps collaboration.

Top of page

Improvements and Fixes

Keep track of improvements and fixes to core technology.

Application Security (InsightAppSec) and AppSpider

Engine Version: 7.5.021 / Enterprise Version: 3.8.240

Software release date: September 11, 2025 | Release notes published: September 17, 2025

Improved

• R7 Crawler

  • An optional internal proxy was added to improve how headers are handled and to support request blocking and JavaScript injection.
  • Upgraded Playwright and associated Chromium versions.
  • Cleanup of inactive browsers has been improved.
  • Added detection for Drupal versions 10.5.1, 10.5.3, 11.2.1, 11.2.2, 11.2.3, and 11.2.4.
  • Improved Accept header handling.
  • Anti-bot detection was improved by setting browser security headers to match the user-agent.
  • Handling of page loads with a JavaScript redirect has been improved.
  • Enhanced the detection of the prompt phase for JavaScript macros.
  • CPE data was removed due to lack of granularity. analyze.json was updated to add new technologies.

• Scan Engine

  • Added logging to highlight JavaScript Engine misconfiguration during LLM attacking scans.
  • Blind NoSQLi improvements were made to reduce false positives.
  • JSON injection attacks are now limited to JSON content types to help reduce false positives.

• AppSpider Pro UI

  • Scan configuration validation was enhanced to prevent duplicate names and improve directory conflict handling.
  • Improved scan data directory permission policies and validation.

• AppSpider Enterprise

  • A new Critical severity rating is now supported, aligning with the AppSpider engine.
  • The Scan Config was updated to align with the new AppSpider engine release version 7.5.021.
  • Cloud engine provisioning has been removed from the Client setup dialog.

Fixed

• R7 Crawler

  • An issue validating the login URL with postData has been resolved.
  • Low-value events are no longer generated.
  • The startedDateTime field is now preserved to allow traffic logs to report the correct date and time.

• Scan Engine

  • An issue where a chatbot URL matching a seed URL would prevent LLM attacks has been resolved.

• AppSpider Pro UI

  • An issue that prevented some modules from loading in the UI has been resolved.

Top of page

Remediation Hub

You may notice a decrease in your overall Risk Score and Vulnerability Count within Remediation Hub as a result of improvements we’ve made to enhance accuracy and deliver faster loading times. Asset Counts should remain the same or very similar.

Top of page

Cloud Security (InsightCloudSec)

• Version 25.9.9
• Version 25.9.16
• Version 25.9.23

Version 25.9.9

Software release date: September 9, 2025 | Release notes published: September 8, 2025

Improved

• CVA Local Scanner now runs as non-root user.
• CVA Local Scanner: Added SSL_NO_VERIFY flag to skip TLS verification for pulling images.
• Updated Authentication Servers page to use the Modern UI, removes toggle to switch back to old experience.
• Updated LPA Automation Deployment Subscription process to accept a customizable Resource Group name for Event Grid System Topic deployment in Azure Subscription.
• Upgraded all Alicloud Dependencies to the latest version.
• OCI secrets policies were set from read to inspect.
• Added a new Misconfigurations Experience, replacing the Compliance Scorecard. Users can still access the old experience.
  • The Compliance Scorecard Report has been renamed to Misconfiguration Report, featuring improved navigation to Compliance Packs, consistent naming conventions, and tagging for ownership context.
  • Faster performance at scale — optimized response times, even in large environments.
  • Simplified remediation workflows — identify, prioritize, and resolve misconfigurations with fewer steps.
  • Granular exemption filtering — more precise control over compliance exceptions.
  • Unified visibility — view all misconfigurations in one place and pivot seamlessly between compliance and security insights.

Insights

• Added new insight for Recommendation 5.4 CIS AWS End User Compute Services Benchmark 1.2.0:
  • AppStream Fleets with Disconnect Timeout Exceeding 5 Minutes
• Added new insight for Recommendation 5.5 CIS AWS End User Compute Services Benchmark 1.2.0:
  • AppStream Fleets with Idle Disconnect Timeout Exceeding 10 Minutes
• Added new insight for Recommendation 5.6 CIS AWS End User Compute Services Benchmark 1.2.0, CIS Controls V8.1.2:
  • App Stream Fleet Without Default Internet Access
• Added insight App Stream Fleet Maximum Session Duration Greater Than 10 Hours (maps to CIS AWS End User Compute Services Benchmark v1.2 Recommendation 5.3).
• Enhanced Insight and FedRAMP Moderate Controls mapping accuracy.
• AU controls added to FedRAMP Low Baseline.
• Deprecated: Compliance Pack FedRAMP Moderate Controls. Replacement: Compliance Pack FedRAMP Moderate Baseline.

Query Filters

• Added Access Key Authentication Enabled and Microsoft Entra Authentication Enabled to the Properties section of the Resource Type mcinstance.
• Added Shared File System Resource Support for OCI when running Resource Encrypted With Cloud Managed Key Query Filter.
• Added new Query Filter Access List Exposes All Ports to Private IP Range for all cloud types (identifies ICS Access Lists which expose all ports to an IP range that is RFC 1918 or belongs to the Unique Local Address range).
• Added Query Filter Instances Associated With Elastic Kubernetes Service (EKS) to identify AWS instances associated with a parent EKS cluster.
• Added Query Filter for Recommendation 5.4 CIS AWS End User Compute Services Benchmark 1.2.0:
  • AppStream Fleets with Disconnect Timeout Over 5 Minutes
• Added Query Filter for Recommendation 5.5 CIS AWS End User Compute Services Benchmark 1.2.0:
  • AppStream Fleets with Idle Disconnect Timeout Over 10 Minutes
• Added Query Filter: App Stream Fleet Max User Duration Exceeds (AWS) (identifies App Stream Fleets with a max user duration exceeding a specified amount).
• Added new Query Filters for Azure Managed Grafana Services:
  • Managed Grafana Public Network Access Enabled/Disabled
  • Managed Grafana Invalid Diagnostic Logging Configuration
  • Managed Grafana Instance Without Multi-AZ deployment
  • Select Managed Grafana Instance by Major Version
  • Managed Grafana Instance Using/Not Using Deterministic IPs
  • Managed Grafana Instance Allows API Key Creation
• Added a check box for Query Filter: Instance Without Block Project-wide SSH Keys Enabled (Exclude Vertex AI Made Instances).

Fixed

• Fixed a bug where accessing the Insights tab and scoping by Application would incorrectly result in no Insights being returned.
• Fixed issue causing Attack Paths page to occasionally not load properly.
• Fixed incorrect redirect URLs in SAML and Azure Active Directory authentication servers.
• Fixed JSON serialization error for Decimal types in DailyMetricsReporter.
• Improved performance of layered context listing when using the include_insight_ids parameter.
• Removed Azure GOV support for the Network Invalid Diagnostic Logging Configuration Query Filter (configuration cannot be set on this Cloud).
• Removed support for StorageAccounts from the Resource Without Azure Monitor Logging Configured Insight and Resource Without Diagnostic Settings (Azure) Query Filter.
  • Presence of Diagnostic Settings for Storage Accounts is now verified by:
    • Storage Account Blob Service Logging Disabled (Insight)
    • Storage Account Queue Service Logging Disabled (Insight)
    • Storage Account Table Service Logging Disabled (Insight)
    • Storage Account Service Diagnostic Setting Disabled (Query Filter)
• Updated Database Instance Threat Detection Disabled Query Filter to exclude Database Instance engines which cannot have Threat Detection set (eliminates false positives).
• Updated Database Instance Vulnerability Assessment Without Email Notifications To Admins Query Filter to exclude Database Instance engines which cannot have email subscription to admins set (eliminates false positives).
• Updated the Query Filter Access List Contains Public IPs to filter out IPs using the APIPA range (resources flagged incorrectly despite being non-routable).
• Updated Kubernetes Clusters page to support sorting by Harvesting Types (remote and local).
• Made fixes to Instance Confidential Computing Configuration (resources now appear correctly)
• Fixed harvesting of createdAt and updatedAt properties values for Azure Service Bus Namespace,

Version 25.9.16

Software release date: September 16, 2025 | Release notes published: September 15, 2025

Improved

• Enhanced GCP domain delegation handling to prevent cloud account disabling when DomainGroupHarvester encounters invalid credentials, ensuring valid credentials continue to work for other harvesters.
• Added Subscribing status indicator for Automatic LPA deployments in Azure to show when resources are being deployed within the subscription.
• Enhanced network-based public accessibility assessments by including Prefix List addresses used in Security Groups, reducing potential false positives in networking configurations.
• Added support for App Stream Private Image resource with new AppStreamImageHarvester:
  • Supports private images for CIS compliance controls.
  • AWS-managed public images are excluded as they cannot be modified by customers and fall outside security assessment scope.
  • New required permissions: appstream:DescribeImages.
• Added Distributed Table resource support for OCI when running Resource Encrypted With Cloud Managed Key Query Filter.
• Added support for Azure Service Bus Namespace Topic (ICS Name: Message Topic).
• Added Delete Action and Tagging Action capabilities.

Insights

• Added Workspace Directory With Enabled Web Access.
• Added AppStream Fleet Running Image Older Than 30 Days.
• Removed Volume Encrypted using Cloud Managed Key Instead of Customer Managed Key (Deprecating) from all 20 compliance packs it was in. Added **Volume Encrypted using Cloud Managed Key Instead of Customer Managed Key ** instead due to the recent CIS OCI 3.0 audit/compliance pack updates.

Query Filters

• Added Workspace Directory With Enabled Web Access Query Filter.
• Added App Stream Fleet Private Image Creation Date Query Filter.
• Added new Query Filters for Azure Service Bus Namespace Topics:
  • Message Topic Minimum TLS Version
  • Message Topic Type
  • Message Topic Subscription Count Exceeds
  • Message Topic Managed Encryption Key
  • Message Topic Message Count Exceeds
  • Message Topic Enable Batched Operations
  • Message Topic Enable Express
  • Message Topic Enable Partitioning
  • Message Topic Enable Support Ordering
  • Message Topic Required Duplicate Detection

Fixed

• Fixed bug in Resource Listing where editing a query filter in an insight would not always display all filter fields.
• Fixed inconsistency on First Detected Date for CVM Vulnerabilities.
• IaC: Fixed memcache cluster converter [CFT][AWS].
• IaC: Added support for aws_opensearch_domain [TF][AWS].

Version 25.9.23

Software release date: September 23, 2025 | Release notes published: September 22, 2025

Improved

• Release Local CVA Scanner v25.9.15
  • CVA Local Scanner now runs under normal user permissions instead of root access, enhancing security posture.
  • Added new optional environment variable SSL_NO_VERIFY that can be set to "true" to disable SSL verification (SSL verification is enabled by default).
  • Added new optional environment variable SCAN_SCHEDULE to modify scan schedule interval in seconds, allowing customizable scan frequency (default remains 2 hours or 7200 seconds).
    • Example usage: SCAN_SCHEDULE="3600" for hourly scans.
  • CRON_SCHEDULE environment variable is deprecated and will no longer be used for defining scan schedule intervals.
• Enhanced Azure MLWorkspaceHarvester to collect additional information about ML Instances, specifically root user access permissions.
• Updated CIS Kubernetes benchmarks from version 1.10.0 to 1.11.1, providing latest security standards.
• Updated calls to retrieve available S3 buckets for Cloud Storage Subscriptions, improving performance.
• Reduced false positives in Public Accessibility path assessment for Container Deployments and Container Clusters by improving evaluation of Route Table Routes and Web Application Firewall/Security Group/Access List rules.

New Insights

• Ensure that the seccomp-default parameter is set to true - Validates secure computing mode configuration.
• Ensure that the API Server only makes use of Strong Cryptographic Ciphers - Verifies cryptographic security standards.
• Ensure that the service-account-extend-token-expiration parameter is set to false - Controls service account token expiration settings.
• Workspace Directory With Disabled Maintenance Mode - Identifies workspace directories not in maintenance mode.
• App Stream Fleet Not Using VPC - Maps to CIS AWS End User Compute Services Benchmark v1.2 Recommendation 5.1, identifies App Stream Fleets not using a VPC with private subnets (in at least 2 availability zones) and a NAT gateway.

New Query Filters

• Machine Learning Instance Allowing Root Access - Now supports Azure platform.
• Machine Learning Instance Preventing Root Access - Now supports Azure platform.
• Workspace Directory With Disabled Maintenance Mode - Identifies workspace directories with disabled maintenance mode.
• App Stream Fleet Not Using VPC (AWS) - Identifies App Stream Fleets not using a VPC with private subnets (in at least 2 availability zones) and a NAT gateway.

Compliance Packs

• Updated insights content for CIS OCI 3.0 Compliance Pack to reflect current standards and remove outdated content.

Fixed

• Resolved issue within the AWS:InstanceFlavorHarvester where ‘Metal’ RDS Database Instance Class values were causing harvesters to fail.

Top of page

SIEM (InsightIDR)

Release notes published: Sep 15, 2025

Improved:

• SIEM pages have some new icons and descriptions for a more unified user experience across our platform.
• Removed the Google Cloud Platform Security Command Center event source, as its API has been deprecated for new customers. Existing event sources remain supported.

Fixed:

• Resolved some issues within the creation of and editing of event sources:
  • Generic Windows Logs Event Source can now be configured when using the WMI collection method.
  • The roleARN input fields are now available for SQS collection methods in the CloudTrails event source.
  • Missing collection method descriptions have been added.

Top of page

Vulnerability Management (InsightVM)

• 8.22.0
• 8.21.0
• 8.20.0
• 8.19.1

Version 8.22.0

Software release date: Sep 24, 2025 | Release notes published: Sep 22, 2025

Improved:

• A new background maintenance task has been introduced to remove unused (orphan) asset data from the Security Console, helping to reduce database size and improve performance over time.

• Enhanced the handling of WMI (Windows Management Instrumentation) service checks during scans. The application now verifies that WMI is correctly configured and operational before use, potentially reducing scan durations where WMI was previously failing.

• Optimised default HTTP connection timeout between the Scan Engine and scanned assets. This allows the scanner to fail faster when services are unreachable, improving scan reliability and user experience.

• Initiated optimization of the GET /vulnerabilities endpoint in the V3 API to improve performance and response times during high-volume queries.

• Enhanced logging for SMTP scan alerts, now providing clearer information when scans stop or fail, helping administrators respond more quickly to scan issues.

Fixed:

• Fixed an issue where Discovery Connection configurations were not functioning correctly in the new navigation UI.

• Fixed an issue in the “Start New Scan” dialog where special characters were not rendering correctly.

• Fixed an issue that impacted the accuracy of SUSE Linux Enterprise Server 15 version detection. The system now reliably identifies the correct version using the appropriate OS metadata.

Version 8.21.0

Software release date: Sep 17, 2025 | Release notes published: Sep 16, 2025

Improved:

• SUSE Linux Enterprise Server 15 support. The Rapid7 Security Console can now be hosted on SUSE Linux Enterprise Server 15, expanding supported operating systems and deployment flexibility.
• The Console v3 API documentation has been updated to the OpenAPI v3.1.0 specification. API documentation is available at: /api/3/html, /api/3/json, and newly added /api/3/yaml. You can also access this via Help > API Documentation from within the security console.
• Improved the accuracy of Asset search results in Global Search when using wildcard or exact phrase queries, specifically for IPv4 addresses and hostnames.

Fixed:

• Fixed an issue where non-admin users received an incorrect response code when attempting to create a Discovery Connection resource via API.
• Resolved multiple user interface issues to improve clarity and accessibility. These included fixes for inaccurate notification count in the notification center, proper display and accessibility of the Insight Platform login banner, and correct rendering of special characters in site names.
• Resolved an issue to ensure error messaging is displayed if user deletion fails to complete successfully.
• Fixed a defect where long custom tags caused styling issues in the dropdown menu on the Site Details page.
• The delete tag function has been restricted to ensure that only users with global manage tag permissions can delete tags across Sites and Asset Groups.

Version 8.20.0

Software release date: Sep 09, 2025 | Release notes published: Sep 09, 2025

Fixed:

• Implemented a fix to improved scan reliability when analyzing WAR file contents.

• Resolved an issue preventing redirect to the reset password page during required password changes at login.

• Corrected a CPE reference in the CIS Microsoft Windows Server 2016 STIG policy to ensure accurate policy mapping.

• Fixed check logic for Rule 18.9.25.3 in the CIS Windows Server 2022 v3.0.0 benchmark.

Version 8.19.1

Software release date: Sep 01, 2025 | Release notes published: Sep 04, 2025

Fixed:

• Resolved an issue introduced in version 8.19.0 that impacted navigation during platform user creation. Navigation now behaves as expected.

• Fixed an issue affecting the scan duration timeout limit, ensuring that scans do not run beyond acceptable thresholds.

Top of page

Nexpose

• 8.22.0
• 8.21.0
• 8.20.0
• 8.19.1

Version 8.22.0

Software release date: Sep 24, 2025 | Release notes published: Sep 22, 2025

Improved:

• A new background maintenance task has been introduced to remove unused (orphan) asset data from the Security Console, helping to reduce database size and improve performance over time.

• Enhanced the handling of WMI (Windows Management Instrumentation) service checks during scans. The application now verifies that WMI is correctly configured and operational before use, potentially reducing scan durations where WMI was previously failing.

• Optimised default HTTP connection timeout between the Scan Engine and scanned assets. This allows the scanner to fail faster when services are unreachable, improving scan reliability and user experience.

• Initiated optimization of the GET /vulnerabilities endpoint in the V3 API to improve performance and response times during high-volume queries.

• Enhanced logging for SMTP scan alerts, now providing clearer information when scans stop or fail, helping administrators respond more quickly to scan issues.

Fixed:

• Fixed an issue in the “Start New Scan” dialog where special characters were not rendering correctly.

• Fixed an issue that impacted the accuracy of SUSE Linux Enterprise Server 15 version detection. The system now reliably identifies the correct version using the appropriate OS metadata.

Version 8.21.0

Software release date: Sep 17, 2025 | Release notes published: Sep 16, 2025

Improved:

• SUSE Linux Enterprise Server 15 support. The Rapid7 Security Console can now be hosted on SUSE Linux Enterprise Server 15, expanding supported operating systems and deployment flexibility.
• The Console v3 API documentation has been updated to the OpenAPI v3.1.0 specification. API documentation is available at: /api/3/html, /api/3/json, and newly added /api/3/yaml. You can also access this via Help > API Documentation from within the security console.
• Improved the accuracy of Asset search results in Global Search when using wildcard or exact phrase queries, specifically for IPv4 addresses and hostnames.

Fixed:

• Fixed an issue where non-admin users received an incorrect response code when attempting to create a Discovery Connection resource via API.
• Resolved multiple user interface issues to improve clarity and accessibility. These included fixes for inaccurate notification count in the notification center, proper display and accessibility of the Insight Platform login banner, and correct rendering of special characters in site names.
• Resolved an issue to ensure error messaging is displayed if user deletion fails to complete successfully.
• Fixed a defect where long custom tags caused styling issues in the dropdown menu on the Site Details page.
• The delete tag function has been restricted to ensure that only users with global manage tag permissions can delete tags across Sites and Asset Groups.

Version 8.20.0

Software release date: Sep 09, 2025 | Release notes published: Sep 09, 2025

Fixed:

• Implemented a fix to improved scan reliability when analyzing WAR file contents.

• Resolved an issue preventing redirect to the reset password page during required password changes at login.

• Corrected a CPE reference in the CIS Microsoft Windows Server 2016 STIG policy to ensure accurate policy mapping.

• Fixed check logic for Rule 18.9.25.3 in the CIS Windows Server 2022 v3.0.0 benchmark.

Version 8.19.1

Software release date: Sep 01, 2025 | Release notes published: Sep 04, 2025

Fixed:

• Fixed an issue affecting the scan duration timeout limit, ensuring that scans do not run beyond acceptable thresholds.

Top of page

Digital Risk Protection (Threat Command)

No updates released at this time.

Top of page

Rapid7 Agent

Version 4.0.19.57

Software release date: Sep 18, 2025 | Release notes published: Sep 18, 2025

Fixed:

• To avoid potential exposure of sensitive information, the URLs within agent proxy errors are now sanitized when written to the agent.log file.
• We fixed a bug that caused the asset info job to incorrectly identify physical Windows endpoints as UNKNOWN instead of PHYSICAL.
• We improved registry parsing logic in winreg mode to dynamically enumerate all ControlSets and collect the ProductOptions keys from each. The ProductOptions keys contain details of the Windows OS installation that are required to successfully complete assessments.
• We fixed a bug that caused the Insight Agent’s diagnostic test to fail and exit when checking valid URLs.

Top of page

Next-Generation Antivirus (NGAV)

• Version 1.4

Version 1.4 (NGAV)

Software release period: Aug 25, 2025 - Sep 12, 2025 | Release notes published: Sep 5, 2025

New:

• View Protected Registry Paths in Alert Payloads: For alerts triggered by rules related to suspicious registry access, the payload now includes a forensic field named protectedRegistry, which shows the protected registry path the process attempted to access. This visibility enhances threat investigation and response by providing deeper context into potentially malicious behavior.

  • Appears in: SIEM (InsightIDR) > Alerts

• Service Naming Updates: Renamed “Rapid7 Endpoint Prevention” to “Rapid7 Endpoint Service” for the Next-Generation Antivirus service description. This change improves clarity and reflects broader endpoint protection capabilities.

Fixed:

• Addressed rare cases where the Driver could cause Blue Screen of Death (BSOD).
• Resolved an issue where there could be 2 installed versions of NGAV appearing in the * Windows add/removed program list.
• Fixed a performance issue with the Driver that could cause high CPU consumption.
• Fixed an issue that prevented Docker from running on Windows and could cause unexpected application crashing.

Top of page

Ransomware Prevention

• Version 1.4

Version 1.4

Software release period: Aug 25, 2025 - Sep 12, 2025 | Release notes published: Sep 5, 2025

New:

• View Protected Registry Paths in Alert Payloads: For alerts triggered by rules related to suspicious registry access, the payload now includes a forensic field named protectedRegistry, which shows the protected registry path the process attempted to access. This visibility enhances threat investigation and response by providing deeper context into potentially malicious behavior.

  • Appears in: SIEM (InsightIDR) > Alerts

• Service Naming Updates: Renamed “Rapid7 Endpoint Prevention” to “Rapid7 Endpoint Service” for the Ransomware Prevention service description. This change improves clarity and reflects broader endpoint protection capabilities.

Fixed:

• Addressed rare cases where the Driver could cause Blue Screen of Death (BSOD).
• Resolved an issue where there could be 2 installed versions of NGAV appearing in the * Windows add/removed program list.
• Fixed a performance issue with the Driver that could cause high CPU consumption.
• Fixed an issue that prevented Docker from running on Windows and could cause unexpected application crashing.

Top of page

Velociraptor

Rapid7 Velociraptor Client Version 0.74.4.4

Software release date: Sep 17, 2025 | Release notes published: Sep 17, 2025

Note: Assets will only update automatically to the latest Rapid7 Velociraptor version if Insight Platform-managed updates are enabled. For more information, read managed agent updates documentation .

Fixed

The Rapid7 Velociraptor client component has been updated to the Open Source 0.74.4 release, which addresses the following:

• Improved reliability of the Linux eBPF module.
• Correctly signed WinPmem module, ensuring it runs as expected.

Rapid7 Velociraptor Server Version 0.74.4.7

Software release date: Sep 17, 2025 | Release notes published: Sep 17, 2025

Fixed

• The Downloads Password field in User Preferences will no longer reset unexpectedly.
• If your Platform account has access to multiple Rapid7 Velociraptor organizations, the Downloads Password is now consistently applied to your user preferences across all organizations within the same data region.

Top of page