Release notes

- Version: 6.4.0
- Build number: 13918
- Release date: 2025-08-21 (general availability)
- Server version: nanitor-6.4.0.13918-17166-master
- Agent version: nanitor-6.4.0.13918-17166-master
- Collector version: nanitor-6.4.0.13918-17166-master
Welcome to Nanitor v6.4.0!
This release is packed with major enhancements focused on smarter vulnerability prioritization, streamlined management for multi-organization and MSP environments, and powerful customization options.
With the integration of CVSSv4, we're bringing you the next generation of vulnerability scoring for more accurate risk assessment. For our MSSP partners, we're rolling out powerful features like inherited benchmark baselines and centralized label management to simplify operations across multiple clients. Plus, new customization options like the Issue Tracker widget on the Global Dashboard and advanced report filtering give you more control over how you view and share your security data.
Highlights
Stay Ahead of Threats with CVSSv4 Support

Nanitor now fully integrates the Common Vulnerability Scoring System version 4.0 (CVSSv4), the latest industry standard for assessing the severity of security vulnerabilities. This update provides a more granular and context-aware approach to risk prioritization.
How CVSSv4 Provides Smarter Prioritization
While previous CVSS versions consolidated a vulnerability's potential damage into a single impact score, CVSSv4 provides a more multi-faceted view. It adds new, critical aspects to the assessment, giving our prioritization engine a much richer and more intelligent starting point for calculating a vulnerability's true severity.
Key improvements that enhance Nanitor's severity scoring include:
- Distinguishing the "Blast Radius": The most significant improvement is that CVSSv4 separately scores the direct impact on the vulnerable system and the potential downstream impact on subsequent systems. This allows Nanitor to more accurately model the severity of a vulnerability that can be used to pivot and compromise other critical parts of your network.
- Richer Context on Inherent Difficulty: New metrics like Attack Requirements (AT) provide crucial context on the inherent difficulty of an exploit. This helps our algorithm differentiate between a vulnerability that is severe in any environment versus one that is only severe if the target system is in a rare, non-default configuration.
In Nanitor, these improvements result in a more accurate Severity score for each vulnerability. This refined score serves as a stronger foundation for our overall prioritization algorithm, which combines this potential impact with real-world exploitability data (from EPSS and CISA KEV lists) and the business criticality of your assets.
Key benefits
- Context-Aware Prioritization: Go beyond technical severity to focus on vulnerabilities that pose the most realistic and immediate threat.
- Future-Proof: By adopting the latest standard, Nanitor ensures you're aligned with the future of vulnerability management.
- Seamless Integration: Nanitor automatically prefers and displays CVSSv4 data, ensuring you're always working with the best information available.
A Note on Data Availability: CVSSv4 is a new standard, and its adoption across the industry is ongoing. Currently, our primary source for CVSSv4 data is the National Vulnerability Database (NVD). You will still see many vulnerabilities with only a CVSSv3 score, as this data is often published more quickly by vendors and other sources.
Nanitor will automatically upgrade a vulnerability's score from CVSSv3 to the more detailed CVSSv4 as soon as that data becomes available from our feeds.
How to use it
This enhancement is integrated directly into Nanitor's vulnerability management workflow.
- Navigate to the Vulnerability Detail or Issue Detail page for any vulnerability.
- If CVSSv4 data is available, it will be displayed as the primary score and vector, clearly labeled as "CVSS v4.0".
- If not available, Nanitor will continue to show the CVSSv3 information as before, with the system poised to update it automatically in the future.
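An added example, not Nanitor's code, showing the two behaviours described above: a v4-first selection rule that falls back to the CVSSv3 vector when no well-formed v4 data exists, and a summary of the v4-only context (subsequent-system impact, Attack Requirements) that a prioritization engine can consume. The vector formats follow the public CVSS specifications; the summary shape is a hypothetical one.

```python
# Added example (not Nanitor's code): parse CVSS v3.x/v4.0 vectors, apply a
# "prefer v4, fall back to v3" rule, and surface the two v4 aspects above.
# Allowed values for the base metrics of each version (from the CVSS specs).
V4_BASE = {"AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
           "VC": "HLN", "VI": "HLN", "VA": "HLN", "SC": "HLN", "SI": "HLN", "SA": "HLN"}
V3_BASE = {"AV": "NALP", "AC": "LH", "PR": "NLH", "UI": "NR", "S": "UC",
           "C": "HLN", "I": "HLN", "A": "HLN"}
RANK = {"N": 0, "L": 1, "H": 2}  # impact ordering: None < Low < High


def parse_vector(vector):
    """Return {"version": ..., "metrics": {...}}; raise ValueError if malformed."""
    head, *parts = vector.split("/")
    if not head.startswith("CVSS:"):
        raise ValueError("missing CVSS: prefix")
    version = head[5:]
    schema = {"4.0": V4_BASE, "3.1": V3_BASE, "3.0": V3_BASE}.get(version)
    if schema is None:
        raise ValueError(f"unsupported CVSS version {version!r}")
    metrics = {}
    for part in parts:
        key, sep, value = part.partition(":")
        if not sep or (key in schema and value not in schema[key]):
            raise ValueError(f"bad metric {part!r}")  # base metrics are validated
        metrics[key] = value  # threat/environmental metrics pass through unchecked
    missing = [k for k in schema if k not in metrics]
    if missing:
        raise ValueError(f"missing base metrics {missing}")
    return {"version": version, "metrics": metrics}


def pick_vector(v3, v4):
    """Prefer a well-formed v4 vector; otherwise fall back to v3 (or None)."""
    for candidate in (v4, v3):
        try:
            parse_vector(candidate or "")
            return candidate
        except ValueError:
            continue  # skip a missing or malformed feed entry rather than trust it
    return None


def v4_context(vector):
    """Hypothetical summary of the v4-only context a prioritization engine can use."""
    m = parse_vector(vector)["metrics"]
    if "SC" not in m:  # only v4 carries subsequent-system metrics
        raise ValueError("needs a CVSS v4.0 vector")
    return {
        "vulnerable_impact": max(RANK[m[k]] for k in ("VC", "VI", "VA")),
        "subsequent_impact": max(RANK[m[k]] for k in ("SC", "SI", "SA")),
        "needs_special_conditions": m["AT"] == "P",
    }
```

A finding with a non-zero subsequent_impact is the "blast radius" case the notes describe, while needs_special_conditions marks a vector that is only severe in a non-default configuration.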
Inherited Benchmark Baselines for MSSPs
Define once, enforce everywhere: A game-changer for managing client security posture.

For Managed Service Providers, manually configuring and maintaining consistent security baselines across dozens of clients is a major operational challenge. It's time-consuming, prone to human error, and makes standardization difficult.
This release introduces Inherited Baselines, a powerful feature designed to eliminate this repetitive work and enforce a gold standard of security across your entire client base.
Key benefits
- Eliminate Repetitive Work: Define your hardening standards once in the parent organization and deploy them instantly and automatically across all selected clients. No more per-customer setup.
- Guarantee Consistency: Child organizations inherit baselines in a read-only state, preventing configuration drift and ensuring every client adheres to your proven security standard.
- Streamline Client Onboarding: Onboard new clients in minutes. Simply create them as a suborganization, and they will automatically inherit your established, best-practice baselines.
How to use it
- As a parent organization admin, navigate to a child organization's settings page via Organization Management.
- Select the specific sub-organization you want to update.
- In that organization's settings, find and check the box for Use parent baseline.
Important Consideration for Existing Organizations: Enabling this feature will permanently replace the organization's current, locally-configured baselines with those inherited from the parent. This action may cause your compliance scores to change, and new issues may be created or existing ones resolved. The previous baseline configuration is not automatically saved, so we recommend reviewing your current setup before making this change.
Note on Default Behavior: For all new sub-organizations you create, this feature will be enabled by default. For your existing sub-organizations, it will be disabled by default to preserve their current settings.

Customizable Issue Tracker on the Global Dashboard

You can now create a truly custom view of your security landscape by pinning your saved issue filters directly onto the Global Dashboard. The new Issue Tracker widget lets you monitor the specific slices of data that are most important to your operations, with live counts and drill-down capabilities.
Key benefits
- Tailored Monitoring: Create widgets to track critical vulnerabilities on production servers, newly discovered issues, or any other custom query you can build with saved filters.
- At-a-Glance Insight: Choose between a simple Count mode for a high-level number or a Breakdown mode to see issues distributed across your top organizations.
- Instant Drill-Down: Click on any widget to jump directly to the Issue List, pre-filtered with the exact query from your widget for immediate investigation.
How to use it
- From the Global Overview dashboard, click the + Add widget button.
- In the modal, select a Saved Issue Filter from your list.
- Choose the display Mode (Count or Breakdown).
- Click Add Widget to pin it to your dashboard. You can add multiple widgets and arrange them as you like.

Centralized Label Management for MSSPs
For parent organizations, managing labels across a hierarchy of child organizations can lead to inconsistencies and duplication. We've introduced a new interface to help you spot, merge, and promote labels, bringing order to your tagging strategy.
This gives you two powerful workflows for standardizing labels: merging duplicates into a single parent label, and promoting a useful label from one child so it can be used everywhere.

Key benefits
- Spot Duplicates Instantly: Parent labels that also exist in child organizations are now flagged with a "Duplicate" badge.
- Merge with Confidence: Consolidate duplicate labels from child organizations into a single, authoritative parent label.
- Promote Best Practices: Elevate a useful, child-only label to the parent level, making it inheritable and part of your standardized set.
How to use it
First, you must be in a parent organization. Navigate to Organization Management → Labels and Labeling Rules and check the Include child labels box. This is essential to see all manageable labels from your sub-organizations.
1. To Merge Duplicate Labels: Look for a label with a "Duplicate" badge (e.g., 'macOS'). This indicates the same label name exists in the parent and at least one child. Use the action menu (...) and select Merge duplicate label. A confirmation dialog will appear, allowing you to merge the child label into the parent.

2. To Promote a Child-Only Label: Identify a label that exists only in a sub-organization (e.g., 'Linux'). Use the action menu (...) and select Promote label. This will make the label available to the entire parent organization and all of its child organizations, ensuring a consistent tag can be used everywhere.

Improvements
- New Microsoft 365 Foundations Benchmark: We've released a comprehensive new benchmark for securing your Microsoft 365 environment, based on CIS guidelines. This first revision automates 11 critical security controls, with more checks planned for future releases, and it replaces the older, more limited Office 365 benchmark.
  - Prerequisites: To use this benchmark, a Windows-based collector with the Microsoft.Graph PowerShell module installed is required.
- Advanced Reporting with Saved Filters: Scheduled reports can now be filtered using your saved Asset and Issue filters, allowing for highly targeted and relevant automated reporting.
- Filter and Label by Empty Custom Fields: You can now create automated labeling rules and filters for assets where a custom field is empty, making it easier to track data completeness and enforce asset information policies.
- GHSA Advisories in Vulnerability Details: GitHub Security Advisory (GHSA) information is now displayed for relevant vulnerabilities, providing richer context, especially for software package vulnerabilities.
- Full Installation Path in Vulnerability Forensics: Vulnerability forensics now include the full installation path of the affected software, helping you quickly locate specific vulnerable instances on a device.
- Export Affected Identities to CSV: From any issue's "Identities" tab, you can now export the list of affected user accounts to a CSV file for offline analysis or reporting.
- Improved Multi-Org Navigation: The header now features an organization context dropdown that shows your current organization, its parent, and your role. This makes it much easier for MSP users to navigate complex organization hierarchies.
- Enhanced macOS Software Inventory: The Nanitor Agent now collects software information from the /Library directory on macOS devices, providing a more complete and accurate software inventory.
- OS Icons in Asset Views: Asset lists and detail pages now display icons for the operating system (Windows, Linux, macOS, etc.), making it easier to identify assets at a glance.
- Nanitor Scanner Updates: We've made minor improvements to the standalone nanitor-scanner, including better network interface detection and more intuitive command-line arguments.
- Performance and Stability: Multiple backend and database query optimizations have been implemented to improve overall application performance, especially during data-intensive operations like software inventory updates and check-ins.
Bug Fixes
- Corrected an issue where SAML users created via an invitation link were not automatically activated upon their first login.
- Resolved an issue where users were unable to remove scope restrictions from other users in User Management.
- Addressed an issue where users with limited scope could sometimes see issues that were no longer relevant to their assigned labels.
- Corrected a calculation error that could cause the Health Score Impact for some issues to display as -0%.
- Fixed a bug where the "New vulnerabilities checks" widget on the Known Vulnerabilities dashboard displayed inconsistent historical data.
- Ensured the Global Overview dashboard no longer displays a health score for organizations that have no active assets.
- Fixed a UI display issue where the profile information dropdown for system administrators was cropped.
- Optimized the Windows agent's vulnerability scanner to prevent brief CPU spikes and ensure it operates within our strict performance standards.
Known Limitations & Practical Information
In the spirit of transparency, this section lists known limitations and other practical information we are aware of in this release. Some of these items describe the current behavior of the system, while others are planned to be addressed in a future update. We recommend reviewing this list before filing a support ticket, though we are always happy to assist if you encounter any related problems.
One-Time Spike in Feeds Overview - "New Vulnerability Checks" Chart After Upgrade
- Description: To fix a bug where historical data for new vulnerability checks (Known Vulnerabilities - Feeds Overview) was inconsistent, we have changed how this data is timestamped. The upgrade to v6.4.0 will backfill a creation date for all existing vulnerability checks.
- Impact: All historical vulnerability checks that existed prior to the upgrade will be timestamped with the date and time of the v6.4.0 upgrade. This will cause a large, one-time spike on the "New Vulnerabilities Checks" widget on the day of the upgrade.
- Status: This is a necessary, one-time effect of the data migration. The chart will begin to build accurate historical data from the day of the upgrade forward.
Performance Considerations for Large Environments
- Description: Some new features in this release, like the Global Dashboard widgets and Inherited Baselines, perform complex calculations across many assets and organizations.
- Impact: For users managing a very large number of organizations, dashboard widgets may take a few moments to load. Similarly, enabling Inherited Baselines on an organization with many thousands of assets may take a short time to apply fully.
- Status: We are continuously working on performance optimizations for large-scale deployments.
Thank you for using Nanitor! For more in-depth documentation, check out the Nanitor User Guide or visit our Knowledgebase.