
Release notes

  • Version: 6.7.0
  • Build number: 14310
  • Release date: 2025-12-11 (general availability)
  • Server version: nanitor-6.7.0.14310-17412-master
  • Agent version: nanitor-6.7.0.14310-17412-master
  • Collector version: nanitor-6.7.0.14310-17412-master

Welcome to Nanitor v6.7.0! 🚀

This release delivers highly requested flexibility and precision to your daily operations. We have introduced Advanced Labeling Rules with "OR" logic to simplify asset organization, redesigned Patch Insights to match official Microsoft advisories, and refined our Linux vulnerability detection to eliminate false positives from system packages.

Additionally, our AI Remediation capabilities have been upgraded with context-aware profiles and automated link verification, ensuring the advice you receive is tailored to your specific environment and tools.


Highlights


AI Remediation Insights: Context & Verification

AI Remediation Insights showing profile selector dropdown with macOS/Jamf, Linux/Ansible, and Windows/Intune options
Select from saved profiles to get remediation steps tailored to your environment and tools.

We have enhanced the AI Remediation engine to provide safer, more relevant guidance.

  • Context Profiles: You can now save reusable profiles describing your environment, tools, and constraints (e.g., "RHEL 8/9 servers managed via Ansible Tower. SELinux enforcing, no direct root access - use sudo."). The AI will incorporate this context into its instructions, ensuring the remediation steps fit your actual workflows rather than providing generic advice.
  • Verified Links: All URLs generated by the AI are now automatically validated against a live check before being presented to you. This ensures you don't waste time clicking on broken or hallucinated links.
  • Upgraded AI Model: We have upgraded to GPT-5.1, which delivers faster response times and improved output quality. If you have feedback on the AI-generated remediation advice, please let us know—your input helps us continue to refine the results.

Windows Patch Insights

Available Patches tab grouping updates by specific OS version
Patches are now grouped by specific OS build with clear "Top Match" recommendations.

We have redesigned the Available Patches view to mirror MSRC advisories, giving you a trustworthy source of truth for Windows updates.

  • Precision Grouping: Patches are now intelligently grouped by the specific OS build (e.g., Windows 11 24H2 vs. 23H2), ensuring you only see updates relevant to your exact version.
  • Smart Prioritization: The system identifies a "Top Match" based on supersedence and patch type, helping you distinguish between critical security hotpatches and standard cumulative updates.

Python Accuracy Refinement

We have significantly improved our detection logic for Python packages on Linux to eliminate false positives and duplicate entries.

The Nanitor Agent now checks package metadata to correctly distinguish between:

  1. System-managed packages (installed via apt, yum, rpm, etc.), which are patched by your OS vendor and tracked via OVAL feeds.
  2. User-installed packages (installed via pip), which are tracked via the PyPI/GHSA feeds.

This distinction ensures that a system package with a backported fix is no longer flagged as vulnerable simply because its version number looks lower than the upstream PyPI version.
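One way a metadata check of this kind can work, as an added example that is not Nanitor's agent code: it reads the `INSTALLER` file in each package's `.dist-info` directory and routes the package to a feed. The feed names, the OS marker values (`rpm`, `debian`) and the sample packages are assumptions constructed for illustration.

```python
import tempfile
from importlib.metadata import distributions
from pathlib import Path

# pip records "pip" in the INSTALLER file of each package it installs.
# The OS-side marker values below are assumptions about distro tooling.
OS_INSTALLERS = {"rpm", "debian"}

def feed_for(dist):
    """Pick the advisory feed a package should be matched against."""
    installer = (dist.read_text("INSTALLER") or "").strip().lower()
    if installer == "pip":
        return "pypi-ghsa"   # upstream version comparison is meaningful
    if installer in OS_INSTALLERS:
        return "os-oval"     # vendor may backport fixes; use the OS feed
    return "unknown"         # no marker: confirm file ownership with dpkg -S / rpm -qf

def route_packages(site_dir):
    """Map each distribution found in site_dir to (version, feed)."""
    return {
        d.metadata["Name"]: (d.version, feed_for(d))
        for d in distributions(path=[str(site_dir)])
    }

def build_sample(root):
    """Constructed sample: three .dist-info directories, not real host data."""
    for name, version, installer in [
        ("requests", "2.25.1", "rpm"),   # system package, possibly backported
        ("urllib3", "1.26.5", "pip"),    # user-installed from PyPI
        ("six", "1.16.0", None),         # no INSTALLER marker at all
    ]:
        info = Path(root) / f"{name}-{version}.dist-info"
        info.mkdir(parents=True)
        (info / "METADATA").write_text(
            f"Metadata-Version: 2.1\nName: {name}\nVersion: {version}\n")
        if installer:
            (info / "INSTALLER").write_text(installer + "\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for name, (version, feed) in sorted(route_packages(tmp).items()):
            print(f"{name} {version} -> {feed}")
```

Packages that land in `unknown` are the ones to resolve before matching against any feed, since comparing them to upstream PyPI versions is what produces the backport false positives described above.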


Advanced Labeling Logic: "OR" Conditions

Label rule builder showing multiple values in a single condition group
Easily group values within a single rule (e.g., Department is Sales OR Finance).

We have removed the strict "AND" limitation on device labeling rules, addressing a long-standing request from many customers.

  • OR Logic Support: You can now add multiple values to a single condition type within a rule. For example, you can create a single rule for: Department is “Sales” OR “Marketing”.
  • Checkbox Support: Labeling rules now support Checkbox custom fields, allowing you to trigger labels based on whether a specific box is Checked or Unchecked.
  • Simplified Management: This allows you to consolidate complex logic into fewer, easier-to-manage rules.

Benchmarks & Feed Updates

Benchmark updates ship separately via the compliance feed, typically within a few days of the product release. Once available, the Nanitor server fetches them automatically - no manual action required.

Windows Server 2022 Benchmark v4.0.0

Updated the CIS Microsoft Windows Server 2022 Benchmark to version 4.0.0. This update aligns Nanitor with the latest CIS recommendations for Windows Server 2022 environments.


Windows Server 2025 Benchmark Fixes

Fixed several rules in the CIS Microsoft Windows Server 2025 Benchmark that were not evaluating correctly:

  • 2.2.27 "Deny log on through Remote Desktop Services" now correctly validates GPO settings.
  • 2.2.25 "Deny log on locally" properly recognizes configured policies.
  • 2.2.22 "Deny access to this computer from the network" accurately evaluates group membership.
  • 1.1.2 "Maximum password age" correctly handles configured values.

Windows 11 Intune Benchmark Fix

Resolved a false positive in the Windows 11 Intune Managed benchmark where the rule "Ensure 'Password Age Days' is set to 'Configured: 30 or fewer'" was not recognizing the default value as compliant.


Windows 11 Enterprise Benchmark v4.0.0 (Expected)

An update to the CIS Microsoft Windows 11 Enterprise Benchmark to version 4.0.0 is expected to ship via the feed shortly after this release. This update aligns Nanitor with the latest CIS recommendations and includes revised rule prioritization. Agents will pick up the new revision automatically once available.


Bug Fixes

  • Security: Cross-Organization Data Isolation. Fixed a high-severity issue where filtering assets on an issue detail view could inadvertently display assets from unrelated organizations in multi-tenant environments.

  • Windows Server 2025 Asset Counts. Fixed an issue where Windows Server 2025 devices were correctly labeled but not reflected in the total asset counts on the Settings page.

  • Device Issue Counts. Corrected logic where devices from other organizations were sometimes included in issue counts if they shared the same Issue ID.

  • Configuration Trend Graphs. Fixed an issue where archived assets were still counting towards totals in configuration trend graphs, preventing them from reaching zero.

  • Label Filtering. Fixed a bug where applying filters while "Include child labels" was enabled would return incorrect results.

  • SCAP Missing Objects. Fixed a bug where empty SCAP payloads could be processed, leading to "Missing objects" errors in forensics and zero scores.

  • Benchmark Project Assignment. Fixed a UI bug that prevented assigning a benchmark issue to a Project directly from the benchmark page.

  • False Positive: Debian ptrace_scope. Fixed a false positive in the CIS Debian 12 benchmark where the rule "Ensure ptrace_scope is restricted" only accepted level 1, but level 2 (more restrictive) is also valid.

  • Windows Version Detection. Addressed an issue where the scanner could fail to read version information from certain Windows executables, causing false positive vulnerability alerts.

  • Global Overview Widget. Fixed a 500 error that occurred when loading a custom widget on the Global Overview page if the filter returned no results.

  • User Notification Relevance. The notification center now correctly filters out messages related to archived organizations or deleted topics.

  • Public API Stability. Fixed 500 errors in the Public API related to missing grouping fields in severity calculations.

  • API Documentation (Swagger). Fixed an issue where the API documentation viewer failed to load due to a broken external CDN reference.


Known Limitations & Practical Information

Benchmark Updates May Affect Compliance Scores

  • Description: Major benchmark updates in this release include revised CIS recommendations and updated Nanitor severity ratings and baseline priorities. We regularly review these to better reflect real-world security impact.
  • Impact: Some organizations may see reduced compliance scores following these updates. This does not reflect a change in your environment—your systems remain the same. Rather, the bar for compliance has been raised.
  • Recommended actions:
    • Address new findings promptly: Review and remediate newly surfaced issues to align with the updated guidance.
    • Adjust your baseline: Temporarily remove affected rules from your baseline while you plan a systematic remediation approach.
  • Status: If you have questions or need assistance managing the transition, please contact Nanitor Support.

Thank you for using Nanitor! For more in-depth documentation, visit the Nanitor User Guide or our Knowledgebase.