Release notes

  • Version: 6.9.0
  • Build number: 14508
  • Release date: 2026-02-16 (general availability)
  • Server version: nanitor-6.9.0.14508-17509-master
  • Agent version: nanitor-6.9.0.14508-17509-master
  • Collector version: nanitor-6.9.0.14508-17509-master

Welcome to Nanitor v6.9.0!

This release brings major enhancements to remediation workflows with AI-Powered Root Cause Analysis and improved Windows patch recommendations. Root Cause Analysis helps you understand why an issue exists, while the new Top Patch Match and Reboot Required columns on the Assets tab show you exactly which KB to deploy and whether a reboot is all that's needed.

We have also improved alert notifications with per-occurrence triggers and device-level filtering, refined data accuracy across CSV and PDF exports, and ensured that the Nanitor Server, Agent, and Collector operate correctly on hardened Linux systems where /tmp is mounted with noexec.


Highlights


AI Root Cause Analysis (RCA)

[Screenshot: AI Root Cause Analysis panel in the Issue Detail view, showing the summary, source class, and technical explanation.]
Understand the "Why" behind every issue with instant, AI-driven analysis.

When a vulnerability or misconfiguration is reported, teams can see what is wrong — but determining why often requires manual investigation across CVE descriptions, installed software, and device forensics. This is further complicated when official vulnerability descriptions do not match the installed software evidence on the device, especially when vulnerable dependency components affect multiple applications. Nanitor v6.9.0 introduces AI Root Cause Analysis, integrated directly into the Issue Detail view, to eliminate this manual research.

  • Automatic Analysis: When you open an Issue Detail page, Nanitor's AI automatically analyzes the issue forensics, asset context, and vulnerability data to produce a clear, plain-language explanation of the root cause. No buttons to click — the analysis begins automatically in the background and is typically ready within 30 seconds. You can navigate away and return later; the result will be waiting for you.

  • Vulnerable Component & Remediation Target: For vulnerabilities, the AI distinguishes between the vulnerable component (the specific technical flaw) and the remediation target (the actual software you need to patch). For example, a CVE may describe a flaw in Python's tarfile module, but if that runtime is bundled inside Oracle Database 21c, the remediation target is Oracle, not a standalone Python update. Similarly, a Windows CVE might target the Print Spooler service rather than "Windows" generically. This distinction eliminates a common source of confusion when triaging vulnerabilities.

  • Source Classification: Each analysis classifies the issue source into one of five categories — Operating System, Application, Middleware, Driver, or Unknown — to help route remediation to the correct team. For example, Windows components like Codecs or Wordpad are correctly classified as "Operating System" (patched via Windows Update), while software like Chrome or Adobe is classified as "Application" (patched via vendor installer).

  • Cached Results: Once an analysis is generated, it is persisted so that subsequent visits to the same issue load instantly without re-running the AI query.

[Screenshot: AI Root Cause Analysis for a Windows PowerShell vulnerability, showing the Operating System classification and a Windows Server remediation target.]
Windows example: RCA identifies the vulnerable PowerShell component and targets the correct Windows Server cumulative update.

Actionable Patch Intelligence

[Screenshot: Assets tab on the Issue Detail page, showing the Top Patch Match and Reboot Required columns.]
See the exact patch and reboot status for every Windows asset on the Assets tab.

The "Available Patches" feature has been overhauled to provide definitive, asset-specific remediation guidance for Windows vulnerabilities, powered by Microsoft's MSRC patch database. Previously, patch recommendations could be generic or mismatched — for example, listing Windows 10 patches for a Windows Server 2012 asset. Nanitor now analyzes MSRC data, OS build numbers, and patch supersedence chains to recommend the single most effective KB for each individual asset.

  • Top Patch Match: The Assets tab on the Issue Detail page now includes a "Top Patch Match" column showing exactly which KB article to deploy for each affected Windows asset. Patches are ranked by type (hotpatch, cumulative, security-only, etc.) and the best match is displayed as a link to the KB article. Hovering over the info icon reveals the patch type, whether the patch itself requires a restart, and the target build number. This eliminates the need to manually cross-reference with MSRC.

  • Reboot Required: A new "Reboot Required" column on the same Assets tab shows whether each Windows device is waiting for a reboot to complete a previous update. The agent checks Windows Update, Component-Based Servicing (CBS), and Session Manager registry states. Assets that need a reboot display "Pending", those that do not show "No", and non-Windows devices show "N/A". This helps identify assets that appear vulnerable simply because a reboot has not been completed, preventing wasted investigation time on already-patched systems. Both columns appear automatically when at least one Windows asset in the list has reported its reboot status. If you do not see these columns, ensure that the affected Windows devices have been upgraded to the v6.9.0 agent and have completed at least one check-in.

  • Clear Empty States: When the Available Patches tab is empty, the system now explains why — distinguishing between "System is up to date" (verified against MSRC data), "No patch data available" (unsupported vendor or platform), and "Unsupported platform" (e.g., non-Windows). This eliminates false confidence from ambiguous empty lists.


Improvements

  • Alert Notifications: Per-Occurrence Triggers. Alert notifications now support a new "Alert on every occurrence" option — when enabled, notifications trigger on every occurrence of an issue, not just the first detection. Previously, only the initial detection generated an alert, meaning repeated occurrences (e.g., the same vulnerability appearing on additional devices) went unnotified. The option is off by default, preserving the existing behavior. Additionally, the "Device" issue type has been added as a selectable trigger category, enabling specific filtering on device problems such as "Rogue device detected". This makes it possible to receive an alert each time a new rogue device appears on the network.

  • Health Reports: Configurable Introduction Text. Administrators can now toggle the standard introductory text on or off in PDF Health Reports. This setting is available globally under System Management > Branding and can be overridden per export or per scheduled report rule. This allows partners and internal teams to produce more concise reports without repetitive boilerplate text.

  • Project View: Asset Progress Column. The Project list now features an "Asset Progress" column displaying a completion ratio (e.g., "5/10") — showing how many assets have been resolved versus the total number of affected assets. The column links directly to the Assets tab on the Project detail page. For onboarding projects, it displays the fraction of onboarded assets versus the asset goal.

  • Hardened System Support (TMPDIR). The Nanitor Server, Agent, and Collector now respect the TMPDIR environment variable and otherwise default to dedicated private temporary directories (/opt/nanitor-*/var/tmp) created with 0700 permissions. This resolves failures on hardened Linux systems where /tmp is mounted with noexec. If you set TMPDIR explicitly, point it at a filesystem that is not mounted noexec, or the original failure will recur. Nanitor's own temporary files older than 30 days are automatically cleaned up from these directories.

  • Legacy EKS Scanning Removal. Removed the legacy Trivy-based AWS EKS scanning code from the collector. This feature has been fully replaced by the API-driven Kubernetes scanning model introduced in v6.8.0. Customers still using collector-based EKS scanning should migrate to the new approach — see the v6.8.0 release notes for migration guidance.

  • Active Directory User Sync. Fixed multiple issues in the AD user discovery pipeline that could cause user attribute changes to fail to sync to Nanitor. For example, disabling reversible password encryption for a user in Active Directory was not reflected in the console even after multiple sync cycles. The fix addresses both agent-side and server-side issues, including a bug where the "last modified" timestamp on AD user records was not being updated, causing the system to miss attribute changes on subsequent sync cycles. Agent diagnostics now also produce additional AD sync diagnostics files to help troubleshoot such issues.

  • Software Vulnerability Inventory. Fixed synchronization issues in the software vulnerability inventory. Previously, a vulnerability could be open as an issue on an asset yet not be listed under the affected software found on that asset, while in other cases vulnerabilities were counted against software that was not actually present on the organization's assets. Software vulnerability counts are now more accurate across the system.


Benchmarks & Feed Updates

Benchmark updates ship separately via the compliance feed and are fetched automatically by the Nanitor server — no manual action required.

For current status and details on benchmark updates, see the Benchmark Changelog.


Bug Fixes

  • Issue List Export: CSV. The CSV export on the Issues page has been rebuilt to match what is shown in the UI, including columns that were previously missing: Health Score Impact, Remediation Value, EPSS Score, Benchmark Group/Section, GHSA ID, hostnames, and IP addresses.

  • Issue List Export: PDF. Fixed an issue where PDF reports exported from the Issues page showed inflated issue counts compared to the UI. The queries were not correctly excluding resolved, excluded, and archived items, causing counts to differ — in some cases significantly — from what the UI displayed.

  • Software Vulnerability Counts. Improved the accuracy of vulnerability counts across the Software inventory — vendor, title, and version pages. Counts could be inconsistent due to how software items were linked and filtered, particularly in multi-organization environments. Vulnerability counts are now consistent across all Software inventory views and correctly reflect only the issues visible to your organization.

  • False Positive: Removed Linux Packages. Fixed a false positive where the Linux agent reported packages that had been removed but still had residual configuration files (dpkg "rc" state) as installed. This could produce false positives for any vulnerability associated with those packages, for example CVE-2024-12085. The agent now reports only fully installed packages.

  • False Positive: PasswordNeverExpires. Fixed an issue where the Linux Identity check for PasswordNeverExpires was evaluating the wrong password attribute — reading the account expiration date instead of the max password age — causing users with valid password aging policies to be incorrectly flagged.

  • False Negative: Missed Vulnerability Detection. Fixed an issue in the vulnerability assessment engine where certain checks were not being evaluated correctly, preventing detection of specific vulnerabilities — including Mongobleed (CVE-2025-14847) — in affected environments.

  • Asset Management: Restore Archived Devices. The "Restore asset" action is now correctly available for manually archived (decommissioned) devices. Previously, the action was hidden even for users with the correct permissions, making it impossible to undo an accidental archive without administrator intervention. The option is only unavailable when an asset has been transferred to a different organization.

  • Software Inventory: Duplicate Entries. Fixed an issue where the same software item could appear twice in the Software inventory. Each software entry now appears once, regardless of how it was detected.

  • Benchmarks: Exchange Server SE. Fixed an issue where the Windows agent could fail to return benchmark results when processing Exchange Server SE assignments. The agent now handles cases where optional benchmark metadata is not present.

  • Custom Widgets: Affected Assets Count. Fixed incorrect "Affected Assets" counts in custom issue tracker widgets. The widget query was not applying device-level filters (such as label scope), resulting in inflated counts.

  • Project Completion: Performance. Fixed an issue where project completion metrics could be recalculated unnecessarily, slowing down background processing.


Agent Updates

The following agent changes are included in this release:

Linux Agent

  • The Identity check for PasswordNeverExpires now correctly evaluates the max password age instead of the account expiration date. Diagnostics output now includes the max password age value for easy verification.
  • Vulnerability detection now correctly excludes packages in rc (removed, config-files remaining) dpkg state. Only packages that are fully installed are reported, eliminating false positives from previously removed packages.
  • The agent, server, and collector now use dedicated private temporary directories under /opt/nanitor-*/var/tmp instead of the system /tmp. This enables operation on hardened systems where /tmp is mounted with noexec. Nanitor's own temporary files older than 30 days are automatically cleaned up from these directories.
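The rc-state fix above (also described under Bug Fixes) comes down to reading dpkg's three-part status field rather than the mere presence of a package record. The following is an added example, not Nanitor's agent code, that parses dpkg-query output and separates fully installed packages from removed-with-config leftovers. The sample output is constructed; the live query helper only runs where dpkg-query exists.

```python
"""Separate fully installed dpkg packages from 'rc' leftovers (added example, not Nanitor code)."""
from __future__ import annotations

import shutil
import subprocess
from dataclasses import dataclass

# dpkg's two-letter abbreviations, as printed in the first column of 'dpkg -l'.
_WANT = {"unknown": "u", "install": "i", "hold": "h", "deinstall": "r", "purge": "p"}
_STATE = {
    "not-installed": "n", "config-files": "c", "half-installed": "H", "unpacked": "U",
    "half-configured": "F", "triggers-awaiting": "W", "triggers-pending": "t", "installed": "i",
}

# Constructed sample in the format produced by
#   dpkg-query -W -f='${Package}\t${Version}\t${Status}\n'
SAMPLE_DPKG_QUERY = (
    "rsync\t3.2.7-1\tinstall ok installed\n"
    "openssh-server\t1:9.2p1-2\tinstall ok installed\n"
    "libfoo1\t1.0-1\tdeinstall ok config-files\n"      # removed, config files kept: 'rc'
    "bar-tools\t2.3-4\tinstall ok half-installed\n"    # interrupted install: 'iH'
)


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    want: str    # desired action recorded by dpkg
    flag: str    # 'ok' or 'reinstreq'
    state: str   # actual on-disk state

    @property
    def abbrev(self) -> str:
        return _WANT.get(self.want, "?") + _STATE.get(self.state, "?")

    @property
    def fully_installed(self) -> bool:
        # Only 'installed' means the package files are on disk and configured.
        # 'config-files' (rc) means the binaries are gone, so no vulnerability applies.
        return self.state == "installed"


def parse_dpkg_query(text: str) -> list[Package]:
    """Parse tab-separated dpkg-query output into Package records."""
    packages = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, version, status = line.split("\t", 2)
        want, flag, state = status.split()
        packages.append(Package(name, version, want, flag, state))
    return packages


def installed_packages(packages: list[Package]) -> list[Package]:
    return [p for p in packages if p.fully_installed]


def removed_with_config(packages: list[Package]) -> list[Package]:
    """Packages a naive inventory would wrongly treat as present."""
    return [p for p in packages if p.state == "config-files"]


def live_dpkg_query() -> str | None:
    """Run the same query on the local host; returns None on non-dpkg systems."""
    if shutil.which("dpkg-query") is None:
        return None
    fmt = "${Package}\t${Version}\t${Status}\n"
    out = subprocess.run(["dpkg-query", "-W", "-f=" + fmt],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    pkgs = parse_dpkg_query(live_dpkg_query() or SAMPLE_DPKG_QUERY)
    for p in pkgs:
        if not p.fully_installed:
            print(f"{p.abbrev}  {p.name} {p.version}  (excluded from vulnerability matching)")
```

On a real host the script lists every package that is present in the dpkg database but not fully installed; anything it prints is a package the agent will no longer match vulnerabilities against.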
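The PasswordNeverExpires fix above (also listed under Bug Fixes) hinges on which shadow(5) field is read: the maximum password age and the account expiration date sit three fields apart and mean different things. This added example, not Nanitor's agent code, parses constructed /etc/shadow lines, applies the corrected check, and keeps a reconstruction of the described mistake beside it to show which users it misflagged. The reconstruction of the old logic is an assumption based on the notes, not the agent's actual code.

```python
"""Evaluate 'password never expires' from /etc/shadow (added example, not Nanitor code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# shadow(5) fields: login:password:lastchg:min:max:warn:inactive:expire:reserved
# Field 5 (max) is the maximum password age in days; field 8 (expire) is the
# account expiration date in days since 1970-01-01. They are unrelated.
MAX_AGE_NEVER = 99999   # the value useradd/chage write for "no maximum age"

# Constructed sample (hashes are placeholders).
SAMPLE_SHADOW = (
    "root:*:19700:0:99999:7:::\n"
    "alice:$6$salt$hash:19700:1:90:14:::\n"       # 90-day aging, no account expiry
    "bob:$6$salt$hash:19700:0:60:7::20000:\n"     # 60-day aging, account expires day 20000
    "svc:!:19700:0::::\n"                         # empty max: password never expires
)


@dataclass(frozen=True)
class ShadowEntry:
    login: str
    last_change: int | None
    min_days: int | None
    max_days: int | None
    warn_days: int | None
    inactive_days: int | None
    expire_day: int | None


def _opt_int(field: str) -> int | None:
    return int(field) if field.strip() else None


def parse_shadow(text: str) -> list[ShadowEntry]:
    """Parse shadow lines; empty numeric fields become None."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"malformed shadow line for {f[0]!r}")
        entries.append(ShadowEntry(f[0], *(_opt_int(x) for x in f[2:8])))
    return entries


def password_never_expires(e: ShadowEntry) -> bool:
    """Corrected check: the max-age field is absent or holds the 'never' sentinel."""
    return e.max_days is None or e.max_days >= MAX_AGE_NEVER


def account_expiration(e: ShadowEntry) -> date | None:
    """The field the old check read by mistake; it concerns the account, not the password."""
    return None if e.expire_day is None else date(1970, 1, 1) + timedelta(days=e.expire_day)


def pre_fix_check(e: ShadowEntry) -> bool:
    """Assumed reconstruction of the described bug: treating a missing account
    expiration date as 'password never expires'."""
    return e.expire_day is None


def compare(entries: list[ShadowEntry]) -> dict[str, tuple[bool, bool]]:
    """login -> (corrected verdict, pre-fix verdict), to spot the false positives."""
    return {e.login: (password_never_expires(e), pre_fix_check(e)) for e in entries}


if __name__ == "__main__":
    for login, (fixed, old) in compare(parse_shadow(SAMPLE_SHADOW)).items():
        note = "  <- false positive before the fix" if old and not fixed else ""
        print(f"{login:8} never_expires={fixed!s:5} pre_fix={old!s:5}{note}")
```

Run against the real file with `parse_shadow(open("/etc/shadow").read())` as root; any login where the two verdicts differ is one the previous agent flagged for the wrong reason.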

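The temporary-directory change above (detailed under Improvements) is easy to verify from the outside: find which mount a candidate directory resolves to, look for noexec in that mount's options, and confirm the private directory really comes out 0700. This added example, not Nanitor's code, does that against a constructed /proc/mounts excerpt and against the live host. The resolution order (TMPDIR first, then the private directory) and the concrete path /opt/nanitor-agent/var/tmp are assumptions made for the example; the notes only give the pattern /opt/nanitor-*/var/tmp.

```python
"""Check where a temp directory lives and whether its mount is noexec (added example, not Nanitor code)."""
from __future__ import annotations

import os
import stat
import subprocess
import tempfile

# Assumed private directory for the agent; the notes give the pattern /opt/nanitor-*/var/tmp.
PRIVATE_TMPDIR = "/opt/nanitor-agent/var/tmp"

# Constructed /proc/mounts excerpt: a hardened host with noexec /tmp.
SAMPLE_PROC_MOUNTS = (
    "/dev/mapper/vg-root / ext4 rw,relatime 0 0\n"
    "tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0\n"
    "/dev/mapper/vg-opt /opt ext4 rw,relatime 0 0\n"
)


def parse_mounts(text: str) -> list[tuple[str, frozenset[str]]]:
    """Return (mountpoint, options) pairs; /proc/mounts escapes spaces in paths as \\040."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mountpoint = parts[1].encode("ascii").decode("unicode_escape")
        mounts.append((mountpoint, frozenset(parts[3].split(","))))
    return mounts


def mount_for(path: str, mounts: list[tuple[str, frozenset[str]]]) -> tuple[str, frozenset[str]] | None:
    """Longest-prefix match of path against mountpoints, which is how the kernel resolves it."""
    path = os.path.normpath(path)
    best = None
    for mountpoint, opts in mounts:
        prefix = mountpoint.rstrip("/") + "/"
        if path == mountpoint or path.startswith(prefix):
            if best is None or len(mountpoint) > len(best[0]):
                best = (mountpoint, opts)
    return best


def is_noexec(path: str, mounts) -> bool:
    m = mount_for(path, mounts)
    return m is not None and "noexec" in m[1]


def resolve_tmpdir(env: dict, mounts) -> tuple[str, bool]:
    """Assumed resolution order: an explicit TMPDIR wins, otherwise the private directory.
    Returns the chosen path and whether it sits on a noexec mount."""
    chosen = env.get("TMPDIR") or PRIVATE_TMPDIR
    return chosen, is_noexec(chosen, mounts)


def ensure_private_dir(path: str) -> bool:
    """Create the directory 0700 (mode is re-applied if it already existed) and verify it."""
    os.makedirs(path, mode=0o700, exist_ok=True)
    os.chmod(path, 0o700)
    st = os.stat(path)
    return stat.S_ISDIR(st.st_mode) and stat.S_IMODE(st.st_mode) == 0o700 and st.st_uid == os.geteuid()


def exec_probe(directory: str) -> bool:
    """Empirical check: can a script written into this directory actually run?
    On a noexec mount execve fails with EACCES even though the file is mode 0700."""
    fd, script = tempfile.mkstemp(prefix="execprobe-", suffix=".sh", dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(script, 0o700)
        try:
            return subprocess.run([script], check=False).returncode == 0
        except PermissionError:
            return False
    finally:
        os.unlink(script)


def self_check_private_dir() -> bool:
    """Create a throwaway directory under the system temp dir and confirm it comes out 0700."""
    d = tempfile.mkdtemp(prefix="nanitor-tmp-example-")
    try:
        return ensure_private_dir(d)
    finally:
        os.rmdir(d)


if __name__ == "__main__":
    with open("/proc/mounts") as fh:
        live = parse_mounts(fh.read())
    chosen, noexec = resolve_tmpdir(dict(os.environ), live)
    print(f"tmpdir={chosen} mount={mount_for(chosen, live)} noexec={noexec}")
    if os.path.isdir(chosen):
        print("exec probe:", "ok" if exec_probe(chosen) else "blocked")
```

The exec probe is the decisive test: a directory can look fine by mode bits and still refuse to run anything, which is exactly the failure the release fixes.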
Windows Agent

  • The agent now detects and reports reboot-pending status by checking Windows Update, Component-Based Servicing (CBS), and Session Manager registry states. This powers the "Reboot Required" column on the Assets tab of the Issue Detail page.
  • Improved stability for benchmark processing — the agent now handles Exchange Server SE benchmark assignments where optional metadata is not present.
  • Active Directory user discovery has been improved with more reliable state tracking across sync cycles. Changes to user attributes (such as disabling reversible encryption) are now consistently detected and synced. Enhanced diagnostics output is available for troubleshooting sync issues.
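The reboot-pending detection above, and the "Reboot Required" column it feeds (see Actionable Patch Intelligence), rests on three registry indicators. The following is an added example, not Nanitor's agent code, that evaluates them from a snapshot so the logic can be exercised off-box, and reads the live values on a Windows host. The notes name only the three sources; the exact key paths below are the commonly documented ones and are an assumption of this example.

```python
"""Evaluate the three reboot-pending indicators the agent checks (added example, not Nanitor code)."""
from __future__ import annotations

import sys
from dataclasses import dataclass, field

# Assumed key paths (commonly documented), not taken from the release notes.
WU_REBOOT_REQUIRED = r"SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired"
CBS_REBOOT_PENDING = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending"
SESSION_MANAGER = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_FILE_RENAMES = "PendingFileRenameOperations"


@dataclass
class RegistrySnapshot:
    """HKLM subkeys that exist, and (subkey, value name) -> data; captured live or constructed."""
    keys: set[str] = field(default_factory=set)
    values: dict[tuple[str, str], object] = field(default_factory=dict)


def evaluate(snapshot: RegistrySnapshot) -> tuple[str, list[str]]:
    """Return ("Pending" | "No", reasons) so the decision is testable offline."""
    reasons = []
    if WU_REBOOT_REQUIRED in snapshot.keys:
        reasons.append("Windows Update: RebootRequired key present")
    if CBS_REBOOT_PENDING in snapshot.keys:
        reasons.append("CBS: RebootPending key present")
    renames = snapshot.values.get((SESSION_MANAGER, PENDING_FILE_RENAMES)) or []
    # REG_MULTI_SZ of source/destination pairs; an empty destination means "delete on boot".
    # Installers of any kind set this value, so it is the noisiest of the three signals.
    paths = [p for p in renames if p]
    if paths:
        reasons.append(f"Session Manager: {len(paths)} path(s) in PendingFileRenameOperations")
    return ("Pending" if reasons else "No"), reasons


def reboot_status(snapshot: RegistrySnapshot | None = None,
                  platform: str = sys.platform) -> tuple[str, list[str]]:
    """Mirror the column semantics: N/A off Windows, otherwise Pending or No."""
    if not platform.startswith("win"):
        return "N/A", []
    if snapshot is None:
        snapshot = read_live_snapshot()
    return evaluate(snapshot)


def read_live_snapshot() -> RegistrySnapshot:
    """Read the indicators from HKLM on the local Windows host (imports winreg lazily)."""
    import winreg  # only available on Windows

    access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY  # avoid WOW64 redirection from 32-bit Python
    snap = RegistrySnapshot()
    for subkey in (WU_REBOOT_REQUIRED, CBS_REBOOT_PENDING):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey, 0, access):
                snap.keys.add(subkey)
        except FileNotFoundError:
            pass
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER, 0, access) as k:
            data, _kind = winreg.QueryValueEx(k, PENDING_FILE_RENAMES)
            snap.values[(SESSION_MANAGER, PENDING_FILE_RENAMES)] = data
    except FileNotFoundError:
        pass  # key or value absent: no pending renames
    return snap


if __name__ == "__main__":
    status, why = reboot_status()
    print(status, *why, sep="\n  ")
```

Run it on a host whose column reads "Pending" to see which of the three sources is responsible; a Session Manager-only hit after a software install, rather than a patch, is the usual reason a device shows Pending without any Windows Update involvement.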

Collector

  • The legacy Trivy-based EKS vulnerability scanning code has been removed. This feature has been fully replaced by the API-driven Kubernetes scanning model introduced in v6.8.0. Customers still using the old collector-based approach should migrate — see the v6.8.0 release notes for guidance.

Thank you for using Nanitor! For more in-depth documentation, visit the Nanitor User Guide or our Knowledgebase.