14 Nov 2025

Acunetix Premium - v25.11​

Improvements​

• Added support for tracking session tokens in URL Parameters in DAST scans
• Updated LSR to use configured custom cookies
• Added support for Custom Namespaces in WSDL specifications
• Improved support for web applications that return 429 responses during the DAST scan
• Improved processing of Path Fragments discovered by Deepscan
• Improved handling of sitemaps
• Upgraded Python to v3.13.6
• Upgraded to PostgreSQL 17.6 for Acunetix on-premises

Resolved issues​

• Fixed false positives from "PII without authentication" scripts
• API documentation is now properly reachable in the most recent on-premise version

Update

Improvement​

• Improved accuracy in identifying ELMAH error log endpoints for ASP.NET

Fix​

• Resolved an issue where attaching the same target with a different port returned “Host already attached”

Update

v25.5.2-09 Jul 2025​

Security checks​

• Added a new security check for Weak ViewState Key
• Added a new check to detect PAN-OS XSS (CVE-2025-0133)
• Added a new check to detect Citrix NetScaler Memory Disclosure (CitrixBleed 2) (CVE-2025-5777)
• Upgraded Vulnerability Database (VDB) version to 20250708

Improvements​

• Updated Open Redirect to increase coverage

Update
22 Apr 2025

New security checks​

• Added a check for CrushFTP Authentication Bypass (CVE-2025-31161)
• Added a check for Ingress-Nginx "IngressNightmare" RCE (CVE-2025-1974)
• Added a check for Vite Arbitrary File Read (CVE-2025-30208, CVE-2025-31125)
• Added a check for Kentico Staging API Auth Bypass

Improvements​

• Updated Node to version 20
• Updated OpenSSL to version 3.4.1
• Added an option to expose OpenSSL functions to sign or validate JWT tokens
• Added an option to disable the DAST scanner from exposing secrets
• Engine now uses Chromium 135.0.7049.41/52 for scanning

Update
v25.1.2 - 17 Feb 2025
Improvements
Moved a number of SQL Server Vulnerabilities to Technologies

New Features​

• API Discovery now supports retrieving OpenAPI/Swagger specs from Azure API Management → Learn more
• Added support for automated use of OTP in scans, enabling seamless scanning of 2FA-enabled web applications → Learn more
• API Discovery now supports working with RAML specs from Mulesoft Anypoint Exchange

Improvements​

• Added the latest checks for outdated technology versions
• Optimised various Directory tests to make less HTTP requests
• DeepScan update which improves scan coverage and consistency
• Minor UI improvements across the app
• Removed redundant configuration option in API Discovery integration with Amazon API Gateway

Fixes​

• Fixed a single occurrence edge case when a scan was crashing
• Fixed incorrectly reporting Application Build in RuntimeSCA reports

API Changes​

• Corrected the baseURL for EU customers in our API documentation

Acunetix Premium - v24.8​

NEW FEATURES​

• Added support for Apache Tomcat 11 in JAVA IAST sensor
• RAML API specs can now be uploaded to extend the coverage of API scanning → Learn more
• Implemented support for scanning HTTP/2 websites
• Runtime SCA findings are now available on the Scan Details page (Acunetix Online only, On-Premises coming soon)
• A new scan report for SCA is now available → Learn more

NEW SECURITY CHECKS​

• Next.js image Blind SSRF
• SolarWinds Web Help Desk RCE (CVE-2024-28986)
• Apache HTTP Server Confusion Attacks (CVE-2024-38472, CVE-2024-39573, CVE-2024-38477, CVE-2024-38476, CVE-2024-38475, CVE-2024-38474, CVE-2024-38473, CVE-2023-38709)
• Jelly Template Injection Vulnerability in ServiceNow UI Macros (CVE-2024-4879, CVE-2024-5217)
• SuiteCRM SQL Injection (CVE-2024-36412)
• Odoo XSS (CVE-2023-1434)
• Mura/Masa CMS JSON API RCE
• Lucee CF_CLIENT_ RCE
• Lucee Stacktrace Information Disclosure
• Lucee Unset Admin Password
• Updated WordPress plugins vulnerabilities database
• GeoServer RCE (CVE-2024-36401)

IMPROVEMENTS​

• Minor cosmetic UI/UX issues have been addressed across the app
• Updated list of exposed web installers reported
• The Scan Details screen for reviewing scan results has been modernized and upgraded
• Improved testing of path fragments
• The agent status now shows 'Unknown' instead of 'Error' when the agent hasn't shared its status for some time
• API Discovery: Added the ability to start scans directly from the list of discovered and linked APIs
• API Discovery: Added functionality to change the base URL of an already linked API
• Updated scanner to handle security definitions within Swagger

FIXES​

• Updated the scanner to use default scan speed settings when scan speed settings are missing
• Fixed a false positive in the detection of Possible Virtual Host Found
• Fixed a false positive in the detection of CVE-2024-6387

Update

Update

Update (Windows + Linux)