
Cortex® Xpanse™ Release Notes

docs.paloaltonetworks.com
Contact Informaon
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentaon


• For the most recent version of this guide or for access to related documentaon, visit the Technical
Documentaon portal docs.paloaltonetworks.com.
• To search for a specific topic, go to our search page docs.paloaltonetworks.com/search.html.
• Have feedback or quesons for us? Leave a comment on any page in the portal, or write to us at
documentaon@paloaltonetworks.com.

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2021-2022 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at
www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be
trademarks of their respective companies.

Last Revised
October 31, 2022

Cortex® Xpanse™ Release Notes 2 ©2022 Palo Alto Networks, Inc.


Table of Contents

Expander Release Information
  Features Introduced in 2022
    Features Released in September 2022
    Features Released in August 2022
    Features Released in July 2022
    Features Released in May 2022
    Features Released in April 2022
    Features Released in March 2022
    Features Released in February 2022
    Features Released in January 2022
  Features Introduced in 2021
    Features Released in December 2021
    Features Released in November 2021
    Features Released in October 2021
    Features Released in September 2021
    Features Released in August 2021
    Features Released in July 2021
    Features Released in June 2021
    Features Released in May 2021
    Features Releases in April 2021
    Features Released in March 2021
    Features Released in February 2021
    Features Released in January 2021

Assess Release Information
  Features Released in September 2022
  Features Released in August 2022
  Features Released in July 2022
  Features Released in April 2022
  Features Released in March 2022

New Issue Policies
  New Policies in October 2022
  New Policies in September 2022
  New Policies in August 2022
  New Policies in July 2022
  New Policies in June 2022
  New Policies in May 2022
  New Policies in April 2022
  New Policies in March 2022
  New Policies in February 2022
  New Policies in January 2022


Expander Release Informaon
Cortex® Xpanse™ is a cloud-based subscripon, which provides a complete
and accurate inventory of an organizaon’s global internet-facing assets and
misconfiguraons to connuously discover, evaluate, and migate an external aack
surface without the need for any installaon/agents.
The following topics describe the new features and enhancements introduced in
Cortex® Xpanse™ Expander by month and year.

> Features Introduced in 2022


> Features Introduced in 2021

For addional informaon on how to use new features, refer to the Cortex Xpanse
Expander User Guide.


Features Introduced in 2022


The following topics describe the Cortex® Xpanse™ Expander features introduced in 2022.
• Features Released in September 2022
• Features Released in August 2022
• Features Released in July 2022
• Features Released in May 2022
• Features Released in April 2022
• Features Released in March 2022
• Features Released in February 2022
• Features Released in January 2022

Features Released in September 2022


The following table describes the Cortex® Xpanse™ Expander features and enhancements
released in September 2022.
For the list of new issue policies, see New Issue Policies.

Feature Descripon

Issue Discovery Path Issue Discovery Path is a new piece of


informaon that appears on issue details pages
in Expander. Issue Discovery Path explains how
an issue was discovered and how it relates to
other enes such as your assets and services.

Features Released in August 2022


The following table describes the Cortex® Xpanse™ Expander features and enhancements
released in August 2022.
For the list of new issue policies, see New Issue Policies. For the Cortex Xpanse Assess Release
Notes, see Assess Release Information.

Feature Descripon

Responsive IP asset type added to Asset Responsive IPs have been added as an asset
Inventory type in the Asset Inventory. Responsive IPs are
dynamically created when Xpanse detects a
responsive service running on an IP address
associated with one of your organizaon's IP
Ranges. Responsive IPs are linked to these IP
Ranges and inherit details from their associated
range, such as registraon details and any
assigned tags. Responsive IPs become inacve

Cortex® Xpanse™ Release Notes 6 ©2022 Palo Alto Networks, Inc.


Expander Release Informaon

Feature Descripon
30 days aer all related services become
inacve.

Features Released in July 2022


The following table describes the Cortex® Xpanse™ Expander features and enhancements
released in July 2022.
For the list of new issue policies, see New Issue Policies. For the Cortex Xpanse Assess Release
Notes, see Assess Release Information.

Feature Descripon

Asset Inventory View The new Asset Inventory view displays a


comprehensive list of your assets along with
key data about each asset, enabling you to
search, sort, and filter your enre asset list
from one interface. The Inventory can be found
on the Assets tab in Cortex Xpanse Assess.
The asset type list view pages (IP Ranges,
Cerficates, Domains, etc.) are sll available
and can now be sorted and filtered on the
issues and services associated with an asset.
For more informaon, see Assets in the Cortex
Xpanse Expander User Guide.

Assets v3 API The new Assets v3 API supports all asset


types currently in Xpanse (IP Ranges, Domains,
Cerficates, Cloud Resources, Networks, and
Devices) and will be extended to support
any new types of assets added in the future.
The Assets v3 API exposes all asset types
through a common interface with a generic
model, reducing fricon for developing against
mulple asset types. Assets v3 endpoints can
be idenfied by the path prefix “api/v3/assets”.
The Assets v2 API is not affected. For more
informaon see Expander APIs.

Remediaon Guidance The Remediaon Guidance feature


provides a set of high-level, aconable
steps recommended by Cortex Xpanse for
remediang an issue. Remediaon Guidance
includes insights around the risk of exposing
the service or applicaon, whether that risk is
acceptable or not, what steps should be taken
to take the service off the internet or what to
do when that acon is not possible, and, when

Cortex® Xpanse™ Release Notes 7 ©2022 Palo Alto Networks, Inc.


Expander Release Informaon

Feature Descripon
available, links to Palo Alto Networks Unit 42
research on that issue.
Remediaon guidance can be found in the How
to Remediate secon of the issue details page
in Expander.
Note that not all issues have remediaon
guidance yet. Cortex Xpanse will connue to
add remediaon guidance for more issues in
future releases.

Features Released in May 2022


The table below describes the Cortex® Xpanse™ Expander features and enhancements
introduced in May 2022.
For the list of new issue policies, see New Issue Policies. For the Cortex Xpanse Assess Release
Notes, see Assess Release Information.

Feature Descripon

Improved heuriscs for discovering services We improved the logic for loading issues
and assets produced by integraons and services on assets collected through
our integraons to reduce instances of false
posives.

Expander ITSM v3.0 for SNOW The Expander integraon for ServiceNow
enables you to create Incidents based on issue
updates in Expander, so you can quickly track,
assign, and remediate risky assets or services
that are exposed to the public Internet.
This integeraon provides the ability to modify
Incident severity based on issue update type
or cricality and the ability to customize which
issue update types create Incidents within
ServiceNow.
What’s new in this release?
• Support for the latest version of SNOW
Plaorm - San Diego, Rome, Quebec
• Client Credenal support

Features Released in April 2022


The following table describes the new features in Cortex® Xpanse™ April 2022 releases.

Feature: Attack Surface Management for Remote Workers Enhancements
Description:
• The Map widget on the Remote Attack Surface dashboard now supports clickthrough actions to navigate to the Attack Surface Networks or Devices pages.
• The ASM for Remote Workers integration now supports Prisma Access and GlobalProtect as data sources for collecting information on remote workers.

Feature: Inferred CVEs
Description: The Inferred CVE Enhancement functionality is now available for all users. This allows users to see any potentially applicable inferred CVEs in the Services Details View, or to search the product by CVE-ID (CVE-YYYY-XXXXX) to find any potentially affected assets. Note that this functionality does not confirm the presence or absence of a CVE. For more information about the Inferred CVE enhancement, see Inferred CVEs.

Feature: Other Enhancements
Description: The number of recent IPs returned with the certificates list API was increased to 10,000 from 100.

Feature: New Issue Policies
Description:
• Insecure Apache Web Server Update—This policy now detects CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, and CVE-2022-23943.
• Django Admin Page
• Kaspersky Security Center
• SSL/TLS RSA_EXPORT Ciphers Vulnerable to FREAK
• SSL/TLS CBC Ciphers Enabled
• Unraid Network Attached Storage
• Jamf Pro
• VMware Spring Framework
• Advantech HMI
• MiniOrange SSO
• ThinkPHP
• Microsoft RDP Web Client

Features Released in March 2022


The following table describes the new features in Cortex® Xpanse™ March 2022 releases.

Feature Descripon

Aack Surface Management for Remote The Aack Surface Management for Remote
Workers Workers feature has been expanded to support
GlobalProtect™ as a data source. This API
integraon between Cortex Xpanse and
GlobalProtect enables you to idenfy and alert
on security issues on remote worker systems
and network environments. See Remote Aack
Surface Overview for more informaon.

Home Page Dashboard PDF Report The Cortex Xpanse Home Page Dashboard can
now be exported as a PDF report. Any sengs
or filters that are set on the home page will be
represented in the PDF.

Remote Aack Surface Workforce Devices The Remote Aack Surface Workforce Devices
search improvement content search was updated to allow searching
using internal IP addresses.

Service Details page improvements • A map view has been added to the service
details page.
• Associated Network informaon has been
updated to include findings related to the
Cortex XDR integraon.

Asset Search Improvements New search facets were added to all of the
asset list views in Expander to guide users in
their searches for asset informaon. The search
field will dynamically update and suggest which
field should be filtered on based on the value.

Update to definion of Acve status Due to some inconsistencies in the way that
dashboards have been reporng, we have
updated the definion of an Acve asset
to mean "has a service". This change will be
reflected across dashboards that filter on
Status.

New Issue Policies • Okta SSO


• APC Smart-UPS
• Insecure SolarWinds Orion Plaorm policy
has been updated to mark versions 2020.2.6
or earlier as vulnerable

Cortex® Xpanse™ Release Notes 10 ©2022 Palo Alto Networks, Inc.


Expander Release Informaon

Feature Descripon
• Microso OWA policy has been updated to
idenfy numbers
• Puppet Infrastructure
• MongoDB Mongo-Express
• Services Hosted in Adversary Country policy
updated to include On Prem assets only
• HashiCorp Vault
• OpenVMS Operang System
• Gitea
• IBM Planning Analycs
• Apache Shiro
• ForgeRock Access Management (AM) Server
• Github Enterprise
• Argo CD
• SAP NetWeaver Applicaon Server—This
policy was updated to enable version
numbers to be extracted under certain
circumstances.
• Zoho ManageEngine ADManager
• Insecure Cisco Small Business RV Series
Router—This policy was updated to detect
CVE-2019-1653.
• NetGear ProSafe—NetGear ProSafe under
Soware idenfied in BOD 22-01
• Sophos XG Series Firewall—This policy
idenfies a Sophos XG Series firewall, model
number is idenfied where available.
• Sophos XGS Series Firewall—This policy
idenfies a Sophos XGS Series firewall,
model and serial number are idenfied
where available.
• Sophos SG Series Firewall—This policy
idenfies a Sophos SG Series firewall, model
and serial number are idenfied where
available.
• Zoho ManageEngine Desktop Central MSP
—This policy idenfies the presence of
Desktop Central MSP on a host; the web UI
may also be surfaced.
• Zoho ManageEngine Desktop Central

Cortex® Xpanse™ Release Notes 11 ©2022 Palo Alto Networks, Inc.


Expander Release Informaon

Feature Descripon
• Adobe Commerce—This policy idenfies
indicators for both Magento Open Source
and Adobe Commerce. Version numbers are
not idenfied.
• Zabbix IT Monitoring Soware

Features Released in February 2022


The following table describes the new features in Cortex® Xpanse™ February 2022 releases.

Feature Descripon

Aack Surface Management for Remote • A map view has been added to the
Workers Enhancements Workforce Network and Workforce Device
detail pages
• The Remote Aack Surface dashboard was
updated to include Network accounts for
acve networks only
• The Remote Aack Surface Workforce
Networks list page now allows filtering
based on status
• An acvity status bar was added to the
Workforce Networks and Workforce
Devices details pages to indicate whether
the asset is acve, how many days it has
been acve, and the date range
• Provider informaon has been added
to Workforce Networks and Workforce
Devices list views and details pages

New Issue Policies • Long Validity Cerficate policy was updated


• Insecure Microso Exchange Server Policy
Update—This policy now idenfies insecure
versions of Microso Exchange 2019 prior
to Cumulave Update (CU) 10, Exchange
2016 prior to CU21, and Exchange 2013
prior to CU23. This policy also idenfies
all End-of-Life (EOL) versions of Microso
Exchange
• Insecure PHP
• Spiceworks
• Roundcube Webmail
• Cisco Firepower Device policy added to
update Cisco Firepower detecon

Cortex® Xpanse™ Release Notes 12 ©2022 Palo Alto Networks, Inc.


Expander Release Informaon

Feature Descripon
• Symantec Messaging Gateway
• VMware Workspace ONE UEM
• ISC BIND 9
• Insecure ISC BIND 9—idenfies BIND 9
servers vulnerable to CVE-2021-25219
• Atlassian Bitbucket
• Microso Azure CycleCloud
• IBM MQ
• AppGate SDP
• Wordpress Server policy updated to add the
version extractor
• Hikvision Device
• Insecure Atlassian Confluence Servers policy
updated to idenfy versions before 7.4.10
and from 7.5.0 to 7.12.5
• Insecure OpenSSH
• Insecure Node.js policy updated to idenfy
versions 12.0.0-12.22.4, 14.0.0-14.17.4,
and 16.0.0-16.6.1

Integraon Updates Xpanse TA for Splunk v.4.0.1


In addion to what's new in version 4.0.0, the
4.0.1 release includes a minor fix related to the
inputs for the Xpanse TA.
What's new in release 4.0.0:
• Client Credenal support
• Ability to run mulple inputs within a single
Xpanse Splunk TA (available in v3.3.0)
• Deprecaon of behavior data
• Upgrade to JQuery 3.5
• Upgrade to latest Splunk SDK
• Xpanse branding updates
For more informaon, see the Cortex Xpanse
and Splunk TA integraon page on the Palo
Alto Networks Technology Partners website.

Addional Updates • Xpanse login page has been updated.


• Cloud Resource account names are now
included on asset details pages.

Cortex® Xpanse™ Release Notes 13 ©2022 Palo Alto Networks, Inc.


Expander Release Informaon

Feature Descripon
• The Service details page was updated to
include detected issues associated with the
service.

Features Released in January 2022


The following table describes new features in the Cortex® Xpanse™ January 2022 releases.

Feature Descripon

Increase resoluon of scan mestamps to the This update enables Xpanse to provide more
nearest minute precise detail about the latest me an Issue
was scanned.

Updates to CMMC Compliance Assessment CMMC compliance mappings have been


mappings updated, including adding CMMC L1-L3 as an
oponal framework in addion to CMMC L1-
L5 on the Compliance Assessments Dashboard.

Support for searching on policy descripon On the Policies page, support has been added
for searching on policy descripon field.

ASM for Remote Workers enhancements • A toggle was added to the map view in the
Remote Aack Surface dashboard to allow
for viewing Networks and Devices.
• In the Peer Remote Devices table, each row
now clicks through to the Device details
page and each IP address clicks through to
the IP address details page.
• The Workforce Device table columns have
been updated. The Business Unit, Internal
IP, and OS are being removed and new
columns for source and network Locaon
have been added.
• A trend count and indicator was added to
the Total Workforce Networks dashboard
widget.

New issue policies • Cisco Unified IP Phones


• VMWare Horizon
• Insecure Apache policy updated to include
all versions below 2.4.52
• Palo Alto Networks Bridgecrew
• Citrix XenDesktop
• Citrix ShareFile Server

Cortex® Xpanse™ Release Notes 14 ©2022 Palo Alto Networks, Inc.


Expander Release Informaon

Feature Descripon
• Cisco IOS
• Apache Hadoop Yarn Resource Manager
• GitBucket
• Schneider Electric EcoStruxure IT Gateway
• Microso Dynamics NAV
• VMWare RabbitMQ Management Plugin
• Cisco Email Security Appliance (ESA)
• MikroTik Router—idenfies MikroTik
Routers and administraon portals
(RouterOS).
• Insecure MikroTik Router—idenfies
insecure versions of MikroTik RouterOS
through 6.42.
• H2 Database Console
• OctoberCMS—an open-source Content
Management System

Cortex® Xpanse™ Release Notes 15 ©2022 Palo Alto Networks, Inc.


Expander Release Informaon

Features Introduced in 2021


The following topics describe the Cortex® Xpanse™ features introduced in 2021 by month.
• Features Released in December 2021
• Features Released in November 2021
• Features Released in October 2021
• Features Released in September 2021
• Features Released in August 2021
• Features Released in July 2021
• Features Released in June 2021
• Features Released in May 2021
• Features Releases in April 2021
• Features Released in March 2021
• Features Released in February 2021
• Features Released in January 2021

Features Released in December 2021


The following table describes the new features in Cortex® Xpanse™ December 2021 releases.

Feature Descripon

New login page design Cortex® Xpanse™ has updated the design of
the Expander login page.

Self-Service Client Credenals Cortex® Xpanse™ Expander now supports


generang and revoking Client Credenals
directly through the UI. See Generate Client
Credenals for more informaon.

Expander API documentaon has moved Expander API documentaon can now be
to the Palo Alto Networks Developer Docs found at hps://cortex.pan.dev/. Our old API
website documentaon links have been updated to
redirect to this new locaon.

Toggle between On Prem and Cloud on the You can now toggle between On Prem and
Home Page map widget Cloud issues on the Home Page map widget.

Support for Microso Edge browser Microso Edge is now a fully supported
browser for Cortex Xpanse Expander.

New issue policies • Citrix SD-WAN


• Citrix Hypervisor

Cortex® Xpanse™ Release Notes 16 ©2022 Palo Alto Networks, Inc.


Expander Release Informaon

Feature Descripon
• Insecure TLS - Strict
• Insecure TLS policy was updated
• OGW Non-Compliant Issue policy was
updated
• Zoho ManageEngine ServiceDesk Plus MSP
• Java Applicaon
• VMWare Workspace ONE Access Server
• VMware vCenter and VMware vSphere
policy updates
• VMware vRealize Suite Lifecycle Manager
• Nes Router
• Prisma Cloud
• Citrix XenServer
• Fornet ForOS
• MobileIron Sentry
• Zoho ManageEngine AssetExplorer
• Updates to the Zoho ServiceDesk Plus
Policy

New issue policies to idenfy specific • Log4Shell-Vulnerable VMware Workspace


versions of soware known to be vulnerable ONE Access Server
to log4j CVEs
• Log4Shell-Vulnerable IBM WebSphere
Applicaon Server
These policies detect specific
versions of each piece of • Log4Shell-Vulnerable Apache Solr
soware that are known to be • Log4Shell-Vulnerable SonicWall Email
vulnerable, but will not be able Security
to comprehensively detect ALL
vulnerable instances.

Features Released in November 2021


The following table describes the new features in Cortex® Xpanse™ November 2021 releases.

Feature Descripon

Aack Surface Management for Remote The ASM for Remote Workers module is an API
Workers integraon between Cortex® Xpanse™ and
Cortex XDR that combines an organizaon's
endpoint details collected by Cortex XDR
with public asset informaon discovered
by Xpanse. For informaon about ASM for

Cortex® Xpanse™ Release Notes 17 ©2022 Palo Alto Networks, Inc.


Expander Release Informaon

Feature Descripon
Remote Workers, including the new Remote
Aack Surface dashboard in Expander, see the
Remote Aack Surface Overview secon in the
Cortex Xpanse User Guide.

New Expander Home Page The new Expander Home Page dashboard
focuses on a number of crical use cases that
make it faster to navigate to the most valuable
sets of data. For more informaon about
the Home Page dashboard and widgets, see
Expander Home Page.

Drill through Home Page Map widget to You can now drill through the Expander Home
Issues Page map widget to filter issues by the country
they are observed in.

Mean Time to Remediate (MTTR) Widget Fixed minor bugs with MTTR calculaon,
Updates added a table to display the number of inacve
issues by priority, and added an explanaon
about how we calculate MTTR. For details
about the (MTTR) widget on the Home Page
dashboard, see the secon in Expander Home
Page Dashboard.

User alert if no permission to edit Home Page If you do not have permission to edit the
Dashboard Preferences Home Page Dashboard Preferences, the
Dashboard Preferences page will display a
banner indicang that you don’t have edit
permission and the funconality on the
page will be disabled. See Expander Home
Page Filters and Dashboard Preferences for
more informaon about seng Dashboard
Preferences for the Home Page.

New Compliance Dashboard widget This new widget on the Compliance Dashboard
groups violaons by asset in order to enable
users to priorize a given asset and remediate
everything associated with it. Users can also
drill through this widget back to the Issues
module filtered by the asset that accounts for
the most violaons.

Policies CSV Export You can now export the list of Policies to a CSV
file to review them.

New Issue Policies • ForgeRock OpenAM


• Microso Dynamics 365 Business Central
• Aruba Virtual Controller

Cortex® Xpanse™ Release Notes 18 ©2022 Palo Alto Networks, Inc.


Expander Release Informaon

Feature Descripon
• Cisco Identy Services Engine (ISE)
• Updates to the versions categorized under
the Insecure Drupal Webserver policy
• Draytek Vigor Router
• Suspected honeypots are now excluded
from triggering other Issues
• Palo Alto Networks GlobalProtect Portal
• Zoho ManageEngine ServiceDesk Plus

Addional Updates • Added the ability to filter by Provider on the


Compliance Assessments dashboard
• Updated links to the product documentaon
on the Compliance Assessments Dashboard
• Home Page policy widget renamed New
Trending Policy Available

Features Released in October 2021


The following table describes new features in Cortex® Xpanse™ October 2021 releases.

Feature Descripon

Behavior data can now be downloaded as a You can now download Behavior alerts as
CSV file a CSV file directly from the Behavior tab in
Expander.

Issues Categorizaon Cortex® Xpanse™ Issues have been assigned


to general categories such as "Remote Access"
and "Databases" for easier filtering based on
the general type of issue exposure. These
categories appear in the Issues List page and
also include the counts for each issue type and
overall category.

Features Released in September 2021


The following table describes new features in the Cortex® Xpanse™ September 2021 release.

Feature Descripon

New Issue Policies • Citrix XenMobile Server


• Potenal Honeypot
• Windows 2000, Windows 2003

Cortex® Xpanse™ Release Notes 19 ©2022 Palo Alto Networks, Inc.


Expander Release Informaon

Feature Descripon
• Golang Go
• Update to Insecure Microso Exchange
Server policy in response to recent CVEs

Updated CSV Export All CSV exports have been updated to include
significantly more fields from the Xpanse
API, beer handle very large exports, and
deliver exports via email if they are too large
to complete in the browser. See CSV Exportfor
more informaon.

NIST 800-171 and CMMC L1-L5 Compliance Mapping and documentaon for NIST 800-171
Frameworks and CMMC L1-L5 compliance frameworkshave
been updated and are generally available.

Users can choose to automacally turn on all Under the sengs page, users who have the
new policies ability to enable and disable policies for their
organizaon can now automacally opt-in to
all newly published policies.

Addional Updates • ServiceNow SIR integraon is now


supported. Security Incident Response (SIR)
is part of the ServiceNow SecOps module
and allows for automaon in handling
security specific incidents. This integraon
sends Xpanse Issues data to SIR to create
issues and provides some bi-direconal and
fine-tuning configuraon capabilies.
• Xpanse Python SDK 1.0.0 has been released
on Github and Pypi.
• The Issues Detail page was updated so that
formats it correctly for prinng. Use your
browser’s Print-to-PDF funconality to print
Issue Details pages.
• CMMC Compliance Assessment dashboard
has been updated with recently released
Expander issue policies.
• NIST 800-171 Compliance Assessment
dashboard has been updated with recently
released Expander policies
• NIST 800-53 mapping for the Compliance
Assessment dashboard has been updated.
• Cloud Account IDs, pulled via the Prisma
Cloud Integraon, are now available as a

Cortex® Xpanse™ Release Notes 20 ©2022 Palo Alto Networks, Inc.


Expander Release Informaon

Feature Descripon
filter for issues and are included in the Issue
details for reference.

Features Released in August 2021


The following table describes new features in the Cortex® Xpanse™ August 2021 release.

Feature Descripon

New Issue Policies • Cisco Small Business Series Wireless Access


Points
• Android Team Awareness Kit (ATAK)
• Skype for Business Server
• Citrix Workspace
• Liferay Portal
• Expiring domain
• Avi Vantage Soware Load Balancer
• Radware Alteon Applicaon Delivery
Controller
• Truen Camera
• Kong Gateway
• Nagios Fusion
• Aruba AirWave
• Cisco Jabber
• Citrix Cloud Connector
• Gitlab

Links to IP address and IP range details All links to the IP address and IP range details
pages more visible pages within Expander now show a navigaon
arrow next to them to make them more
prominent.

Behavior risk rules with the term “Blacklist” Behavior Risk Rules using the term
are renamed “Blacklisted” have been renamed to use “Block
Listed”.

Service classificaon counts Service classificaon counts have been added


to the Service Classificaon drop-down menu.

Configurable columns for Issues list view As with the Services list view, you can now
choose and order the columns displayed on the
Issues list view.

Cortex® Xpanse™ Release Notes 21 ©2022 Palo Alto Networks, Inc.


Expander Release Informaon

Features Released in July 2021


The following table describes new features in the Cortex® Xpanse™ July 2021 release.

Feature Descripon

New Issue Policies • Kaseya VSA


• Cisco Unified Compung System
• 2xx Soware Development Environment
• Teamviewer
• Dell Wyse Management Suite
• Cisco HyperFlex
• Insecure Microso IIS Server – updated the
versions captured by this policy
• Microso IIS Server
• Cisco Adapve Security Appliance (ASA)
• A10 Networks Thunder Applicaon Delivery
Controller (ADC)
• SolarWinds Serv-U
• Axis Network Camera
• Oracle PeopleSo PeopleTools
• Oracle PeopleSo (other)
• DZS Dasan Router

Update to the IP Ranges API The IP Ranges API has been rewrien and
replaced, which should result in significantly
faster performance for larger users.

Update to Related Registraon Records On the details page for a custom IP range,
the Related Registraon Records secon will
display the related registraon records for
specified custom range only. It will no longer
display the registraon records for the enre
parent range.

Update default filtering for Services Directly Discovered is now the default
Discovery Method filter for Services.

Addion of Has Issue column and filter to A new filter called Has Issue has been added to
Domains and Cerficates tabs the Assets>Cerficates and Assets>Domains
tabs. These links in the Issue column click
through to the Issues page with a filter applied
by asset. This funconality will be coming to IP
Ranges in the future.


Exact searching for domains in Issues and Services modules: You can now search for an exact match for domain names on the Issues and Services pages by placing your query in quotes. For example, searches for “example.com” will return only matches for example.com and will NOT return results such as subdomain.example.com. This update is accessible via UI and API.

Addition of "Has Issue" column and filter to Domains and Certificates: NIST 800-53 Compliance Assessments dashboard now includes additional policies that we have been releasing to Expander as well as updates to mappings for previous policies in an effort to make the data more operational.

Features Released in June 2021


The following table describes new features in the Cortex® Xpanse™ June 2021 release.

Feature Descripon

New Issue Policies • Networking Infrastructure (updated)


• PhpRedis Login Portal
• Apache AcveMQ
• Nagios Core
• Nagios XI
• Squid Web Proxy
• Hadoop Server
• Insecure Python Applicaons
• Cisco Content Security Management
Appliance
• Dnsmasq
• Cisco Unified Communicaons Manager
• Cross Domain Sighngs Policy
• Oracle E-Business Suite

Unmanaged Cloud feature availability The Unmanaged Cloud feature is now available
to all customers. The Unmanaged Cloud
Overview dashboard will also be displayed for
all customers, but will not have any data unl a
Prisma API key has been added.


Update Select All to always be visible in drop-down menus: Updated the Issue Type and Service Classification drop-down menus to improve filtering. With this change, the All Options selection at the top of the drop-down is always visible, eliminating the need to scroll to the top of the list to select or deselect it.

Registrant and Issuer Filters: A new filter was added to the Assets>Domains page for Domain Registrar and a new filter was added to the Assets>Certificates page for Certificate Issuers. You can now drill down from the Attack Surface Overview dashboard to those two modules.

Account ID filter for Cloud Resources: A new filter was added to the Assets>Managed Cloud Resources page for CSP account IDs, enabling cloud resources to be filtered by the originating account for the resource.

Default list view size: The default list views (Issues, Services, Policies, etc.) have been updated to show 50 per page, instead of 20.

Tech Partners Page: Palo Alto Networks Tech Partners site is the new home for our third-party integration documentation.

Features Released in May 2021


The following table describes new features in the Cortex® Xpanse™ May 2021 release.

Feature Descripon

New Issue Policies • Insecure Atlassian Crowd


• Zoho ManageEngine ServiceDesk Plus
• Atlassian Confluence Server
• Insecure Atlassian Confluence Server
• Joomla! Core
• Cisco Firepower Threat Defense
Management Interface
• Redis Enterprise Login Portal
• Cisco Small Business RV Series Router
• Microso OWA Server (update)
• OpenSSH

• Insecure OpenSSH
• Co-Located F5 BIG-IP TMUI
• VMware Workspace One Administrative Configurator
• Exim Mail Transfer Agent
• WordPress Administration Page
• VMware Carbon Black
• Cisco Data Center Network Manager
• PostgreSQL pgweb Login Portal
• PostgreSQL pgAdmin Login Portal
• Redis Enterprise Login Portal
• Redis Commander Login Portal
• PhpRedis Login Portal
• HashiCorp Consul Login Portal
• Atlassian Jira Server
• Cisco NX-OS
• PHP
• VMware Workspace One Administrative Configurator

Other Updates:
• In services, we have introduced a new label for each service aggregate (recentIp, recentDomain, recentTlsVersion, recentCert, and classifications) called activityStatus which will reflect the activeness of that aggregate.
• The filtering behavior for the activityStatus filter has also been modified. Filtering on active services and filtering on any classification, provider, Ip, or domain will only filter on active services that have active aggregates with the filtered value.
• NIST 800-53 Compliance Assessment Dashboard is now GA’ed
• Added Assets Under Management (AUM) widget to the Attack Surface Overview Dashboard
• Policy Explainers are now available in the product in user interface and API.


Features Released in April 2021


The following table describes new features in the Cortex® Xpanse™ April 2021 release.

Feature Descripon

New Issue Policies • Zyxel Firewall—This policy idenfies Zyxel


Firewalls.
• Cisco Webex Meengs Server—This policy
idenfies Cisco Webex Meengs Servers.
• ZoHo ManageEngine Desktop Central—
This policy idenfies ZoHo ManageEngine
Desktop Central.
• F5 Advanced Web Applicaon Firewall—
This policy idenfies F5 Advanced Web
Applicaon Firewall.
• F5 BIG-IP Access Policy Manager—This
policy idenfies F5 BIG-IP Access Policy
Manager.
• Microso Power BI—This policy idenfies
Microso Power BI.
• Fornet Policies—This policy idenfies a
number of Fornet devices that were the
subject of some crical CVEs.
• Cisco IOS XE
• RSA Archer
• Citrix Gateway
• Adobe ColdFusion
• Integrated Dell Remote Access Control
(iDRAC)
• SaltStack Enterprise Login Portal
• Apache Spark
• Adobe Connect
• Accellion FTA
• Nagios Device
• Insecure Microso Exchange Server
(Update)
• Synacore Zimbra
• (Zero day) Pulse Secure Pulse Connect VPN
• (Zero day) SonicWall Email Security


Toolps on dashboards Added a new toolp on trend charts for the


Issues Overview and Aack Surface Overview
to explain the number in the widget.

Cortex Xpanse Rebranding Cortex Xpanse Expander re-branding has been


completed with updated logos and changes
from “Expanse” to “Cortex Xpanse” in the
product and KnowledgeBase.

Features Released in March 2021


The following table describes new features in the Cortex® Xpanse™ March 2021 release.

Feature Descripon

New Issue Policies • Insecure Node.js—Node.js is an open source


server environment that uses JavaScript on
the server. Node.js server-side JavaScript
allows developers to work on both frontend
and backend, code in the same language
and build fast scalable web applicaons.
This issue idenfies Node.js servers running
Express, Koa, and Sails web frameworks,
and flags version ranges 15.0.0-15.2.0,
14.0.0-14.15.0, and 12.0.0-12.19.0.
Compromise of a Node.js applicaon with
affected versions could allow an aacker to
trigger a Denial of Service. This is fixed in
15.2.1, 14.15.1, and 12.19.1.
• VMware vCenter Admin Page—This policy
idenfies an administrave login page for
VMware vCenter, which is crical network
infrastructure.
• Fornet Device—This policy idenfies a
variety of Fornet devices that are exposed
to the internet. It is not available by default
for all customers.
• F5 BIG-IQ Server—This issue enumerates
the F5 BIG-IQ login portal. F5 BIG-IQ
Centralized Management provides a unified
point of visibility and control to manage
policies, licenses, SSL cerficates, images,
and configuraons for F5’s BIG-IP family of
products.

• F5 BIG-IP TMUI—Updates to the existing policy.
• HPE ProLiant Server—This policy detects HPE ProLiant Servers. It is off by default.
• Insecure SIP Server—This is a new policy specifically to detect insecure SIP servers. It is a subset of the previously existing SIP Server policy. It is off by default.
• Microsoft Exchange, OWA—We improved detection of our existing Microsoft Exchange and Outlook Web Access (OWA) policies.
• Insecure Microsoft Exchange Server—This issue flags on-premises Microsoft Exchange Servers that are vulnerable to the zero-day exploits described by Microsoft in March 2021 and used by the Hafnium threat actor (HAFNIUM targeting Exchange Servers with 0-day exploits – Microsoft Security). The vulnerabilities identified by Microsoft are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. It is on by default.

Dashboards: Services Count and Providers Chart Now Include Drill-through: Users can now click on the summary Services count or the Go to... link in the Providers chart in the Attack Surface Overview dashboard in order to review more details about the relevant Services within the List View.

Update to Issues List view: Based on user feedback that the First Added column was occasionally confusing, we have replaced it with the column First Observed.

Dashboards: Y-axis adjustments: Updated the Y-Axis of all trend widgets on both the Issues Overview and Attack Surface Overview dashboards to better emphasize the actual trend and changes in data.

Dashboards: Map View: Released the Map view on the Issues Overview Dashboard.

IP Details Page: The new IP Details page has shipped. This page allows users to pivot around a single device (IP address) and look for all the related issues, services, certificates, domains, etc.


Features Released in February 2021


The following table describes new features in the Cortex® Xpanse™ February 2021 release.

Feature Descripon

New Issue Policies • Zyxel WLAN Access Point Controller—


Medium – Zyxel Networks Corporaon’s
Wireless LAN Controllers are all-in-one,
intelligent wireless LAN controllers for
centralized WLAN management and auto
provisioning. This issue idenfies Zyxel
Wireless LAN 2000/5000 series controllers.
Some of these devices were revealed to
have a default password sll set, as of
January 2021.
• Citrix Applicaon Delivery Controller—
Medium – This policy covers detecon for
two devices from Citrix:
• Citrix ADC (aka Netscaler ADC)
• Citrix Gateway (AKA Netscaler Gateway)
• Insecure Citrix Applicaon Delivery
Controller—High – This policy highlights
versions of the Citrix Applicaon Delivery
Controller which may be vulnerable to
CVE-2019-19781.
• F5 BIG-IP Access Policy Manager—Low
– BIG-IP Access Policy Manager (APM)
is an access management proxy soluon
maintained by F5 Networks, Inc. F5 BIG-IP
APM consolidates remote, mobile, network,
virtual, and web access, and funcons as an
identy aware proxy that puts an Auth/SSO
wall in front of other applicaons. This issue
idenfies the F5 BIG-IP APM landing page.
• IKEv1 Server—Medium – This issue
enumerates IKEv1servers. Internet Key
Exchange (IKE, somemes IKEv1 or IKEv2,
depending on version) is the protocol
used to set up a security associaon (SA)
in the IPsec protocol suite. IKEv1, an
older version of the protocol, is generally
vulnerable to several known exploits in
implementaons of IKEv1 in firewalls and
networking gear that supports IPsec VPN
tunnels. Compromise of IKEv1 could allow

an adversary to bypass authentication and impersonate clients or servers.
• SonicWall Secure Mobile Access VPN—Low – SonicWall released an urgent security notice of an ongoing investigation into probable zero-day vulnerabilities with its SMA 100 Series products. SonicWall SMA is a remote access gateway offering application-level VPN, granular access control, and device authorization to access corporate resources hosted on-prem, and in cloud and hybrid data centers. The SMA 100 series (SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v model vpns) running SMA 8.x/9.x/10.x remains under investigation and should be acknowledged as potentially insecure. This issue finds SonicWall Secure Mobile Access (SMA) VPN devices. While this issue does not find model numbers, some server/software numbers and versions of software on login pages are able to be discovered, and are displayed where observed.
• UPDATED: Oracle WebLogic Server—Medium – This issue has been updated with enhanced signatures to find additional WebLogic servers.
• Oracle Fusion Middleware—Medium – Oracle Fusion Middleware is a suite of products from Oracle Corporation that facilitates infrastructure to create business applications. It can communicate with multiple services, including Oracle WebLogic (a Java EE application server), HTTP servers, integration services, business intelligence, and content management. This issue identifies web servers that have Fusion Middleware deployed by identifying the Oracle Fusion Middleware splash/documentation page.
• Cisco SD-WAN—Medium – Cisco SD-WAN is a software-defined wide area network management solution that is managed through Cisco’s vManage interface. While this issue does not find versions of the SD-WAN software, it identifies the Cisco SD-WAN login-page.
• Schneider Electric PowerChute—Medium – PowerChute Business Edition is a Schneider Electric software product for UPS management, graceful shutdown and energy management capabilities. This issue identifies agent web UI and logging features of PowerChute 9.2.1 and below.
• Adobe Experience Manager—Medium
• Cisco Integrated Management Controller (IMC)—Medium – This issue identifies Cisco Integrated Management Controllers (CIMC/IMC), a baseboard management controller that provides embedded server management for Cisco UCS C-Series Rack Servers and Cisco UCS S-Series Storage Servers. There are several vulnerabilities in the API subsystem of CIMC, though this issue does not specifically flag the vulnerable version types.
• SAP BusinessObjects BI Platform—Medium – SAP BusinessObjects Business Intelligence Platform is a centralized suite for data reporting, visualization, sharing, and analysis with BusinessObjects WebIntelligence, Analytics Cloud, and SAP Crystal Reports. This issue enumerates instances of the SAP BusinessObjects Central Management Console (CMC), a web-based tool used to perform administrative tasks, including user management, content management, and server management.

Select All Option added to Dropdown Filters: We have added a more convenient select all button at the top of every drop-down filter, which can be used to more easily select either very few values or nearly all (“n-1”) values.

Attack Surface Overview Dashboard now Defaults to “All Statuses”: We have updated the default status filter for the Attack Surface Overview to All Statuses to improve customer convenience.

Bug Fixes: Dashboards no longer show non-available filter options within the settings panel.


Features Released in January 2021


The following table describes new features in the Cortex® Xpanse™ January 2021 release.

Feature Descripon

New Issue Policies • OpenSSL—Low – OpenSSL is a commonly


used toolkit and cryptography library for
TLS and SSL protocols. This issue idenfies
OpenSSL strings in HTTP, FTP, and SSH
data.
• VMware vSphere—Medium – VMware
vSphere is an enterprise virtualizaon
plaorm for managing fleets of servers,
virtual machines, and ESXi/ESX hypervisors.
This issue idenfies vSphere administraon
clients that are exposed to the internet.
• Cisco Secure Web Appliance—Medium
• Unclaimed S3 Bucket—High – Amazon
Simple Storage Service (or Amazon S3) is a
service offered by AWS that provides object
storage through a web interface. S3 buckets
serve as the containers for objects, similar
to file folders, and can also be configured
for website hosng to serve stac content
as web servers. S3 buckets are bound to a
parcular domain. When a domain name
(CNAME record) points to an S3 bucket that
is not defined, anyone can register the S3
bucket, place content there and masquerade
as the company. This is one instance of
what’s known as subdomain hijacking.
• JetBrains TeamCity Server—Medium –
TeamCity is a connuous integraon/
connuous delivery (CI/CD) plaorm used
to automacally test and build soware
from a source code repository. Compromise
of a TeamCity deployment or other CI/
CD service could allow an adversary to
compromise the soware being built to
create a downstream security risk, access
source code, or pivot elsewhere within
a target network. As a result, TeamCity
servers generally should not be exposed to
the public Internet.
• Default Apache Tomcat Page—Low – This
issue shows that a default Apache Tomcat
landing page has been found. This can be a

proxy for finding the Tomcat Management Portal as the landing page contains a button with a link to the management app. While the discovery scan does not actually “click the button” to download and run the management app, it flags the presence of the button displayed on the default landing page. Compromise of a Tomcat landing page could allow an adversary to connect to the management portal, change the configuration, upload new applications, or run arbitrary code on the server.

Issues Overview Dashboard: This dashboard introduces many new charts and filters for monitoring your network risk and progress remediating Issues. As with our other new Dashboard pages this view supports an array of filter options and includes a button for sharing your current page and filter set with other users of the same Expander network.

Dashboard Time Series Export Options: Users can now export Expander dashboard time series charts as png, svg, or csv.

Add “No Risk” Progress Status: Users now have an additional Progress Status within the Closed sub-category to classify Issues determined to have mitigating controls or valid policy exceptions without declaring them to be Acceptable Risk or Resolved.

Settings Page Redesign: Users can now find their Issues digest and change password settings within a top-level tab in Expander.

Bug Fixes: Resolved Issue that prevented the Provider value from appearing on the Issues detail page.
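
The Unclaimed S3 Bucket policy in the January 2021 table describes a CNAME record that still points at a bucket nobody owns. The following added example (not Cortex Xpanse detection logic) audits an organization's own zone export for that condition; the record names, HTTP responses and function names are constructed, and the regular expression covers only the common S3 endpoint hostname shapes.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Common S3 endpoint hostnames: bucket.s3.amazonaws.com, bucket.s3.<region>...,
# bucket.s3-<region>..., bucket.s3-website-<region>..., bucket.s3-website.<region>...
S3_TARGET_RE = re.compile(
    r"^(?P<bucket>.+?)\.s3(?:-website)?(?:[.-](?P<region>[a-z0-9-]+))?"
    r"\.amazonaws\.com\.?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Probe:
    """HTTP status and body observed when fetching the record's hostname."""
    status: int
    body: str


def s3_bucket_from_target(target: str) -> Optional[str]:
    """Return the bucket name encoded in a CNAME target, or None if not S3."""
    match = S3_TARGET_RE.match(target.strip())
    return match.group("bucket").lower() if match else None


def classify(target: str, probe: Optional[Probe]) -> str:
    """Classify one CNAME record as not-s3, unverified, unclaimed or claimed."""
    if s3_bucket_from_target(target) is None:
        return "not-s3"
    if probe is None:
        return "unverified"            # S3 target, but nothing fetched yet
    # S3 answers 404 with the error code NoSuchBucket when the bucket is not
    # defined. A 404 NoSuchKey or a 403 AccessDenied means the bucket exists.
    if probe.status == 404 and "NoSuchBucket" in probe.body:
        return "unclaimed"
    return "claimed"


def audit(records: Iterable[Tuple[str, str]],
          probes: Dict[str, Probe]) -> Dict[str, str]:
    """Map each record name to its finding."""
    return {name: classify(target, probes.get(name)) for name, target in records}


def unclaimed(findings: Dict[str, str]) -> List[str]:
    """Names whose CNAME should be removed or whose bucket should be re-created."""
    return sorted(name for name, state in findings.items() if state == "unclaimed")


# Constructed zone export: (record name, CNAME target).
SAMPLE_RECORDS = [
    ("www.example.com", "www.example.com.s3-website-us-east-1.amazonaws.com."),
    ("assets.example.com", "assets.example.com.s3.amazonaws.com"),
    ("private.example.com", "private.example.com.s3.eu-west-1.amazonaws.com"),
    ("docs.example.com", "docs.example.com.s3-us-west-2.amazonaws.com"),
    ("old.example.com", "old.example.com.s3-website.eu-central-1.amazonaws.com"),
    ("shop.example.com", "shops.example.net"),
]

# Constructed responses, keyed by record name (old.example.com was not fetched).
SAMPLE_PROBES = {
    "www.example.com": Probe(200, "<html>welcome</html>"),
    "assets.example.com": Probe(404, "<Error><Code>NoSuchBucket</Code></Error>"),
    "private.example.com": Probe(403, "<Error><Code>AccessDenied</Code></Error>"),
    "docs.example.com": Probe(404, "<Error><Code>NoSuchKey</Code></Error>"),
}

if __name__ == "__main__":
    results = audit(SAMPLE_RECORDS, SAMPLE_PROBES)
    for name, state in results.items():
        print(f"{name:22} {state}")
    print("remove or reclaim:", unclaimed(results))
```

Records reported as unverified still need a fetch before they can be closed out, and a record reported as unclaimed is remediated by deleting the CNAME or re-creating the bucket in an account the organization controls.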



Assess Release Informaon
Cortex® Xpanse™ is a cloud-based subscripon that provides a complete and accurate
inventory of an organizaon’s global internet-facing assets and misconfiguraons.
Xpanse discovers, evaluates, and migates an external aack surface without the need
for any installaon or agents. Cortex Xpanse Assess provides a comprehensive, point-
in-me assessment of your organizaon’s aack surface, with the ability to run a new
assessments as needed.
The following topics describe the new features and enhancements introduced in
Cortex® Xpanse™ Assess releases.

> Features Released in September 2022
> Features Released in August 2022
> Features Released in July 2022
> Features Released in April 2022
> Features Released in March 2022

For addional informaon on how to use new features, refer to the Cortex Xpanse
Assess User Guide.


Features Released in September 2022


The following table describes the Cortex® Xpanse™ Assess features and enhancements released
in September 2022.
For the list of new issue policies, see New Issue Policies. See for the complete list of new features
released for Cortex Xpanse Assess.

Feature Descripon

Issue Discovery Path Issue Discovery Path is a new piece of


informaon that appears on issue details pages
in Expander. Issue Discovery Path explains how
an issue was discovered and how it relates to
other enes such as your assets and services.


Features Released in August 2022


The following table describes the Cortex® Xpanse™ Assess features and enhancements released
in August 2022.
For the list of new issue policies, see New Issue Policies.

Feature Descripon

Cortex Xpanse Assess v2 Cortex Xpanse Assess v2 introduces the


following funconality:
• You can now kick off a new assessment
using the Run assessment buon,
without having to send an email. The Run
assessment buon is disabled when a
new assessment is in progress to prevent
duplicate assessment requests
• View your up-to-date balance of
assessments purchased and consumed
• View your assessment usage history across
mulple yearly contract periods, including
the status of each assessment (in progress,
complete), as well as the reason each
assessment was requested
See Cortex Xpanse Assess for more
informaon.

Responsive IP asset type added to Asset Responsive IPs have been added as an asset
Inventory type in the Asset Inventory. Responsive IPs
are dynamically created when Xpanse detects
a responsive service running on an IP address
associated with one of your organizaon's IP
Ranges. Responsive IPs are linked to these
IP Ranges and inherit details from their
associated range, such as registraon details
and any assigned tags. Responsive IPs become
inacve 30 days aer all related services
become inacve.


Features Released in July 2022


The following table describes the Cortex® Xpanse™ Assess features and enhancements released
in July 2022.
For the list of new issue policies, see New Issue Policies. For the Cortex Xpanse Assess Release
Notes, see Assess Release Information.

Feature Descripon

Asset Inventory View The new Asset Inventory view displays a


comprehensive list of your assets along with
key data about each asset, enabling you to
search, sort, and filter your enre asset list
from one interface. The Inventory can be found
on the Assets tab in Cortex Xpanse Assess.
The asset type list view pages (IP Ranges,
Cerficates, Domains, etc.) are sll available
and can now be sorted and filtered on the
issues and services associated with an asset.
For more informaon, see Assets in the Cortex
Xpanse Assess User Guide.

Remediaon Guidance The Remediaon Guidance feature


provides a set of high-level, aconable
steps recommended by Cortex Xpanse for
remediang an issue. Remediaon Guidance
includes insights around the risk of exposing
the service or applicaon, whether that risk is
acceptable or not, what steps should be taken
to take the service off the internet or what to
do when that acon is not possible, and, when
available, links to Palo Alto Networks Unit 42
research on that issue.
Remediaon guidance can be found in the How
to Remediate secon of the issue details page
in Expander.
Note that not all issues have remediaon
guidance yet. Cortex Xpanse will connue to
add remediaon guidance for more issues in
future releases.


Features Released in April 2022


The following table describes the Cortex® Xpanse™ Assess features and enhancements released
in April 2022.

Feature Descripon

Inferred CVEs The Inferred CVE Enhancement funconality


is now available for all users. This allows users
to see any potenally applicable inferred CVEs
in the Services Details View, or to search the
product by CVE-ID (CVE-YYYY-XXXXX) to find
any potenally affected assets. Note that this
funconality does not confirm the presence or
absence of a CVE. For more informaon about
the Inferred CVE enhancement, see Inferred
CVEs.

Other Enhancements The number of recent IPs returned with the


cerficates list API was increased to 10,000
from 100.


Features Released in March 2022


The following table lists the new features in the March 2022 release of Cortex® Xpanse™ Assess.

Feature Descripon

Introducing Cortex® Xpanse™ Assess Xpanse Assess is a soware-as-a-service web


applicaon that provides a comprehensive,
point-in-me assessment of your organizaon’s
aack surface. Xpanse Assess enables you to
run new assessments as needed from within
the Cortex Xpanse web applicaon. APIs and
integraons are not included with Assess.
Xpanse Assess uses the Cortex Xpanse
plaorm, which collects and correlates
acve and passive informaon about every
device and service connected to the public
Internet. Using this informaon, Cortex Xpanse
aributes assets to specific organizaons,
idenfying weaknesses in your organizaon’s
known infrastructure and helping you discover
and protect previously unknown Internet-
connected systems.
Cortex Xpanse provides four key modules that
enable organizaons to track and secure their
internet-facing assets and infrastructure.
• Assets —The Assets module provides an
inventory of all internet assets that Expanse
has aributed to an organizaon, including
their IP ranges, cerficates, domains, and
cloud resources.
• Services —The Services module provides an
inventory of all soware and services that
are connected to the public-facing internet
including observable details about soware
versions, configuraons, and framework
technologies.
• Issues —The Issues module and the
flexible Policy Engine idenfy security
and configuraon problems within an
organizaon's Assets and Services, providing
a workflow where analysts can invesgate,
priorize, track their efforts to remediate
outstanding problems, and independently
confirm they have been corrected.

• Dashboards—The Dashboards module provides reporting on the current and historical state of an organization's Assets, Services, and Issues, giving insight into trends and helping leaders identify key topics and business units to focus on to improve the security posture of their organization.
See the Cortex Xpanse Assess User Guide for more information.



New Issue Policies
The following topics list the Cortex Xpanse issue policies that were introduced or
updated each month. These policies apply to both Cortex Xpanse Expander and
Cortex Xpanse Assess.
> New Policies in October 2022
> New Policies in September 2022
> New Policies in August 2022
> New Policies in July 2022
> New Policies in June 2022
> New Policies in May 2022
> New Policies in April 2022
> New Policies in March 2022
> New Policies in February 2022
> New Policies in January 2022
Refer to the Cortex Xpanse User Guide or Cortex Xpanse Assess User Guide for more
information about issue policies.


New Policies in October 2022


The issue policies listed below apply to both Cortex Xpanse Expander and Cortex Xpanse Assess.
These policies were introduced or updated in October 2022.
New policies:
• Cisco Secure Access Control System & Insecure Cisco Secure Access Control System
• Google WebFramework Angular
• IBM Cognos Analycs
• Moxa MXview
• Quest KACE System Management Appliance & Insecure Quest KACE System Management
Appliance
• PrimeTek PrimeFaces and Insecure PrimeTek PrimeFaces
• WatchGuard Firebox
• Zoho ManageEngine Access Manager Plus
• Zoho ManageEngine PAM360
• Zoho ManageEngine Password Manager Pro & Insecure Zoho ManageEngine Password
Manager Pro


New Policies in September 2022


The issue policies listed below apply to both Cortex Xpanse Expander and Cortex Xpanse Assess.
These policies were introduced or updated in August 2022.
New policies:
• SonicWall SonicOS & Insecure SonicWall SonicOS
• Insecure Atlassian Bamboo—Includes versions impacted by CVE-2022-26136 and
CVE-2022-26137.
• Atlassian Crucible and Insecure Atlassian Crucible
• Atlassian Fisheye & Insecure Atlassian Fisheye
• Zoho ManageEngine OpManage
• Clario Clinical Trial Management Systems
• Fujifilm Synapse RIS
Updated policies:
• Insecure Atlassian Confluence Server and Insecure Atlassian Confluence Data Center—Updated
to include versions vulnerable to CVE-2022-26136 and CVE-2022-26137.
• Insecure Drupal Web Server—Updated to check for CVE-2022-25277.


New Policies in August 2022


The issue policies listed below apply to both Cortex Xpanse Expander and Cortex Xpanse Assess.
These policies were introduced or updated in August 2022.
New policies:
• Amazon FreeRTOS Operang System
• Amazon Simple Storage Service (S3)
• AMQP Server and Co-Located AMQP Server
• Apache Airflow
• Arcadyan Buffalo Routers
• Arcserve Unified Data Protecon
• Check Point SSL VPN
• Cisco Applicaon Policy Infrastructure Controller (APIC)
• Cisco Catalyst Switch
• Cisco Prime Collaboraon Provisioning
• Cisco Small Business Switch
• Cisco TelePresence Infrastructure
• CWMP Auto Configuraon Server
• D-Link DIR-610 Device—Insecure and Regular policies
• Gogs
• LDAP Server
• Libssh
• LG NAS
• Meta Pixel
• Microso Acve Directory Federaon Services (ADFS)
• Mitel MiVoice Business Express
• Mitel MiCollab
• MobileIron Core—Regular and Insecure
• Netwrix Auditor
• OpenVPN Server and Co-located OpenVPN Server
• Oracle Solaris
• Pulse Policy Secure NAC
• Realtek Device
• Sitecore Plaorm
• SolarWinds Virtualizaon Manager
• SonicWall Global Management System (GMS)

• Regular and Insecure Policies for Sophos Firewall OS
• Tatsu Wordpress Plugin
• TeamViewer Remote Server and Co-Located TeamViewer Remote Server
• Telerik
• Wordpress Social Warfare Plugin—Regular and Insecure Policies
• Yealink Networking Device
• Zyxel NAS Device
Updated policies:
• Atlassian Jira—The Atlassian Jira Server policy has been updated to better identify the product
as well as identifying Atlassian Jira Service Management.
• Nagios Device—Updated to add a Nagios Device Selector
• Pulse Secure Connect VPN—Updated the Pulse Secure Connect VPN policy to identify version
numbers under certain circumstances.
• Synacor Zimbra Collaboration Suite—Updated the Synacor Zimbra Collaboration Suite policy to
include a POP3 selector.
• VMware Workspace ONE Access Server—The VMware Workspace ONE Access Server policy
was updated to improve identification and collect additional information.
• Zyxel Firewall—Updated the Zyxel Firewall policy to include USG, VPN, and ATP products.


New Policies in July 2022


The following Cortex Xpanse issue policies apply to both Cortex Xpanse Expander and Cortex
Xpanse Assess. These policies were introduced or updated in July 2022:
• Oracle Business Intelligence
• Amcrest Technologies Camera
• TVT NVMS Video Management
• Sonatype Nexus Repository Manager
• RTI Connext DDS
• Hewle Packard Applicaon Lifecycle Management (ALM)
• QNAP Network Aached Storage (NAS)—This policy idenfies QNAP NAS structures as well as
associated online portals. Model numbers and the model series are idenfied, version numbers
of NASFTPD are also extracted.
• NETGEAR DGN Series Router
• NETGEAR WNR Series Router
• Insecure Hikvision Device—This policy idenfies Hikvision devices that are vulnerable to
CVE-2021-36260.
• Insecure Apache Web Server—Update to Insecure Apache Web Server to flag now outdated
version (2.4.53) as Apache Web Server recently released 2.4.54.
• Dell OpenManage Enterprise
• BQE BillQuick Billing Software
• Regular and Insecure Policies for Cisco Evolved Programmable Network Manager (EPNM)
• SAP Internet Communication Framework
• Pi-Hole
• PlaySMS
• Microfocus Access Manager
• Insecure Jenkins Server
• Rejeo HTTP File Server (HFS)—Policy for insecure and regular versions.
• PhpMyAdmin
• Zoho ManageEngine ADAudit Plus—Policy for insecure and regular versions.
• Redhat JBoss Enterprise Application Platform
• Cisco Webex Meetings Server—Updated to remove overlap with the SolarWinds policy.

New Policies in June 2022


The following Cortex Xpanse issue policies apply to both Cortex Xpanse Expander and Cortex
Xpanse Assess. These policies were introduced or updated in June 2022:
• TP-Link Device
• EyesOfNetwork
• Palo Alto Networks Panorama
• RBC - jQuery
• DotNetNuke CMS
• D-Link ShareCenter NAS
• Dell EMC NetWorker
• Cisco Unity Connection
• WSO2 Identity Server
• WSO2 API Manager
• WSO2 Enterprise Integrator

New Policies in May 2022


The following Cortex Xpanse issue policies apply to both Cortex Xpanse Expander and Cortex
Xpanse Assess. These policies were introduced or updated in May 2022:
• SAP Business One
• TerraMaster Operating System and Insecure TerraMaster Operating System
• EmbedThis GoAhead Web Server
• SSH Server CBC Mode Ciphers Enabled
• Cisco Duo SSO
• F5 BIG-IP Platform
• rConfig Network Configuration Management
• Fortinet Fortigate SSL VPN—This policy has been separated out from the Fortinet Device policy
to provide extra clarification around the specific device and issue found.
• SSL/TLS Ciphers Vulnerable to SWEET32
• Insecure Cisco Small Business RV Series Router—This policy now flags Cisco Small Business RV
Series Routers vulnerable to CVE-2018-0125.
• Splunk Platform & Splunk Universal Forwarder
Refer to the Cortex Xpanse User Guide or Cortex Xpanse Assess User Guide for more information
about policies.

New Policies in April 2022


The following Cortex Xpanse issue policies apply to both Cortex Xpanse Expander and Cortex
Xpanse Assess. These policies were introduced or updated in April 2022:
• Advantech HMI
• Django Admin Page
• Insecure Apache Web Server Update—This policy now detects CVE-2022-22719,
CVE-2022-22720, CVE-2022-22721, and CVE-2022-23943.
• Jamf Pro
• Kaspersky Security Center
• Microso RDP Web Client
• MiniOrange SSO
• SSL/TLS CBC Ciphers Enabled
• SSL/TLS RSA_EXPORT Ciphers Vulnerable to FREAK
• ThinkPHP
• Unraid Network Attached Storage
• VMware Spring Framework
Refer to the Cortex Xpanse User Guide or Cortex Xpanse Assess User Guide for more information
about policies.

New Policies in March 2022


The following Cortex Xpanse issue policies apply to both Cortex Xpanse Expander and Cortex
Xpanse Assess. These policies were introduced or updated in March 2022:
• Adobe Commerce—This policy identifies indicators for both Magento Open Source and Adobe
Commerce. Version numbers are not identified.
• Apache Shiro
• Argo CD
• APC Smart-UPS
• ForgeRock Access Management (AM) Server
• Gitea
• Github Enterprise
• HashiCorp Vault
• IBM Planning Analytics
• Insecure Cisco Small Business RV Series Router—This policy was updated to detect
CVE-2019-1653.
• Insecure SolarWinds Orion Platform policy has been updated to mark versions 2020.2.6 or
earlier as vulnerable
• Microsoft OWA policy has been updated to identify numbers
• MongoDB Mongo-Express
• NetGear ProSafe—NetGear ProSafe under Software identified in BOD 22-01
• Okta SSO
• OpenVMS Operating System
• Puppet Infrastructure
• SAP NetWeaver Application Server—This policy was updated to enable version numbers to be
extracted under certain circumstances.
• Services Hosted in Adversary Country policy updated to include On Prem assets only
• Sophos SG Series Firewall—This policy identifies a Sophos SG Series firewall; model and serial
number are identified where available.
• Sophos XG Series Firewall—This policy identifies a Sophos XG Series firewall; model number is
identified where available.
• Sophos XGS Series Firewall—This policy identifies a Sophos XGS Series firewall; model and
serial number are identified where available.
• Zabbix IT Monitoring Software
• Zoho ManageEngine ADManager
• Zoho ManageEngine Desktop Central
• Zoho ManageEngine Desktop Central MSP—This policy identifies the presence of Desktop
Central MSP on a host; the web UI may also be surfaced.

Refer to the Cortex Xpanse User Guide or Cortex Xpanse Assess User Guide for more information
about policies.

New Policies in February 2022


The following Cortex Xpanse issue policies apply to both Cortex Xpanse Expander and Cortex
Xpanse Assess. These policies were introduced or updated in February 2022:
• AppGate SDP
• Atlassian Bitbucket
• Cisco Firepower Device policy added to update Cisco Firepower detection
• Hikvision Device
• IBM MQ
• Insecure Atlassian Confluence Servers policy updated to identify versions before 7.4.10 and
from 7.5.0 to 7.12.5
• Insecure ISC BIND 9—identifies BIND 9 servers vulnerable to CVE-2021-25219
• Insecure Microsoft Exchange Server Policy Update—This policy now identifies insecure versions
of Microsoft Exchange 2019 prior to Cumulative Update (CU) 10, Exchange 2016 prior to
CU21, and Exchange 2013 prior to CU23. This policy also identifies all End-of-Life (EOL)
versions of Microsoft Exchange
• Insecure OpenSSH
• Insecure Node.js policy updated to identify versions 12.0.0-12.22.4, 14.0.0-14.17.4, and
16.0.0-16.6.1
• Insecure PHP
• ISC BIND 9
• Long Validity Certificate policy was updated
• Microsoft Azure CycleCloud
• Roundcube Webmail
• Spiceworks
• Symantec Messaging Gateway
• VMware Workspace ONE UEM
• Wordpress Server policy updated to add the version extractor
Refer to the Cortex Xpanse User Guide or Cortex Xpanse Assess User Guide for more information
about policies.

New Policies in January 2022


The following Cortex Xpanse issue policies apply to both Cortex Xpanse Expander and Cortex
Xpanse Assess. These policies were introduced or updated in January 2022:
• Apache Hadoop Yarn Resource Manager
• Cisco Email Security Appliance (ESA)
• Cisco IOS
• Cisco Unified IP Phones
• Citrix ShareFile Server
• Citrix XenDesktop
• GitBucket
• H2 Database Console
• Insecure Apache policy updated to include all versions below 2.4.52
• Insecure MikroTik Router—identifies insecure versions of MikroTik RouterOS through 6.42.
• Microsoft Dynamics NAV
• MikroTik Router—identifies MikroTik Routers and administration portals (RouterOS).
• OctoberCMS—an open-source Content Management System
• Palo Alto Networks Bridgecrew
• Schneider Electric EcoStruxure IT Gateway
• VMWare Horizon
• VMWare RabbitMQ Management Plugin
Refer to the Cortex Xpanse User Guide or Cortex Xpanse Assess User Guide for more information
about policies.
