Extended Detection and Response
Email and Collaboration Protection
We have released an update to a number of underlying libraries to improve performance, maintain compatibility and unify their use with other Elements Security Center components. Please note: these updates have resulted in minor adjustments to some UI styles.
Disclaimer in the email notifications
A new disclaimer message has been added to the external administrator email notifications, with its content configured in the policy. The disclaimer text, in English, is “You are receiving this email because your organization uses the WithSecure Elements Collaboration Protection solution, and an administrator has set up this notification. If you have any questions, please contact your administrator.”
Identity Security
Identity Inventory Capability
We have now introduced a new feature in WithSecure Elements Identity Security for Entra ID: the Identity Inventory capability.
How to Set Up:
- Go to the Cloud → Microsoft tenants page in Elements.
- Connect the new Identity Inventory capability by giving permission to read Entra ID data (no Azure subscription needed).
- Wait for the scan to complete (it may take up to 36 hours).
- View all identity data in Environments → Identities.
With Identity Inventory, you can easily see:
- All users and service principals
- Their types and roles
- MFA (Multi-Factor Authentication) status.
This update gives you a clear view of identities in your Entra ID environment.
Exposure Management
We are happy to share new improvements.
Finding definitions tab added under Environment → Exposure
The Finding Definitions page now lists all potential finding types that Exposure Management can detect—across vulnerabilities, identities, cloud assets, and external attack surfaces. Unlike the Findings tab, this view includes definitions even if no asset is currently affected. It supports pagination, saved filters, and navigation to related data, consistent with other XM views.
Service principal tab added under Environment → Identities
The identities list now includes Entra service principals alongside users, providing basic information for each service principal. It supports pagination, saved filters, and navigation to related data, consistent with other XM views.
Vulnerability reports now have a new home
The Vulnerability reports view is now also available under the common Elements Reports > Email Notifications and report section.
The existing Reports > Vulnerability reports view will run side by side with it until it is fully deprecated in favor of its new home.
Identities page shows only active Identities by default
The Identities page now has a new default filter that shows only identities with an enabled account status, for both Users and Service principals. To see all identities, remove the filter.
Scoring clarifications
To clarify how XM scoring works, info bubbles have been added to all relevant risk and impact columns in the Findings and Asset widgets and lists, as well as on the Recommendation and Findings details pages.
Attack path visualization
The Attack Path visualization has now been updated to show verified connections between nodes in the attack path diagrams.
An option to show verified network connections has been added to the main Attack Path visualization view. This option is enabled by default and may be toggled through the control panel.
Connections are green when verified connection findings are available. Connections are shown as dashed lines where verifications are unavailable. Verifications will not be possible if the source node does not have the EDR agent installed. The step flyout now includes fields that show which ports are reachable from the source node. The legend panel includes new explanatory text and a key for the new line styles. The Attack Path simulator discards findings older than 30 days.
Exposure Management for Business
WithSecure Vulnerability Management
- Resolved an issue where the Overall Status widget continued to display outdated vulnerability data even after all assets and scans were removed. The widget now correctly shows no data when no assets or scans are present.
- Resolved an issue where email notifications about low disk space on scan nodes were not being sent.
- Added a popup announcing the removal of the Vulnerability Users page by the end of 2025.
- Added pop-up notifications to inform users about the upcoming removal of the following pages by the end of 2025:
- Home → Vulnerabilities,
- Reports → Vulnerability reports,
- Exposure → Vulnerabilities,
- Exposure → Vulnerability coverage.
System Scan
Support for detecting vulnerabilities in the following products was added to Authenticated Scanning for Windows:
- AutoHotkey
- Bambu Studio
- baramundi Management Agent
- Dell Display and Peripheral Manager
- Eaton Intelligent Power Protector
- HP Client Management Script Library
- MailStore Outlook Add-in
- Netbird VPN
- Nixdorf Wincor PORT IO Driver
- NVIDIA App
- NVIDIA Nsight Graphics
- QNAP NetBak Replicator
- Raspberry Pi Imager
- Serviceware Processes
- Sony Optical Disc Archive Software
- Stashcat
Elements Foundations
Elements Security Center
Detection & Response Reports
In line with our plans for unification and streamlining the reporting experience, the Detection & Response Reports view in Elements has now been transitioned to read-only mode.
What does this mean?
- You can no longer create new schedulers or modify existing ones in the Detection & Response Reports view.
- Existing active schedulers will continue to generate reports, and you can still download these reports as usual, until the view is fully removed.
What should you do next?
We encourage you to start using the My Report tab and set up your report there as soon as possible. My Report provides all the same reporting capabilities as the previous view - and even more. It offers an improved and more intuitive experience, with ongoing enhancements and new features planned. Moving to My Report now will ensure you have uninterrupted access to your reports and benefit from the latest updates.
The complete removal of the Detection & Response Reports view is planned for Q1 2026.
Endpoint Protection access now available across multiple organizations
Elements Security Center users (security administrators) can now be granted Endpoint Protection access to multiple organizations. This eliminates the need for email plus addressing (example+subaddress@example.com) to create additional W/ Business Accounts for a user’s base email address.
Previously, Elements Security Center users could hold roles in multiple organizations, except for Endpoint Protection roles. This exception has now been removed, and the other roles function as before.
Example
Suppose these two plus-addressed user accounts granted partner administrator John Doe access to only two of 10 companies under the partner’s Solution Provider:
John Doe had to log into Elements Security Center twice to work with companies A and B. Now, plus-addressed accounts are unnecessary. They can be replaced with a single john.doe@Doe.com account. The IAM administrator for the Solution Provider managing companies A and B (among 10 total) can grant John Doe access to both companies:
- Go to Elements Management > Organization Settings > Security Administrators view
- Change scope to company A
- Click “Add administrator” and enter john.doe@Doe.com
- Assign Endpoint Protection (or other) roles
- Click “Add”
- Change scope to company B
- Repeat steps 3-5 to assign roles for company B
Afterward, the user account john.doe@Doe.com sees companies A and B in the scope selector and can switch between them without separate accounts.
Effect on partner and company-level views
When a user is granted the EPP role at the partner level, it affects partner-level views. These views are not influenced by company-level role assignments, which neither restrict nor extend partner-level permissions when the partner organization is selected as the current view.
When viewing a single company, the EPP role granted to a user at the company level extends (i.e., adds to) the roles assigned at - and inherited from - the partner level.
Example
John Doe (john.doe@Doe.com) has read-only access to Solution Provider in the role Computers & mobiles: Read-only. He can list devices for companies A and B managed in this Solution Provider but cannot modify them due to lacking full editing rights. John can use the scope selector to direct Elements Security Center portal views to companies A or B, where he retains read-only permissions.
The Solution Provider IAM Administrator can grant John Doe the Computers & mobiles: Full editing role for company A only:
- Go to Elements Management > Organization Settings > Security Administrators view
- Change scope to company A
- Click “Add administrator” and enter john.doe@Doe.com
- Assign the Computers & mobiles: Full editing role
- Click “Add”
When John selects Solution Provider as scope, device lists for companies A and B remain read-only per partner-level access. Changing scope to company A enables him to edit devices there, while access to company B stays read-only.
Access across partner hierarchies
Cross-tenant security policy prevents access to company and partner organizations under different Solution Providers by default.
A user with access to an organization under one Solution Provider cannot be added to an organization under another Solution Provider unless WithSecure links the two Solution Providers with a trust relationship. Once a user account associates with one Solution Provider, attempting to grant permissions for an organization under another Solution Provider causes a “User cannot be added to this organization” error in the Security Administrators view.
Recommended action on email plus addressing (example+subaddress@example.com)
You can now use your primary account and email to add EPP access for multiple company or partner organizations. We recommend removing previously created plus-addressed accounts and assigning grants directly to the main account. Elements will provide access to multiple organizations without logging out and back in to switch contexts. All accessible organizations will appear in the scope selector after logging in with the primary email.
Note that Entra ID Federated SSO does not support plus addressing. Removing plus addressed user accounts enables federation of your email domain with Elements and allows Entra ID to serve as the primary identity provider for Elements Security Center.
Summary
- A Solution Provider partner user can be granted EPP access to selected:
  - Service Provider organizations
  - Company organizations
  The administrator can switch between permitted organizations using the scope selector. They may lack access to other organizations or have read-only access to all, with higher access to manage selected organizations.
- A Service Partner user can be granted EPP access to selected company organizations.
  The administrator can switch between permitted companies using the scope selector. They may lack access to other companies or have read-only access to all, with higher access to manage selected companies.
- A partner does not need a dedicated plus-addressed account when managing only the EPP aspect of company security while other aspects are managed by the company or WithSecure directly (e.g., XDR, WithSecure Infinite).
  The administrator can switch to the partially managed company using the scope selector, even if the company lies outside the partner Solution Provider hierarchy. Logging out and back in with a different account is no longer required.
Integrations
WithSecure API: New response actions to enable new workflows
We've added new response action endpoints under
POST /response-actions/v1/execute/<name>
to expand remote execution capabilities for both device and identity management.
This allows you to automate new workflows that involve acting on the target devices and identities.
This release increases the number of API supported response actions from 8 to 32.
Device response actions
The following device response actions are available:
- Create full memory dump - Uploads a full memory dump from the device
- Delete registry key or value - Deletes a specified Windows registry key or value
- Delete scheduled task - Deletes a specified Windows scheduled task
- Delete Windows service - Deletes a specified Windows service
- Delete WMI persistence objects - Deletes Windows Management Instrumentation (WMI) persistence objects
- Enumerate running processes - Enumerates running processes on the device
- Enumerate WMI persistence mechanisms - Enumerates WMI persistence mechanisms, including event consumers, filters, and bindings
- List file system structure - Lists the file system structure based on path matching patterns
- List registry keys and values - Lists Windows registry keys and values based on path matching patterns
- List scheduled tasks - Lists all Windows scheduled tasks on the device
- Retrieve amcache files - Retrieves the application compatibility cache file from the device
- Retrieve antivirus logs - Retrieves antivirus software log files for security analysis
- Retrieve browser artifacts - Retrieves the browser history from the device
- Retrieve event log tracing files - Retrieves .etl event log tracing files with records of system activities
- Retrieve files from device - Retrieves files from the device based on path matching patterns
- Retrieve jump list files - Retrieves jump lists stored in the AutomaticDestinations and CustomDestinations subfolders
- Retrieve master boot record - Retrieves the master boot record (MBR) from a specified drive
- Retrieve master file table - Retrieves the master file table (MFT) from a specified drive
- Retrieve network connections - Retrieves network connections, routing tables, interface statistics, and related process information
- Retrieve prefetch files - Retrieves Windows prefetch files with evidence of program execution
- Retrieve process memory dump - Retrieves a memory dump of a specific process
- Retrieve RDP cache files - Retrieves remote desktop protocol (RDP) bitmap cache files
- Retrieve recently accessed files - Retrieves information about recently accessed files and folders from user activity artefacts
- Retrieve registry hive files - Retrieves Windows registry hive files
- Retrieve SRUM database - Retrieves the system resource usage monitor (SRUM) database
- Retrieve Windows event log entries - Retrieves Windows event log entries based on specified filters
- Retrieve Windows event log files - Retrieves Windows event log files
- Terminate process - Terminates processes matching the specified patterns
- Terminate thread - Terminates a thread
Identity response actions
The following identity response actions are available for Microsoft Entra:
- Block user access in Microsoft Entra - Blocks access for a user to all resources inside the Microsoft Entra ecosystem
- End Microsoft Entra session - Ends the Microsoft Entra session of a user
- Reset Microsoft Entra password - Resets the Microsoft Entra password of a user
Response action results and attachments
Response actions are processed asynchronously: once triggered, you can monitor their progress. A new endpoint is available for retrieving the actual results of response actions that return data (for example, memory dumps or other files):
GET /response-actions/v1/responses/tasks
By using this endpoint, you can download any files or attachments produced by completed response actions. To determine when your action has finished, first poll the state via GET /response-actions/v1/responses. When the action is marked as finished, your attachments are ready for download from the tasks endpoint.
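The trigger, poll and fetch sequence described above, as an added example that is not WithSecure's own client code. Only the three endpoint paths come from these release notes; the base URL, the bearer-token header, the request body, the response JSON keys (id, state, items, attachments, downloadUrl), the ?id= query parameter and the action name enumerate-running-processes are assumptions to be checked against the Elements API Reference.

```python
"""Trigger one Elements response action, wait for it, then collect its attachments."""
import json
import time
import urllib.request

# Assumed placeholders: base URL, bearer-token auth, the request body and response
# JSON keys, and the ?id= query parameter. Only the three paths come from the notes.
BASE_URL = "https://api.connect.withsecure.com"


def http_json(method, url, body, headers):
    """Minimal JSON-over-HTTPS transport (30 s timeout, no retries)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def run_action(name, targets, token, transport=http_json, poll_seconds=5.0, max_polls=120):
    """POST execute/<name>, poll /responses until finished, then read /responses/tasks."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    created = transport("POST", f"{BASE_URL}/response-actions/v1/execute/{name}",
                        {"targets": targets}, headers)
    action_id = created["id"]
    for _ in range(max_polls):  # the action runs asynchronously: poll its state first
        status = transport("GET", f"{BASE_URL}/response-actions/v1/responses?id={action_id}",
                           None, headers)
        if status["state"] == "finished":
            break
        time.sleep(poll_seconds)
    else:
        raise TimeoutError(f"action {action_id} not finished after {max_polls} polls")
    # Attachments are only ready on the tasks endpoint once the action is finished
    tasks = transport("GET", f"{BASE_URL}/response-actions/v1/responses/tasks?id={action_id}",
                      None, headers)
    return [att for task in tasks["items"] for att in task.get("attachments", [])]


def fake_transport():
    """Constructed offline stand-in for http_json: first poll pending, second finished."""
    polls = [0]
    def send(method, url, body, headers):
        if method == "POST" and "/execute/" in url:
            return {"id": "act-123"}
        if "/responses/tasks?" in url:
            return {"items": [{"attachments": [
                {"name": "processes.json", "downloadUrl": "https://example.invalid/dl/1"}]}]}
        polls[0] += 1
        return {"state": "pending" if polls[0] < 2 else "finished"}
    return send


def demo():
    """Run the workflow against the constructed transport, so no network is needed."""
    return run_action("enumerate-running-processes", ["device-id-placeholder"],
                      "token-placeholder", transport=fake_transport(), poll_seconds=0)
```

Swap fake_transport() for the default http_json and a real token to run it against the API.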
Start building
Full API documentation is available at Elements API Reference | WithSecure™ Connect
WithSecure Elements Connector
A new release of Elements Connector 25.44 for both Windows and Linux is now available.
This release includes the following changes:
Event forwarding:
- Language option for forwarded events: A new setting in the Elements Connector profile allows localization of forwarded event messages.
- Support for Exposure Management (XM) events: XM events are now supported, enhancing visibility into exposure-related data.
Vulnerability fixes:
- Java 17 update (17.0.15 → 17.0.17): Addressed vulnerabilities: CVE-2025-53066, CVE-2025-53057.
- Spring Framework 6.2 update (6.2.3 → 6.2.11): Addressed vulnerabilities: CVE-2025-41248, CVE-2025-41249.
Other fixes and improvements:
- Early-access group support: Elements Connector now correctly supports early-access group updates, aligning behavior with public channel versions.
- Linux uninstallation fix: Fixed an issue where the update service was not properly removed during uninstallation on Linux systems.
Other items of interest
Threat Advisory information
Docker Compose Path Traversal Vulnerability (CVE-2025-62725)
Technical Summary
- A critical vulnerability in Docker Compose's handling of OCI-based artifacts allows attackers to perform path traversal and write arbitrary files to the host system. This flaw stems from improper validation of layer annotations in YAML files, which are widely used in CI/CD pipelines and development environments.
- Attackers can exploit this flaw by tricking users into referencing a malicious remote artifact. This enables them to escape the Compose cache directory and write files anywhere the Compose process has permissions—potentially leading to full host compromise, data tampering, or privilege escalation.
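The mitigation for this bug class, as an added example that is not Docker Compose's code: each layer destination read from an artifact annotation is canonicalised and checked to remain inside the cache directory before anything is written. The cache directory path and the annotation values are constructed for illustration.

```python
"""Containment check for layer destinations taken from untrusted OCI artifact annotations."""
import os

CACHE_DIR = "/tmp/compose-cache"  # constructed example location, not Compose's real cache path


def resolve_layer_path(cache_dir, annotation_path):
    """Return the absolute destination for a layer, or raise ValueError if it would
    land outside cache_dir. The annotation is attacker-controlled: absolute paths,
    '..' segments and symlinked parents must all be caught here, before any write."""
    if not annotation_path or os.path.isabs(annotation_path):
        raise ValueError(f"empty or absolute layer path rejected: {annotation_path!r}")
    root = os.path.realpath(cache_dir)
    dest = os.path.realpath(os.path.join(root, annotation_path))
    # realpath collapses '..' and resolves symlinks; what remains is a plain
    # prefix test on the final, canonical location
    if os.path.commonpath([root, dest]) != root:
        raise ValueError(f"layer path escapes the cache directory: {annotation_path!r}")
    return dest


def check_layers(cache_dir, annotation_paths):
    """Classify each annotation as ('accepted', destination) or ('rejected', reason)."""
    results = {}
    for path in annotation_paths:
        try:
            results[path] = ("accepted", resolve_layer_path(cache_dir, path))
        except ValueError as exc:
            results[path] = ("rejected", str(exc))
    return results


def demo():
    """Constructed annotations: two benign, three that try to leave the cache."""
    return check_layers(CACHE_DIR, [
        "layers/app.tar", "sub/../compose.yaml",
        "../outside.txt", "a/../../outside.txt", "/tmp/outside.txt"])
```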
Docker – runc Container Escape & Isolation Bypass
Technical Summary
- runc is the low-level container runtime used by Docker, Kubernetes, and other platforms to spawn and manage containers. Recent vulnerabilities in runc may allow attackers to escape container boundaries and gain unauthorized access to the host system.
- CVE-2025-31133 (CVSS 7.1): Exploits maskedPaths to bypass container filesystem isolation.
- CVE-2025-52565 (CVSS 8.4): Race condition in /dev/console mount allows container escape and arbitrary file writes.
- CVE-2025-52881 (CVSS 7.3): Bypasses Linux Security Modules (LSM) and enables arbitrary write gadgets, undermining host protections.
- These vulnerabilities can lead to privilege escalation, host compromise, and data tampering, especially in multi-tenant or production environments.
Share your ideas with us
Our purpose is to co-secure the world with you – now as WithSecure™. To co-create the best possible cyber security products and services, we warmly recommend you share your ideas via the Ideas section of the WithSecure Community, now accessible directly from WithSecure™ Elements Security Center.
Further information
Changelogs and Release Notes for all parts of WithSecure™ Elements can be found at the WithSecure User Guides page.