Extended Detection and Response
Endpoint Protection
WithSecure Elements Agent for Windows and Server
A new version of the endpoint clients is available: Elements Agent version 25.4 (internal version 25.4.231).
Endpoints upgrade automatically, without a reboot.
This release introduces new features (with Profile Editor Update) and fixes.
Features:
User-modified settings reporting:
- Agent now reports user-modified settings to the portal. These settings can be reset to profile values remotely via the portal UI.
Additional host information is now reported to the portal:
- Agent reports the current Elements Connector address used by software updater.
- Agent reports the current definition updates source address.
Improved agent UI:
- The agent UI now provides clearer indications when protection is turned off.
WithSecure Elements Agent macOS
WithSecure Elements Agent macOS 25.4.54641 was released to general availability (GA) on 24th of September 2025.
This release brings:
- Updated sensor version 25.1
- macOS 26 (Tahoe) support
Installer can be downloaded from here.
Elements Agent macOS 25.4.54641 supports the following macOS versions:
- macOS 26 Tahoe
- macOS 15 Sequoia
- macOS 14 Sonoma
Exposure Management
Luminen Enhancements
We’ve enhanced Luminen, our LLM-powered helper, to deliver clearer and more relevant descriptions for recommendations by taking into account organization-specific findings. All of this is done in a privacy-protected manner, ensuring that your data remains secure while making recommendations easier to understand and act upon. You can switch from generic recommendations to organization-specific ones and back.
Finding Details page
We’ve also enhanced the Findings details page with AI-generated CVE descriptions for vulnerabilities that appear in XM Recommendations. This update provides clearer, more contextual insights into CVEs, helping security teams better understand the nature and impact of vulnerabilities without needing to cross-reference external sources.
Enhancements to identity features
- Identity information has been enriched with Entra ID role information (visible in the Identity details flyout). Information is provided separately for privileged and non-privileged roles.
- A new column, “Last login device”, is now available in the Identities table, showing which device the identity has logged in to. If the customer has an EPP license, there is also a link to that device. The time of the login is available in the identity’s details flyout.
Exposure executive summary report
This report is now available in My Reports.
The summary report can be scheduled for emailing like any other My Reports template via the "Emails notifications and reports" tab under the Reports menu.
Shareable Views
Threat Intelligence visibility
CISA KEV threat intelligence for a CVE is now visible in the UI if the CVE is known to have a public campaign.
Exposure Management for Business
System Scan
Support for detecting vulnerabilities in the following products was added to Authenticated Scanning for Windows:
- Atlassian Jira Service Management (previously known as Jira Service Desk)
- CCleaner
- Greenshot
- HP Security Manager
- Poly Lens Desktop
- Seagate Toolkit
Support for detecting vulnerabilities in the following products was added to Authenticated Scanning:
- Apache DolphinScheduler
- Apache Fory
- Apache Kafka
- Apache Kafka Connect API
- Apache Kafka Connect Runtime
- Apache Seata
Elements Foundations
Integrations
Elements API: New Remote Operation: scanForUpdates
We've added a new remote operation that allows you to scan for available software updates on target devices.
What it does:
- Remotely triggers a scan for available software updates on selected devices
- Works on computer-type devices only
- Requires no additional parameters - simply specify the target devices
This complements the existing installSoftwareUpdates operation by providing a way to check what updates are available before deciding whether to install them.
Read more from the Elements API specification page and look for the POST /devices/v1/operations endpoint.
Elements API: New remote operation: Install Software Updates
The installSoftwareUpdate remote operation is now available in the WithSecure™ Elements API. This operation allows you to remotely install software updates on your managed devices.
Features
- Install updates by severity level (critical, important, or everything)
- Install specific updates using bulletin IDs
- Target individual devices or device groups
- Option to force close applications during updates
This remote operation is supported for the "computer" device type only.
Read more from the Elements API specification page and look for the POST /devices/v1/operations endpoint.
Other items of interest
Threat Advisory: Citrix NetScaler
CVE-2025-7775 – Remote Code Execution (RCE) Vulnerability
Technical Summary
- On August 26, 2025, Shadowserver reported that over 28,000 Citrix NetScaler instances remained unpatched against CVE-2025-7775, a critical RCE vulnerability.
- The vulnerability allows unauthenticated attackers to execute arbitrary code remotely on affected appliances. Exploitation in the wild has been confirmed by its inclusion in the CISA KEV (Known Exploited Vulnerabilities) list [1].
- Germany was identified as one of the top affected countries, alongside the United States, indicating widespread risk among European enterprise environments.
- Unpatched systems are actively being scanned and targeted.
NEW: WithSecure Elements: Customer onboarding welcome email flow
We’re excited to announce that the Customer Onboarding Welcome Email Flow is now live in production!
Newly onboarded customers and partners purchasing a product for the first time will automatically receive onboarding emails. This applies to both company-managed and partner-managed scenarios.
What’s Included in the Flow
- Welcome to Elements, Getting started guidance
- “Have you logged into Elements Security Center?” reminder
- Useful resources for using WithSecure Elements
Email 1: Welcome to Elements, Getting started guidance
This mail is sent immediately after the purchase is registered in our system.
Email 2: “Have you logged into Elements Security Center?” reminder
This mail is sent two days after the purchase is made.
Email 3: Useful resources for using WithSecure Elements
This mail is sent 9 days after the purchase is made.
In case you missed it
Elements Role Assignments changes - 15 December 2025
Last year, we announced that we are making changes to how user roles are assigned in WithSecure Elements. You can read more about the next steps in our dedicated article.
Retirement of Vulnerability Management Users settings
We will be retiring the settings page for organizing Vulnerability Users by the end of 2025, with management of these being moved to a more central “Elements-Wide” location.
You can find out more in this dedicated article.
Share your ideas with us
Our purpose is to co-secure the world with you – now as WithSecure™. To co-create the best possible cyber security products and services, we warmly recommend you share your ideas via the Ideas section of the WithSecure Community, now accessible directly from WithSecure™ Elements Security Center.
Further information
Changelogs and Release Notes for all parts of WithSecure™ Elements can be found at the Help Center