CVE fix guidance, endpoint insights, and dashboard trends
New
- The free CVE lookup tool now shows how to fix each vulnerability: the version to upgrade to for affected applications and Linux distributions, the exact security update to install for affected Windows editions and core Microsoft products (Office, Exchange Server, SharePoint, and SQL Server), and the version to update to for affected Apple platforms (macOS, iOS, iPadOS, and more), each linked to the vendor or distribution security advisory it comes from. When no published fix has been found yet, the page says so plainly instead of guessing.
- Settings > Client now lets you hide the TridentStack Control tray icon on endpoints. The agent keeps running and managing the device in the background; only the tray icon and the window users can open are hidden. Applies to Windows and macOS.
- A new Windows update management choice in Settings > Client lets you keep TridentStack Control in sole control of Windows updates (recommended), or switch to a hybrid mode where Windows can also install updates on its own alongside TridentStack Control.
- Settings > Client now lets you control whether endpoints show a restart prompt before a managed restart. Turn it off for unattended endpoints that should restart silently after updates finish.
- The security dashboard now charts Open Vulnerabilities by Severity over time, plotting your total, critical, high, medium, and low open vulnerabilities as separate color-coded lines across the selected window, so you can see at a glance whether your exposure is trending up or down.
- On the dashboard, clicking a slice (or legend entry) of the Vulnerability Severity breakdown now opens the full vulnerability list filtered to that severity, so you can jump straight from the overview to the affected CVEs.
- The free CVE lookup tool now has an About page that explains what the tool is, defines the key terms (CVE, CVSS, EPSS, and CISA KEV), and shows exactly where every CVE record and fix comes from, the license behind each source, and how much of the catalog has an available fix. It is linked from the CVE tool and the site footer.
- Endpoints list: new Compliance % column showing each endpoint's overall framework compliance.
- Endpoints list: new Last Deployment column showing each endpoint's most recent update deployment result.
- Admins can set a default column layout for each table that new users inherit automatically.
Improved
- Saved table views: click the star on any column preset to make it your default; your default now follows you across devices.
- The free CVE lookup is now a dedicated, full-screen tool that mirrors the experience inside TridentStack Control. It scrolls as a single focused view with no competing scrollbars, adds a Fix column you can filter and sort by to surface vulnerabilities that have an available fix, and expanding any CVE now shows the same rich detail layout (CVSS breakdown, exploit intelligence, references) and a "Remediation Available" panel with the exact fixed versions to upgrade to, each linked to its vendor or distribution advisory.
- The free CVE lookup tool now works well on phones: the catalog shows tappable cards (severity, CVSS, exploit-prediction, exploited status, and fix availability at a glance) with a sort control, instead of a wide table you had to scroll sideways. Tapping a card opens the same full CVE detail inline. The desktop table view is unchanged.
- The free CVE lookup tool now gives actionable guidance for vulnerabilities that have no published fix yet, instead of a dead end: it flags end-of-life products that should be taken offline, shows the official CISA remediation action and due date for actively exploited vulnerabilities awaiting a patch, and points to the relevant vendor advisories.
- The free CVE lookup tool now covers open-source software dependencies: vulnerabilities in npm, PyPI (Python), Go, Maven (Java), RubyGems, crates.io (Rust), NuGet (.NET), and Packagist (PHP) packages now show the package version to upgrade to, each linked to its source advisory.
- The free CVE lookup tool now shows Red Hat's official guidance when available: which products Red Hat has decided not to patch, and the recommended mitigation steps, linked to Red Hat's advisory.
- The free CVE lookup tool now flags when a fix lands on a Linux distribution release that has reached end-of-life (such as older Ubuntu, Debian, or Red Hat releases), including whether extended security maintenance is still available, so you know to plan an upgrade rather than rely on an unsupported platform.
- On the free CVE lookup tool, each CVE's reference links are now grouped by type (patch, vendor advisory, exploit, third-party advisory, and more), so you can jump straight to the official fix or advisory instead of scanning a flat list. CVE pages that have an available fix now also highlight that in the page title and search-result preview.
- The free CVE lookup tool now lets you browse vulnerabilities by weakness type (such as Cross-Site Scripting, SQL Injection, or Use After Free) and adds a dedicated page for actively exploited (CISA KEV) vulnerabilities. Each view ranks the CVEs by exploitability and shows the fixes available, so you can quickly find every vulnerability of a given kind or every one that is being exploited.
- The free CVE lookup tool now offers subscribable feeds, in both RSS and JSON, for recently added CVEs, newly added actively exploited (CISA KEV) vulnerabilities, and the highest-risk vulnerabilities. Follow them from your feed reader or wire them into your own tooling to track new threats as they appear.
- The free CVE lookup tool now has a live statistics page showing the size of the vulnerability catalog, how many CVEs have an available fix, the breakdown by severity and year, and the most common weakness types. Every CVE page also now offers an embeddable status badge you can add to a README, security advisory, or site, showing the CVE's severity and exploited status at a glance.
- The free CVE lookup tool now shows a fix for tens of thousands more vulnerabilities, roughly doubling its remediation coverage, by deriving the fixed version from the affected-version data published with each CVE (clearly marked as derived). This is especially impactful for actively exploited vulnerabilities, many of which now show a concrete version to upgrade to. A vendor-stated fix, when one exists, is always shown in preference.
- The page for tracking in-progress deployment rollouts is now labeled "Rollout Status" in the navigation (previously "Rollouts"), making it clearer at a glance what the page is for.
- Endpoints list: new Applicable Updates column (combined system + app updates) and a shorter Sys Updates label.
- Remediate a vulnerability on a single endpoint even when no update policy covers the fix. The Remediate dialog now offers a one-off install, clearly marked as outside policy, showing the exact app or update and target version. Works for both application updates and Windows system updates where the fix applies.
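The derived-fix behaviour described in the Improved list above (a fixed version taken from the affected-version data published with each CVE, with a vendor-stated fix always preferred) can be sketched as follows. This is an added example, not TridentStack's code: it assumes the data arrives as CVE Record Format 5.x `affected` entries, and the function names, the `vendor_fix` parameter and the sample records are constructed for illustration.

```python
# Added example: derive a "fixed in" version from CVE Record Format 5.x
# affected-version ranges. Field names (versions, status, lessThan,
# lessThanOrEqual, changes, at) follow the public CVE JSON schema;
# function names and sample records are hypothetical.

def derive_fixed_versions(affected_entry):
    """Return candidate fixed versions for one `affected` product entry."""
    fixes = []
    for v in affected_entry.get("versions", []):
        if v.get("status") != "affected":
            continue
        upper = v.get("lessThan")
        # An exclusive upper bound is the first version outside the affected
        # range. "*" means unbounded, so nothing can be derived from it.
        if upper and upper != "*":
            fixes.append(upper)
        # lessThanOrEqual only names the last affected version; the next
        # release is unknown, so no fix is derived from it.
        for change in v.get("changes", []):
            # A status change inside the range can also mark the fix point.
            if change.get("status") == "unaffected":
                fixes.append(change["at"])
    return list(dict.fromkeys(fixes))  # de-duplicate, keep record order


def remediation(affected_entry, vendor_fix=None):
    """Prefer a vendor-stated fix; otherwise label the result as derived."""
    if vendor_fix:
        return {"fixed": [vendor_fix], "source": "vendor"}
    derived = derive_fixed_versions(affected_entry)
    if derived:
        return {"fixed": derived, "source": "derived"}
    return {"fixed": [], "source": "none"}  # say so rather than guess


# Constructed sample records (not real CVE data).
TWO_BRANCHES = {"vendor": "example-vendor", "product": "example-app", "versions": [
    {"version": "1.0.0", "lessThan": "1.4.2", "status": "affected", "versionType": "semver"},
    {"version": "2.0.0", "lessThan": "2.1.5", "status": "affected", "versionType": "semver"},
]}
INCLUSIVE_ONLY = {"versions": [
    {"version": "0", "lessThanOrEqual": "3.9.1", "status": "affected", "versionType": "semver"},
]}
CHANGE_POINT = {"versions": [
    {"version": "5.0.0", "lessThan": "*", "status": "affected", "versionType": "semver",
     "changes": [{"at": "5.2.3", "status": "unaffected"}]},
]}

if __name__ == "__main__":
    for record in (TWO_BRANCHES, INCLUSIVE_ONLY, CHANGE_POINT):
        print(remediation(record))
```

A record that only gives an inclusive upper bound yields no derived fix, which matches the page's stated behaviour of reporting that no fix was found rather than guessing.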
Fixed
- Fixed an issue where a Windows update intended only for Windows client editions could be offered to a Windows Server endpoint that shares an underlying version, where it would fail to install. These updates are no longer offered to servers they do not apply to, and Server cumulative updates continue to install normally.
- Fixed an issue where a long-running Windows feature update (such as Windows 10 to Windows 11) could be reported as timed out, and stop short of completing, when its preparation stage ran longer than expected and the endpoint briefly stopped reporting in. These upgrades are now given the full time they need to finish and report their real result.
- Fixed a case where a leftover status check from an earlier feature-update attempt on an endpoint could cause a later, unrelated feature update on that same endpoint to be misreported as failed or stuck awaiting a restart. Feature update results are now tracked accurately for each attempt.
- Fixed a case where a Windows feature update (such as Windows 10 to Windows 11) that finished its lengthy preparation stage while the endpoint was briefly offline could stall and never finish, because the endpoint's "preparation complete" report was lost. The endpoint now re-sends that report as soon as it reconnects, so the update resumes and completes on its own.
- Fixed an issue where, after a Windows feature update (such as Windows 10 to Windows 11) finished installing and the endpoint restarted, the TridentStack Control app on that endpoint could keep showing a "Finalizing Windows upgrade..." status indefinitely even though the update was already complete. The status now clears on its own once the update finishes.
- Fixed the deployment ring status shown on an endpoint's update list so it reflects the real maintenance-window state. A ring on a set schedule (for example, Thursday nights) no longer appears to be actively deploying around the clock; outside its window it now shows when the next window opens, and it only shows as active while its window is genuinely open.
- Fixed an issue where a phased Windows feature update rollout (for example, Windows 10 to Windows 11) could halt for an entire deployment ring when just one endpoint was safely skipped by a pre-flight readiness check, such as not enough free disk space, hardware that does not meet the upgrade's requirements, or a prerequisite update not yet installed. Those endpoints are now treated as safely skipped rather than failed, are retried automatically on the ring's next window once they are ready, and no longer hold up the upgrade for the rest of the ring.
- Fixed an issue where a deployment ring that automatically halted (after too many endpoints failed) would not send its halt alert, so the auto-halt could go unnoticed. These alerts, including the list of endpoints that triggered the halt, are now delivered reliably.
- Fixed search on the Agent Tags page: typing in the tag search box returned no results even when matching tags existed. Searching your tags by name now works as expected.
- Fixed endpoint search on the Endpoints list: results could briefly appear and then disappear as the list refreshed, and search only looked at endpoints already loaded on the page. Searching now covers your entire fleet (by hostname, IP address, operating system, user, agent version, update policy, or tag), stays stable while the list auto-refreshes, and "Select All" while searching selects every matching endpoint.
- Fixed an issue where some administrators could not share a saved table view with their team, or set a team-wide default column layout, even though they had the necessary settings permission. These actions now work for any administrator with settings access.
- Fixed an issue where an endpoint with no application update policy assigned could still show pending application updates (and offer to remediate a vulnerability as though a policy already covered it). Endpoints without an application policy now correctly show no pending application updates, and the count is kept accurate automatically if a policy is later removed or deactivated.
- Fixed an issue where applying several automation rules in a row (the rules that automatically tag your endpoints) could start failing with a generic "Failed to apply rule" error after only a few, even though nothing was wrong. You can now apply all of your automation rules in one pass, and in the rare case a temporary limit is reached, the message clearly asks you to wait a moment and try again instead of looking like a broken button.
- Fixed an issue where a vulnerability in an endpoint's list could keep showing an application's old name (with an outdated version number baked into the name) even after the application had been updated, making the row appear to list two different versions. The product name shown for a vulnerability now refreshes on the next scan to match the currently installed software.
- Fixed an issue where an endpoint with no system update policy assigned could still show a system update policy, and pending system updates, as though one were assigned. System update policies now apply to endpoints only through tags, exactly like application update policies; an endpoint with no policy tag now correctly shows "None assigned" and no pending system updates. The count is kept accurate automatically if a policy is later removed or deactivated. (Linux endpoints are unaffected.)