Version 2.0.2.8 (Latest Release)
Release Date: February 24, 2026
What's New in This Release
Version 2.0.2.8 delivers targeted bug fixes improving data accuracy for Windows environments and strengthens pre-flight connectivity checks for Splunk deployments. This release also upgrades the bundled OpenSSL library to version 3.5.4, resolving three security vulnerabilities (CVE-2025-9230, CVE-2025-9231, CVE-2025-9232).
🐛 Bug Fixes
Fixed: Windows Observer OS Fields All Reporting Same Kernel Build Number
Issue: On Windows, four distinct observer fields all reported the same raw kernel build string instead of their semantically correct values:
- observer.kernel_version — full Windows build string (e.g., 10.0.17763.8280 Build 17763.8280)
- observer.os.kernel — short kernel identifier (e.g., 17763.8280)
- observer.os.version — OS display version (e.g., 10.0.17763.8280)
- observer.platform_version — platform-level version string
Resolution: Windows version string parsing was updated to extract and assign distinct values to each field from the PlatformVersion component. Linux and macOS paths were unaffected.
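As an added illustration (not the scanner's own code), the following parser derives the three documented field values from a Windows PlatformVersion string and includes a check for the regression described above, where every field carries the same raw string. The field names follow the release notes; the regular expression, the handling of a missing "Build" suffix, and the value kept for observer.platform_version (the raw input, since the notes give no example for it) are assumptions of this example.

```python
import re

# Matches "10.0.17763.8280 Build 17763.8280" and also the bare form
# "10.0.17763.8280" (the "Build ..." suffix is treated as optional here;
# that tolerance is an assumption of this example).
_PLATFORM_RE = re.compile(
    r"^\s*(?P<version>\d+\.\d+\.(?P<kernel>\d+(?:\.\d+)?))"
    r"(?:\s+Build\s+(?P<build>\d+(?:\.\d+)?))?\s*$"
)

FIELDS = (
    "observer.kernel_version",
    "observer.os.kernel",
    "observer.os.version",
    "observer.platform_version",
)


def parse_windows_platform_version(platform_version: str) -> dict:
    """Split one Windows PlatformVersion string into distinct observer fields.

    Raises ValueError on input that does not look like a Windows build string,
    or when the trailing "Build" number disagrees with the kernel component.
    """
    m = _PLATFORM_RE.match(platform_version)
    if not m:
        raise ValueError(f"unrecognised PlatformVersion: {platform_version!r}")
    version = m.group("version")   # e.g. 10.0.17763.8280
    kernel = m.group("kernel")     # e.g. 17763.8280
    build = m.group("build")       # e.g. 17763.8280, or None if absent
    if build is not None and build != kernel:
        raise ValueError(
            f"Build suffix {build!r} disagrees with kernel component {kernel!r}"
        )
    raw = platform_version.strip()
    return {
        "observer.kernel_version": raw,      # full Windows build string
        "observer.os.kernel": kernel,        # short kernel identifier
        "observer.os.version": version,      # OS display version
        "observer.platform_version": raw,    # assumption: raw platform string
    }


def has_collapsed_fields(fields: dict) -> bool:
    """True when the three documented fields are identical, i.e. the pre-2.0.2.8 bug.

    Useful as a post-scan sanity check on emitted events: a record where
    os.kernel, os.version and kernel_version all match is a sign that the
    raw string was copied into every field instead of being parsed.
    """
    values = {
        fields.get("observer.kernel_version"),
        fields.get("observer.os.kernel"),
        fields.get("observer.os.version"),
    }
    return len(values) == 1


if __name__ == "__main__":
    sample = "10.0.17763.8280 Build 17763.8280"   # constructed sample input
    parsed = parse_windows_platform_version(sample)
    for name in FIELDS:
        print(f"{name:<28} {parsed[name]}")
    print("collapsed:", has_collapsed_fields(parsed))
```

Run it as a script to see the four fields printed for the sample build string; feeding it a record from an older scanner (all fields equal to the raw string) makes has_collapsed_fields return True, which is the condition SIEM-side validation can alert on.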
Fixed: Windows Active Directory Domain Not Populated in observer.domain
Issue: On domain-joined Windows machines, observer.domain was not populated with the Active Directory domain. Instead, it only contained the DNS suffix parsed from the hostname, causing incorrect asset correlation in enterprise environments.
Resolution: The scanner now retrieves the AD domain from the Windows registry and populates both observer.domain and observer.organization correctly. The same values are mirrored to tychon.host.domain and tychon.host.organization for downstream compatibility.
Impact: Affects all domain-joined Windows endpoints. Asset grouping, compliance reporting, and SIEM correlation by domain will now reflect the correct AD domain name.
Fixed: Machine Serial Number Registry Error on VMs and Cloud Instances
Issue: Windows scans on virtual machines (VMware, Hyper-V) and cloud instances (AWS, Azure) failed to retrieve observer.machine_serial_number, logging:
Failed to get system serial number from registry: cannot find file
Resolution: Serial number retrieval now falls back through multiple registry paths and WMI queries when the primary registry key is absent. The scanner now successfully populates both observer.machine_serial_number and observer.bios_serial_number across bare metal, VM, and cloud environments.
Impact: Unique device identification and asset correlation now work correctly across all Windows deployment types including cloud-hosted endpoints.
Fixed: No Splunk Connectivity Check Before Scan Begins
Issue: When using -posttosplunk, the scanner did not verify Splunk connectivity before starting the scan. Users would complete a full scan — which can take minutes to hours — only to discover at the end that Splunk was unreachable.
Resolution: The scanner now performs a pre-flight connectivity check to the configured Splunk HEC endpoint before initiating the scan. If Splunk is unreachable, the scan exits immediately with a clear error message rather than wasting time on a scan whose results cannot be delivered.
Benefits: Eliminates wasted scan time on unreachable Splunk targets, provides immediate actionable error feedback, and improves reliability of automated deployment pipelines using Splunk integration.
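The pre-flight check described above, shown as an added example that is not the scanner's own implementation: it probes the Splunk HEC health endpoint (/services/collector/health, which a healthy collector answers with HTTP 200 and a small JSON body) before any scan work starts, and returns a failure message instead of proceeding when the endpoint is unreachable or reports an error. The helper name hec_preflight and the local mock server used to exercise it offline are constructed for this example.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Real Splunk HEC health endpoint; a healthy collector answers 200 with JSON.
HEALTH_PATH = "/services/collector/health"


def hec_preflight(hec_base_url: str, timeout: float = 5.0) -> tuple[bool, str]:
    """Return (ok, message) for the HEC at hec_base_url, e.g. https://splunk.example:8088.

    The decision is based on reachability and the HTTP status: anything other
    than a 200 from the health endpoint means results could not be delivered,
    so a caller should exit before starting a long scan.
    """
    url = hec_base_url.rstrip("/") + HEALTH_PATH
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status = resp.status
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:          # HEC answered, but not healthy
        detail = e.read().decode("utf-8", "replace")
        return False, f"HEC health check failed: HTTP {e.code} {detail.strip()}"
    except (urllib.error.URLError, OSError) as e:  # DNS, refused, timeout, TLS
        return False, f"HEC unreachable at {url}: {e}"
    if status != 200:
        return False, f"HEC health check returned unexpected HTTP {status}"
    try:
        text = json.loads(body).get("text", "")
    except ValueError:
        return False, "HEC health endpoint returned a non-JSON body"
    return True, f"HEC reachable: {text}"


# --- constructed mock HEC so the check can be exercised offline ------------
class _FakeHEC(BaseHTTPRequestHandler):
    healthy = True

    def do_GET(self):
        if self.path != HEALTH_PATH:
            self.send_response(404)
            self.end_headers()
            return
        if self.healthy:
            status, body = 200, b'{"text":"HEC is healthy","code":17}'
        else:
            status, body = 503, b'{"text":"HEC is unhealthy, queues are full","code":9}'
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def run_fake_hec(healthy: bool = True):
    """Start a mock HEC on a random loopback port; returns (server, base_url)."""
    handler = type("FakeHEC", (_FakeHEC,), {"healthy": healthy})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def stop_fake_hec(srv) -> None:
    srv.shutdown()
    srv.server_close()


if __name__ == "__main__":
    # Simulates what happens before a scan invoked with -posttosplunk starts.
    srv, base = run_fake_hec(healthy=True)
    print(hec_preflight(base))          # (True, 'HEC reachable: HEC is healthy')
    stop_fake_hec(srv)
    print(hec_preflight(base))          # (False, 'HEC unreachable at ...')
```

Against a real deployment the base URL is normally https with the collector's certificate, so the same function needs the trust store (or an ssl context) the scanner already uses for posting; the mock above speaks plain http only so the example runs without certificates.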
🛡️ Security Enhancements
OpenSSL Upgraded to 3.5.4
The bundled OpenSSL library has been upgraded from the previous version to 3.5.4, resolving three security vulnerabilities disclosed in the September 30, 2025 OpenSSL Security Release.
Out-of-Bounds Read & Write in RFC 3211 KEK Unwrap
A memory safety vulnerability in the RFC 3211 Key Encryption Key (KEK) unwrapping operation could allow an attacker to trigger out-of-bounds memory access when processing a malformed wrapped key. Affects all supported OpenSSL branches.
Timing Side-Channel in SM2 Algorithm on 64-Bit ARM
A timing side-channel vulnerability in the SM2 elliptic curve implementation on 64-bit ARM processors could allow an attacker with local access to recover private key material through timing analysis. Affects OpenSSL 3.2 and later on ARM64 platforms.
Out-of-Bounds Read in HTTP Client no_proxy Handling
An out-of-bounds read in the HTTP client's no_proxy environment variable parsing could be triggered by a malformed proxy exclusion list. Affects OpenSSL 3.0 and later.
Action Required: All deployments should upgrade to version 2.0.2.8 to receive the patched OpenSSL 3.5.4 library. No configuration changes are required.
🔧 Improvements & Enhancements
- Accurate Windows Asset Identification: Observer OS fields now carry semantically distinct values on Windows, enabling correct version-based filtering and compliance checks in SIEM platforms.
- Improved Enterprise Domain Correlation: AD domain population fixes allow Elasticsearch and Splunk dashboards to correctly group Windows assets by organizational unit and domain.
- Reliable VM and Cloud Asset Tracking: Serial number fallback logic ensures consistent unique device IDs across bare metal, VMware, Hyper-V, AWS, and Azure endpoints.
- Faster Splunk Deployment Feedback: Pre-flight connectivity verification surfaces Splunk configuration errors immediately, reducing mean time to resolution for integration issues.
Upgrade Notes
- OpenSSL CVE Remediation: Upgrade is strongly recommended for all production deployments due to the three CVEs resolved in OpenSSL 3.5.4.
- No Breaking Changes: All fixes are behavioral corrections for incorrect data. Output schema and field names are unchanged.
- Windows Domain Fields: Deployments relying on observer.domain for domain-based filtering should re-baseline dashboards and alerts — the field will now contain the correct AD domain rather than a DNS suffix.
- Splunk Pre-Flight Check: Deployments using -posttosplunk with automated pipelines should ensure Splunk HEC is reachable before invoking the scanner, as the scanner will now exit early rather than proceeding when connectivity fails.