What’s New

The following features were introduced or enhanced in Privileged Access Manager - Self-Hosted version 12.6.


This version is designated as Long Term Support Customers who install this version will continue receiving security updates and critical bug fixes per our policy.

For more details, please review our End-of-Life policy.

Shared Technology Platform

Support Microsoft Windows 2019 for Privilege Access Management components deployed in the cloud

We are extending our current support which already exists for Privilege Access Management components deployed on premise to their counterpart images that are deployed in the cloud (AWS and Azure).

Telemetry tool enhancements offer increased visibility into password management

 A screenshot of a computer

Description automatically generated with medium confidence

New features and viewing options enable customers to gain better compliance visibility from CyberArk's Telemetry tool. Newly added password management policy-related attributes enable customers to analyze overall password security levels and gain actionable insights.

Newly added metrics include:

  • Platforms with periodic verify

  • Platforms with automatic reconcile

  • Platforms with periodic change


Continuous improvement of the compliance and security of the Vault

Windows Server 2019 Hardening revised to follow CIS standards

CIS guidelines are used by many organizations as security standards and best practices for defending IT systems.

Accordingly, Digital Vault hardening has been revised to align with Center for Internet Security (CIS) guidelines specifically designed for the standalone server of the Digital Vault.

The new hardening achieves over 90% compliance with the January 2022 CIS report and provides additional hardening guidelines that are not covered or not secured to the Vault standard by the CIS report.

PAKeygen to support 64bit pkcs11 library and HSM that requires PIN integration

Expanding the Vault's ability to integrate with a broader range of Hardware Security Modules (HSM), the PAKeyGen utility is upgraded to support the 64bit PKCS#11 library when generating server keys with HSM integration. Additionally, HSM vendors that utilize a Personal Identification Number (PIN) are also supported.

Password Vault Web Access

Simplified Safe Management user interface

Password Vault Web Access 12.2 introduced the new Safes view that aligns with the cleaner and more modern look and feel. In this version we expanded the new Safes interface to offer a wizard-led workflow that provides simplification and better visibility that will improve the process of managing safes.

The new Safes view in the PVWA replaces the classic interface and offers extended management capabilities to:

  • Create and edit Safes within a new flexible workflow supported by wizard-led steps

  • Easily assign members to Safes thanks to enhanced user filtering capabilities

  • Manage Safe members and permissions as part of the Safe creation and editing flow. Permissions are easier to manage thanks to predefined permission sets (Read only, Approver, Accounts manager, Full, Customized).

Change password - set the next password value

Customers may need to specify the next password that will be used by the CPM to update an account's credentials.

In such cases Vault administrators can, straight from the default PVWA UI, change the password in the Vault, which will be reconciled on the remote machine by the CPM during the next CPM process. Until now, this option was only available in the classic UI.

Certificate issuer validation to PKI/PKIPN Authentication

PKI enables the use of certificates for servers and users to identify each other and establish a secure connection. Certificates contain encryption values, or keys, that are used for encrypting and ensuring the integrity of messages sent between the two parties.

When a user logs on to the PVWA using the PKI/PKIPN authentication method, the user and the Server establish an SSL (Secure Socket Layer) connection. During the SSL handshake, the parties exchange certificates and check their validity. They also check that the other party’s certificate was issued by a trusted CA (Certification Authority).

In this version we enhanced the authentication to validate that the certificate being used by the end user was issued only by that specific issuer. This will enable administrators to configure which issuer is the valid issuer for the PKI/PKIPN authentication.


User Management and Account management are the key elements in the organization's onboarding automated processes.

This release includes several improvements in our REST API Web services specifically around these areas for easier automation and usage.

The following new APIs were added:

In addition, we enhanced the Get accounts REST API to filter the returned list according to a set of views. These Saved Filters enable the developer to display accounts according to predefined criteria based on account and operation status, such as Deleted, DisabledPasswordByCPM and ScheduledForReconcile. We now also return the DeletedTimestamp per each of the returned accounts that are deleted, with the time when the account was deleted.

Improved PVWA application logger

CyberArk introduced in V11.4 the new application logger of the PVWA that improved and simplified the troubleshooting process. In this version we will complete the migration and it will become the main logger of the PVWA that will replace two of the existing logs.

In addition, we are adding a new enhanced console log that will replace the old CyberArk.WebConsole.log console log.

These new logs will improve our logging capabilities by providing a clear log structure that enables faster troubleshooting and determines failures without the need to enable debug mode explicitly.

By the end of the year, we expect customers to complete their transition to the new application logger and therefore, the CyberArk.WebConsole.log, CyberArk.WebApplication.log and CyberArk.WebSession<sessionId>.log log files will be disabled by default on clean installations and upgrades of upcoming versions.

Central Policy Manager

AWS STS Connector

The Amazon Web Services Console is the main interface users leverage to make administrative changes to AWS services. This powerful tool is a prime target for abuse by attackers. It is critical that organizations secure AWS console access, ensuring that only appropriate users have access and only to the services required for their job function. The AWS recommended best practice for privileged console access is to restrict traffic to specific workstations, but this can be a challenge in large organizations.

We are happy to introduce a new Amazon Web Services (AWS) Console with STS for connecting via AWS STS that will replace our previous plugin and, based on the Web applications for PSM framework, is supported over Chrome and Internet Explorer.

This integration allows organizations to fully isolate and monitor AWS console sessions using Amazon Secure Token Service (STS), which provides temporary credentials.

To learn more, see AWS Cloud Services Management.

Privileged Session Manager

Taking access enforcement to the next level and improving the compliance control of the PSM path to the critical assets of the organization.

Network-based access control to ad hoc connections

With the changing of office perimeters and employees no longer being office-bound and on the go, it is essential to have better enforcement of their access to the organization's resources and to be able to apply compliance and access regulations globally.

In this version, customers can now apply subnet-based rules to control the access of end users to specific targets based on their location.

Rules may be created on an allowlist or denylist approach, depending on the organization's settings.

Dual Control timeframe enforcement on ongoing PSM sessions

Controlling the timeframe for end users' access to the organization's assets is important from an accountability and compliance perspective.

In this version, we've added the option to enforce the Dual Control request's timeframe that is associated with the session and trigger a session termination once that timeframe reaches its end.

PSM registration flexibility

When a new PSM instance is being registered to the Vault during the Registration stage of the installation, its IP address is being written in the PSM server connection data in the configuration options. In this release we have added the option to register PSM with its DNS name (FQDN), which provides flexibility in dynamically changing networks and makes it easier to secure the PSM connectivity with SSL certificates.

This option is toggled by a new parameter in the Registration stage configuration and is not available when installing PSM via the installation wizard.

Privileged Session Manager for SSH

Continuous improvement of the compliance and security offering of SSH based sessions

Enhanced auditing for file transfer sessions

We are increasing the compliance coverage of SFTP session recordings by adding audit capabilities and including user activities as well as file information in the monitoring page.

SSH tunneling in PSM for SSH integrated mode

PSM for SSH enables authorized users to initiate and use an SSH tunnel to access a target SSH server, while providing start/end tunnel session audit capabilities. Through this tunnel, users can launch GUI applications such as Web or SQL from their workstation, maintaining their existing workflow.

Using PSM for SSH, Security Managers can control access by determining which users can access different target systems. 

In this version, PSM for SSH’s Integrated Mode provides the flexibility to configure SSH tunneling for specific systems, according to the access and security needs of the organization.

Privileged Threat Analytics

Simplified installation and upgrade

With today's high frequency of security vulnerabilities in various platforms and applications, it is important to give customers full control and alignment over package versioning and updates without requiring a PTA patch.

Starting this version, PTA installation and upgrade processes will only include updates for the following third parties:

  • apache-activemq

  • apache-tomcat

  • mongodb

  • mongodb_exporter

  • monit

  • node_exporter

  • Prometheus

  • Pushgateway

  • Azul Zulu OpenJDK

This will enable customers to react fast in case of a published vulnerability related to the packages that are no longer part of the PTA installation process.

The rest of the packages that used to be part of PTA installation and upgrade will be considered as prerequisites and their installation will be verified by the PTA before starting the installation and upgrade process.

When PTA is deployed from the disk image, the installation will still include all third-party packages. However, following the initial deployment and moving forward, customers should manage any future updates and security patches of these third party packages.

Version 12.6 is the last version that supports PTA installation as an image from disk. Beginning with the next version, CyberArk will no longer provide PTA as an image from disk.

MongoDB version upgrade

The embedded MongoDB version used by PTA has been upgraded from version 3.6 to version 4.4.

Sensor connectivity indication on system health page

Improving on the visibility of PTA's health, in this version the system health page has been extended with information about the last time each sensor has last communicated with the PTA.

Cross-site request forgery (CSRF) Protection

The CSRF vulnerability is related to browser behavior. It uses existing session parameters to any request to same site, which enables an attacker to forge a modifying request and manipulate the user to trigger it.

With CSRF protection, each request holds a CSRF token that is unique to the current user session, which makes it impossible to forge a generic request.

In this version, we've added CSRF protection on the PTA classic UI.

Risky commands expansion to Google Cloud commands

The current default list of risky command has been extended to include commands that are relevant for Google Cloud.

Unmanaged Privileged Access (UPA) exclude list

Starting this version we are providing customers with the flexibility to exclude certain usernames which they find as irrelevant for the process of unmanaged privileged users detection.

Security Enhancements

TLS 1.2 Support

  • CPM

    CPM supports the use of TLS 1.2 for incoming connections to the CPM and outgoing connections to targets. It is a security best practice to disable TLS 1.0 and 1.1 to ensure the use of the higher level encryption protocol.

    Starting from this version, we will disable TLS 1.0 and 1.1 on the CPM server by default as part of CPM hardening. Customers who would like to use previous TLS versions can configure the system to allow these versions after the hardening phase is completed, or exclude this step from the hardening phase in advance. See Updates IIS SSL/TLS settings for more information.

  • PAM - Self-Hosted on cloud - Vault integration with Azure Key Vault

    Microsoft has announced the deprecation of TLS 1.0 and TLS 1.1 starting May 31, 2022 when integrating with the Azure Key Vault service.

    Since CyberArk Azure images integrate with Azure Key Vault to protect the server key, Cyberark Vault images have been accordingly updated to support TLS 1.2 for .NET Framework. 

  • PTA - TLS 1.2 enforcement during installation

    Following security best practices, starting this version new deployments of PTA will use TLS 1.2-based communication by default for incoming syslog ports.

    Customers can change this configuration either during the installation process or manually through the system properties file.

    This change is not applicable for existing deployments, although we strongly recommend that customers update manually and start using TLS 1.2 if they haven't done so by now.

PVWA internal components upgrade

Internal components were upgraded to enhance security and make technological improvements to the operating system and third-party components for the PVWA Server. The PVWA hardening process was updated accordingly.