BeyondInsight and Password Safe 25.1.1.165 (On-Premises only)
19 days ago
This update is for On-Premises customers only. Fixes have been automatically applied to all 25.1 Password Safe Cloud deployments.
August 5, 2025
Note
For a list of supported platforms for the latest version of BeyondInsight and Password Safe, see Supported Platforms.
🆕 New features
This is a maintenance release. There are no new features.
✨ Enhancements
This is a maintenance release. There are no new enhancements.
🛠️ Issues resolved
| Product Area | Description | Resolution |
|---|---|---|
| Endpoint Privilege Management | When an EPM agent checks-in, the IP Address for the corresponding Managed System may get reset to 127.0.0.1 | Resolved. If the EPM agent provides a loopback/127.0.0.1 IP Address, it is ignored by Password Safe. |
| RDP Sessions | RDP sessions using multiple monitors may encounter an error during session initialization. | Resolved. RDP sessions with multiple monitors now function as expected. |
| Workforce Passwords Browser Extension | Updating a credential via the browser extension reports successful, however the credential is not updated. | Resolved. Updates to credentials made from the browser extension are saved properly. |
| Public API | Attempting to retrieve a large number of secrets via the GET Secrets-Safe/Secrets API can fail with a timeout. | Resolved. Increased the default client timeout. |
| Reporting | When the Password Safe Password And Session Activity report is exported as a CSV, some cells may incorrectly contain line breaks, which causes a row to be split into two incomplete rows. | Resolved. Line breaks from the Reason field are automatically removed. |
| Directory Credentials | When using a directory credential with a username formatted as a UPN, directory queries using this credential do not work as expected. | Resolved. Directory credentials with UPN usernames are now properly handled. |
| SCIM API | When making a call to retrieve PrivilegedData from the SCIM API, the returned values have the properties defined as Name, Description, and Type. As per the schema, these properties should be all lower case. | Resolved. The json properties are now all in lower case. |
| SAML | SAML login ignores the Enable Group Resync configuration option when user mapping is set to Local and always resyncs the local groups. | Resolved. Groups will no longer be resynced if the Enable Group Resync option is disabled. |
| SAML | When using a SAML configuration that uses Active Directory as the mapping type, if an Active Directory user gets created during a SAML login, that user is missing several user attributes. This includes the domain, email and first/last name, and can cause issues with mapping or attempting to remove the user. | Resolved. All attribute data is now populated during SAML login. |
| Propagation Actions | When trying to run a script propagation action on a managed system that uses a custom port, the propagation action fails. | Resolved. The port setting on the managed system is now properly handled during propagation actions. |
| Reporting | The Active Users report only returns records with users that have been active within the last few months. The value in the parameter Used In X Days is not respected. | Resolved. The Used In X Days report parameter is properly applied. |
| Event Forwarding | When using a connector that uses the syslog format, the event severity in the priority field is the inverse of what’s expected for syslog events. | Resolved. Syslog events are now sent with the correct severity. |
| Public API | When creating a new Active Directory user via the POST Users AP, the Disable forms login for new directory accounts configuration setting is ignored. | Resolved. When creating new Active Directory users, the Disable forms login setting is properly applied. |
| Functional Accounts | Local functional accounts on managed systems that have a DNS Name containing a period (.) are not properly tested via the Password Test Agent. | Resolved. Local functional accounts are now tested properly. |
| Database Upgrade | In some scenarios, the upgrade to 25.1.0 could fail during the database upgrade if an asset is associated with invalid IP Address data. | Resolved. The invalid IP Address data is adjusted to the latest data or reset if none exists. |
| Mobile App / Secrets Safe | Secrets are not being properly returned to the mobile app from Secrets Safe personal folders when the user is a member of the Administrators group. | Resolved. Users who are members of the Administrators group can now access secrets found in their personal folders. |
| Mobile App | An authentication error occurs when attempting to login via the Mobile App using an Active Directory or LDAP user account. | Resolved. Active Directory and LDAP users can now successfully login via the Mobile App. |
📝 Requirements
- Direct upgrades to 25.1.1 are supported from BeyondInsight versions 23.1 or later releases.
- BeyondInsight 25.1.1 supports SQL Server 2016 SP2 or higher.
🗒️ Notes
- This release is available by download for BeyondTrust customers (https://beyondtrustcorp.service-now.com/csm) and by using the BeyondTrust BT Updater.
- The MD5 signature is: cf9b9d17c1b9c8a7831d2da2c8707991
- The SHA-1 signature is: b62b975d76139426f68ab01f5cec037aa236eb9c
- The SHA-256 signature is: b4b414a8e997caf55c674a8bdee111a95d4dae277cec79af3b63e89ef1a6ec3e
