Vast numbers of misconfigured Access Management Systems (AMS) across the globe are exposed to the public Internet, researchers from Internet Index Search Solution provider Modat have revealed.
The vulnerabilities, which span a wide range of industries—including critical sectors like construction, healthcare, oil, and government—have exposed hundreds of thousands of sensitive employee records, including personal identification details, biometric data, and even work schedules.
Routine Assessment Reveals Global Security Crisis
In early 2025, the Modat research team embarked on what they thought would be a routine investigation. Using the Modat Magnify tool, they scanned the global security landscape and unearthed something disconcerting: an unusual pattern of exposed access management interfaces worldwide.
Delving deeper, Modat researchers realized the extent of the issue. Many of these systems weren’t just exposed to the public Internet but actively revealed vast swathes of sensitive information, including personal identification details, biometric information, employee photographs, work schedules, and access logs.
Exposed Data Fuels Exploitation Risks
In some cases, AMSs exposed all available information about employees and the departments to which they belonged.
Modat notes that attackers could use this data to impersonate employees, gain unauthorized access to restricted buildings, or commit identity theft. In one extreme case, attackers could edit employee records, including changing profile pictures, allowing someone to gain physical access to a building using fake credentials.
Another exposed AMS system allowed attackers to manipulate access control settings. These systems tracked which employees entered specific buildings or floors, making it possible to monitor movement patterns. In some cases, attackers could even modify access privileges.
One vehicle access control system even allowed attackers to whitelist or blacklist specific license plates and monitor vehicle movements in and out of a facility. This could enable unauthorized vehicles to bypass security checkpoints in highly sensitive environments, such as government buildings.
Analysis of Exposed Systems: A Country-by-Country Breakdown
Italy was by far the most vulnerable country, with 16,678 exposed systems, followed by Mexico with 5490 and Vietnam with 5035. Considering its size, the United States had relatively low levels of exposure (1966 systems), as did Canada (1040) and Japan (487). Europe presented a relatively mixed picture: Spain reported 1151 exposed systems, France 517, and The Netherlands just 147.
The key takeaway from these findings is that even countries with strong data protection regulations – namely, those that fall under GDPR’s jurisdiction – are not exempt from significant security vulnerabilities. In fact, based on these findings alone, GDPR seems to have no impact at all.
Source: https://www.modat.io/post/doors-wide-open-critical-risks-in-ams
Next Steps for Exposed Organizations
Modat privately contacted exposed system owners and organizations and provided them with detailed reports outlining their vulnerabilities. For any other organizations that may fear they have similar vulnerabilities, Modat recommends:
- Restricting internet exposure by placing AMS behind firewalls or VPNs.
- Changing default credentials immediately to prevent unauthorized access.
- Enabling encryption to protect sensitive employee and biometric data.
- Applying regular security updates and patches to fix known vulnerabilities.
- Monitoring access logs to detect suspicious activity.
Soufian El Yadmani, CEO of Modat, argues that connection to the open Internet is the core of the issue. He recommends that organizations add basic layers of protection, like VPNs and segmentation. “These are basic security controls,” he said, “in most of the research that we conduct, we see that basic protection is missing. Most systems like this are not designed to be unprotected on the internet. Vendors do advise to shield them by other means of protection.”
El Yadmani also argues that organizations should “focus on implementing basic security for all IoT, OT, and IT systems” while continuously monitoring which systems are connected to the Internet and, crucially, if they are configured to the latest security standards and well-managed. “This should also include 3rd party systems as well as your physical access systems,” he said.
Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He's written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.