49,000+ Access Management Systems Worldwide Configured With Massive Security Gaps

Dutch IT security consultancy Modat has uncovered alarming security vulnerabilities in approximately 49,000 access management systems (AMS) deployed worldwide. These systems, designed to control building access through authentication methods like passwords, biometrics, and multi-factor authentication, have been found to contain critical configuration errors that leave sensitive data exposed and facilities vulnerable to unauthorized entry. The […] The post 49,000+ Access Management Systems Worldwide Configured With Massive Security Gaps appeared first on Cyber Security News.

Mar 4, 2025 - 19:10
 0
49,000+ Access Management Systems Worldwide Configured With Massive Security Gaps

Dutch IT security consultancy Modat has uncovered alarming security vulnerabilities in approximately 49,000 access management systems (AMS) deployed worldwide.

These systems, designed to control building access through authentication methods like passwords, biometrics, and multi-factor authentication, have been found to contain critical configuration errors that leave sensitive data exposed and facilities vulnerable to unauthorized entry.

The discovery represents a significant global security threat spanning multiple sectors including healthcare, education, manufacturing, construction, oil industry, and government institutions.

Access management systems authenticate users through various methods and authorize access rights based on predetermined policies.

When improperly configured, these systems create dual threats: unauthorized physical access to buildings and unauthorized digital access to sensitive information stored within these systems.

Researchers at Heise Online discovered numerous cases where employee photographs, full names, identification numbers, access card details, biometric data, vehicle license plates, work schedules, and even facility access credentials were left completely unprotected and accessible to potential attackers.

The exposed biometric data presents a particularly concerning vulnerability, as this information cannot be changed once compromised, unlike passwords.

Security experts emphasize that such exposed data creates an expansive attack surface for various cyber threats including phishing campaigns, identity theft, social engineering attacks, and specialized fraud schemes designed to siphon additional sensitive information from organizations and individuals.

The geographic distribution of vulnerable systems shows concerning patterns with the highest concentration found in Europe, the United States, the Middle East, and North Africa.

The study identified Italy as the most affected country with 16,678 vulnerable systems, followed by Mexico (5,940) and Vietnam (5,035).

India ranked tenth with approximately 1,070 compromised systems. Notably, Germany was not among the top ten affected countries.

Vulnerability Analysis

Authentication protocols in affected systems reveal consistent misconfiguration patterns that create exploitable security gaps.

In typical secure implementations, access management systems should employ configuration code similar to: access_protocol.biometric_data.storage = "encrypted"; remote_access.public_endpoints = FALSE; authentication.credential_exposure = "restricted";

However, investigators discovered thousands of systems with default or improper settings that expose API endpoints and credential databases to unauthorized queries.

Connection requests to these vulnerable systems often return sensitive data in unencrypted format without proper authentication challenges, creating trivial exploitation vectors for even unsophisticated attackers.

Modification of just a few configuration parameters could remediate many of these vulnerabilities, but widespread misunderstanding of security best practices among system administrators has resulted in this global security gap.

Analysts deliberately avoids naming specific manufacturers or system models to prevent targeted attacks while affected organizations work to secure their infrastructure.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

The post 49,000+ Access Management Systems Worldwide Configured With Massive Security Gaps appeared first on Cyber Security News.