A security investigation by Modat has identified more than 49,000 misconfigured Access Management Systems (AMS) exposed online, affecting multiple industries and geographic regions. The exposed systems pose risks to both physical security and employee privacy, particularly in sectors such as construction, healthcare, education, manufacturing, government, and the oil industry.

AMS are used to control access to buildings and restricted areas through technologies such as biometric authentication, ID card verification, and license plate recognition. However, researchers found that many of these systems were reachable from the internet without authentication because of improper configuration. As a result, sensitive employee data was publicly accessible, including identification details, biometric records, photographs, work schedules, and access logs.

The research, conducted using Modat’s Magnify platform, mapped a high concentration of exposed AMS in specific regions. Italy accounted for the largest number of misconfigured systems, with 16,678 identified instances, followed by Mexico with 5,940 and Vietnam with 5,035. The US had 1,966 exposed AMS, while Canada (1,040) and Japan (487) showed lower levels of exposure. Other European countries, including Spain (1,151) and France (517), were also affected.

Cybersecurity and physical risks from unsecured access systems

The security risks associated with these exposures extend beyond data privacy. Unauthorised individuals could exploit misconfigured AMS to gain physical access to secured facilities. In some cases, researchers found that these systems could be modified to add new personnel, alter existing employee records, or change building access permissions. Government facilities, critical infrastructure sites, power plants, and water treatment centres were among the locations identified as potentially vulnerable.

The publicly exposed AMS also widen the attack surface for cyber operations. The data stored in these systems could be used for targeted phishing campaigns, social engineering attacks, and other forms of unauthorised access. Access logs containing records of employee movements could be leveraged for surveillance or corporate intelligence gathering. The security lapses also raise concerns regarding regulatory compliance, particularly under the General Data Protection Regulation (GDPR), which mandates strict safeguards for handling personal data and treats biometric data used to identify a person as a special category requiring additional protection. Organisations found in violation of data protection laws may face financial penalties and legal repercussions.

Following the discovery, Modat said that its researchers initiated a disclosure process to notify affected organisations about the risks associated with their AMS. However, no confirmation has been received regarding corrective measures taken by system owners. Some AMS vendors have responded, stating that they are working with clients to implement security fixes.

Modat researchers recommended that affected organisations take immediate steps to address the exposures. They advised reviewing system configurations, restricting remote access through firewalls and VPNs so that management interfaces are reachable only from trusted networks, and taking exposed systems offline if necessary. Default administrator credentials should be changed, as factory-default and weak passwords are among the first things automated scanners and brute-force tools try. Multi-factor authentication (MFA) should also be implemented to strengthen access controls.

Additional security measures outlined by the researchers include applying the latest software and firmware updates to close known vulnerabilities. Encrypting biometric data and personally identifiable information (PII) was also suggested to limit the damage if a system is accessed without authorisation. Researchers further advised organisations to audit employee records and remove outdated or inactive accounts, which are a common foothold for attackers.
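The recommendations in the two paragraphs above can be turned into a repeatable audit that an operator runs against a configuration and account export before (and after) an AMS is put on the network. The script below is an added example; it is not Modat's code and does not use any AMS vendor's real export format or API. It assumes a hypothetical export shaped as a dict with a "management" block and an "accounts" list, and it flags the conditions the researchers call out: a management interface that answers without authentication or accepts connections from non-private address ranges, missing MFA, factory-default passwords (found by comparing stored SHA-256 hashes with hashes of a generic default list), and accounts with no login in the last 90 days. The sample export is constructed for illustration.

```python
"""Offline audit of an access management system (AMS) export.

Added example, not Modat's or any vendor's code. The export layout
("management" block plus "accounts" list, SHA-256 password hashes,
ISO-8601 timestamps) is an assumption made for illustration.
"""
import hashlib
import ipaddress
from datetime import datetime, timedelta, timezone

INACTIVE_AFTER = timedelta(days=90)

# Generic factory defaults that scanners try first (illustrative list,
# not taken from any specific vendor's documentation).
DEFAULT_PASSWORDS = ("admin", "password", "123456", "1234", "")

# Source ranges we accept as "restricted to the internal network / VPN".
TRUSTED_SOURCE_NETS = [ipaddress.ip_network(n) for n in
                       ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


DEFAULT_PASSWORD_HASHES = {sha256_hex(p) for p in DEFAULT_PASSWORDS}


def parse_ts(value):
    """Parse an ISO-8601 timestamp (with 'Z' or offset); None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def source_is_trusted(cidr):
    """True only if the allowed source range lies inside an RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t)
               for t in TRUSTED_SOURCE_NETS)


def audit_management(mgmt):
    """Checks on the management/web interface. Returns (severity, code, detail)."""
    findings = []
    if not mgmt.get("auth_required", False):
        findings.append(("critical", "NO_AUTH",
                         "management interface serves pages without authentication"))
    sources = mgmt.get("allowed_sources", [])
    loopback_only = mgmt.get("bind_address") == "127.0.0.1"
    if not loopback_only and (not sources or not all(source_is_trusted(s) for s in sources)):
        findings.append(("high", "INTERNET_REACHABLE",
                         "management interface accepts non-private sources; "
                         "restrict it to VPN/firewalled ranges or take it offline"))
    if not mgmt.get("mfa_required", False):
        findings.append(("medium", "NO_MFA", "MFA is not enforced for management logins"))
    return findings


def audit_accounts(accounts, now):
    """Per-account checks: default passwords, admins without MFA, stale accounts."""
    findings = []
    for acct in accounts:
        name = acct["username"]
        if acct.get("password_sha256") in DEFAULT_PASSWORD_HASHES:
            findings.append(("critical", "DEFAULT_PASSWORD", name))
        if acct.get("role") == "administrator" and not acct.get("mfa_enrolled", False):
            findings.append(("high", "ADMIN_WITHOUT_MFA", name))
        if acct.get("active", True):
            # Never-logged-in accounts are judged by their creation date.
            last = parse_ts(acct.get("last_login")) or parse_ts(acct.get("created"))
            if last is None or now - last > INACTIVE_AFTER:
                findings.append(("medium", "STALE_ACCOUNT", name))
    return findings


def audit(export, now=None):
    now = now or datetime.now(timezone.utc)
    return audit_management(export["management"]) + audit_accounts(export["accounts"], now)


# Constructed sample export: an internet-facing AMS with the classic mistakes.
AUDIT_TIME = datetime(2025, 3, 1, tzinfo=timezone.utc)
SAMPLE_EXPORT = {
    "management": {"bind_address": "0.0.0.0", "allowed_sources": ["0.0.0.0/0"],
                   "auth_required": False, "mfa_required": False},
    "accounts": [
        {"username": "admin", "role": "administrator", "active": True, "mfa_enrolled": False,
         "password_sha256": sha256_hex("admin"), "last_login": "2025-02-20T08:00:00Z"},
        {"username": "m.rossi", "role": "operator", "active": True,
         "password_sha256": sha256_hex("correct horse battery staple"),
         "last_login": "2024-10-15T07:45:00Z"},
        {"username": "contractor-2023", "role": "operator", "active": True,
         "password_sha256": sha256_hex("Tmp-2023!x"), "last_login": None,
         "created": "2023-06-01T00:00:00Z"},
        {"username": "s.bianchi", "role": "operator", "active": True,
         "password_sha256": sha256_hex("9u#Lq2!vB"), "last_login": "2025-02-27T16:10:00Z"},
    ],
}
# The same device after following the recommendations.
HARDENED_MANAGEMENT = {"bind_address": "10.20.5.4", "allowed_sources": ["10.20.0.0/16"],
                       "auth_required": True, "mfa_required": True}

if __name__ == "__main__":
    for severity, code, detail in audit(SAMPLE_EXPORT, now=AUDIT_TIME):
        print(f"{severity:8} {code:18} {detail}")
```

Run it as-is to see the findings for the constructed export; to use it on a real device, write a small adapter that maps the vendor's export onto the assumed keys. The default-password check only works when the export contains unsalted SHA-256 hashes (as assumed here); if the device stores salted hashes, replace it with an authenticated login attempt using the default pairs from a trusted host.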
