Researchers discovered a significant security vulnerability affecting over 49,000 exposed Access Management Systems (AMS) across various industries and countries. These systems are used to manage employee access to sensitive areas like government buildings, critical infrastructure, and private facilities. The study, conducted by Modat in early 2025, revealed that many AMS were misconfigured, leaving them open to unauthorized access due to insecure authentication protocols. As a result, anyone could remotely access these systems without proper authorization, presenting a major security risk.
The exposed AMS contained a wealth of sensitive information, including personal identification details such as names, phone numbers, and email addresses.
Biometric data like fingerprints and facial recognition images were also stored in an unencrypted format. Work schedules, photographs, and access logs detailing employee movements in and out of restricted areas were also vulnerable. In some instances, researchers were able to manipulate the records, adding fake employees or altering access credentials, which could allow attackers to gain unauthorized access or deny access to legitimate employees.
The most concerning aspect of the exposure was the risk it posed to physical security, especially in critical sectors like government, energy, and utilities.
AMS systems at government buildings and essential infrastructure facilities such as power stations and water treatment plants were found to be particularly vulnerable. Beyond the immediate physical risks, the data could also be exploited for spear-phishing campaigns and other social engineering attacks, targeting organizations and their employees. The exposure of such sensitive information amplifies the potential for both physical and cyberattacks.
While researchers directly notified AMS system owners about the vulnerability, many did not respond, leaving the risk unaddressed. Some vendors have since acknowledged the issue and are working to secure the affected systems. To mitigate these risks, Modat recommended several measures, including taking systems offline, placing them behind firewalls and VPNs, changing default admin credentials, and enabling multi-factor authentication. Additionally, AMS administrators were urged to apply the latest software updates, encrypt biometric data, and purge records of former employees to prevent unauthorized access.
