Misconfigured access management systems expose global enterprises to security risks

Global enterprises are facing a serious security crisis as misconfigured Access Management Systems (AMS) expose sensitive employee data and grant potential access to restricted facilities. The vulnerabilities found across healthcare, education, manufacturing, and government industries put organizations at heightened risk of data breaches, financial losses, and compliance violations.

In some cases, attackers could manipulate credentials to bypass security systems entirely, raising urgent concerns over both digital and physical security, according to a report by cybersecurity firm Modat.

The findings suggest that hundreds of thousands of sensitive employee records have been exposed, including biometric information, identification details, photographs, and work schedules. In some cases, these vulnerabilities could allow unauthorized individuals to bypass physical security measures and gain entry into restricted facilities.

“Access Management Systems are crucial in modern security and yet they can often present significant vulnerabilities,” the report said. “Some systems offer comprehensive access control features, but their network-connected nature can create potential attack vectors.”

The report further indicates that the highest concentration of these exposures has been detected in Europe, the US, and the MENA region, raising concerns over regulatory compliance and potential financial losses.

A systemic security lapse

Modat’s research, conducted using its Magnify platform, identified a widespread pattern of internet-exposed AMS with significant security misconfigurations. The report points to inadequate configurations, outdated security protocols, and a lack of sufficient monitoring as key contributors to the problem.

“Organisations unknowingly leaving their access management systems exposed face severe security and privacy risks,” the report stated. “These vulnerabilities not only threaten employee data privacy but also present an alarming risk of unauthorised physical entry.”

The impact of these security lapses is multifaceted, ranging from identity theft and corporate espionage to severe regulatory penalties under laws such as the General Data Protection Regulation (GDPR).

The scale of exposure also raises concerns about potential real-world breaches that could compromise corporate and government infrastructure.

“Particularly concerning was the discovery of exposed biometric templates and facial recognition data in several modern access control systems, which could pose serious privacy risks if accessed by malicious actors,” the report pointed out.  “The scope and depth of exposed information varied by organisation but consistently included enough personal data to create significant privacy and security risks for the affected organisations and their employers.”

Regional and industry-wide exposure

The investigation found a disproportionate concentration of exposed AMS in Europe, with Italy emerging as a key hotspot, reporting 16,678 exposed systems. Mexico and Vietnam followed, with 5,940 and 5,035 systems exposed, respectively.

The US recorded 1,966 vulnerable systems, while other technologically advanced nations such as Canada and Japan showed comparatively lower exposure levels. Despite strong data protection regulations, European nations collectively accounted for a significant portion of the reported vulnerabilities, the report added.

The report further revealed that the misconfigurations affected a range of industries, with some organisations inadvertently exposing complete employee records, including full names, identification numbers, access credentials, and biometric authentication data. In certain cases, attackers could manipulate these records to create new identities, effectively bypassing security systems.

Calls for immediate remediation

Following the discovery of these vulnerabilities, Modat initiated a responsible disclosure process, notifying affected organisations and offering remediation guidance. The company recommends that organisations immediately remove AMS from direct internet exposure, implement strong access controls, and regularly patch security flaws.

“The integration of IT and operational technology (OT) has significantly increased attack surfaces,” the report warns. “Without stringent cybersecurity measures, businesses risk not only financial damage but also the physical safety of their employees and infrastructure.”

Cybersecurity experts urge enterprises to take a proactive approach by enforcing stricter network segmentation, encrypting sensitive employee data, and conducting routine security audits to detect and mitigate exposure risks.

Given the scale of the problem, failure to act could leave organizations open to targeted cyberattacks and regulatory scrutiny. “It is important to ensure that default credentials are changed immediately, and access should be restricted,” the researchers at Modat suggested. “Continuous monitoring, including the internet exposure of your devices, will help with internal detection and response to suspicious activities. These measures can prevent unauthorised access, protect employee data, and maintain the physical security of the organization’s facilities.”