Security researchers have identified over 49,000 misconfigured Access Management Systems (AMS) exposed online, posing serious risks to privacy and physical security across various industries and countries. These systems, which are responsible for controlling employee access to buildings and restricted areas, were found accessible without proper security measures, leaving them vulnerable to unauthorised access and manipulation.
Access Management Systems play a crucial role in securing facilities through methods such as biometric identification, ID card scans, and vehicle licence plate recognition. However, researchers from Modat, during a thorough investigation in early 2025, discovered tens of thousands of these systems exposed online without secure authentication settings, meaning anyone with internet access could potentially view or manipulate them.
Among the exposed data were highly sensitive employee details, including names, email addresses, phone numbers, work schedules, and photographs. Even more concerning was the exposure of biometric data, such as fingerprints and facial recognition records. Access logs that document the movements of employees entering and leaving buildings were also freely accessible on these misconfigured Access Management Systems.
The risks go beyond privacy breaches. In some cases, the exposed systems allowed for direct manipulation, enabling malicious actors to edit employee records, add fake employees, alter access credentials, and even lock legitimate employees out of their workplaces. This level of access could also grant unauthorised individuals physical entry to secure facilities, raising alarms for critical sectors such as government buildings, power stations, and water treatment plants.
Beyond physical security, the exposed data from misconfigured Access Management Systems could also be exploited for cyberattacks, particularly spear-phishing and social engineering campaigns against the affected organisations and their employees. Attackers who hold employee contact details, work schedules and biometric records can craft convincing fraudulent messages or impersonate trusted personnel, increasing the risk of unauthorised access and further compromise.
The countries with the highest number of exposed systems include Italy, with 16,678 vulnerable devices, followed by Mexico with 5,940, and Vietnam with 5,035. In the United States, researchers detected 1,966 exposed systems, highlighting the global nature of the issue.
Despite efforts by the researchers to notify the system owners, none have responded so far. However, some AMS vendors have acknowledged the issue and are working with affected clients to mitigate the risks.
Organisations using Access Management Systems are advised to take immediate steps: remove the systems from public internet access and place them behind firewalls and VPNs, change default administrator credentials, enable multi-factor authentication, and regularly apply software and firmware updates. Encrypting sensitive data and purging outdated employee records are also recommended to limit what an attacker could obtain if a system is nonetheless exposed.
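The first of those steps is the one the Modat findings turn on: an AMS admin interface should either be unreachable from the internet or refuse to show anything before authentication. The script below is an added example (not Modat's tooling and not any AMS vendor's code) of a self-check an operator can run against their own AMS address from an untrusted network such as a phone hotspot. It classifies the HTTP response into UNREACHABLE (the desired result), AUTH_REQUIRED, EXPOSED, or REVIEW. The URL, the login-page regexes and the sample responses are constructed assumptions for illustration, and the heuristics are deliberately generic because the page names no specific AMS product.

```python
"""Self-check for an Access Management System (AMS) web interface.

Added example, not code from Modat or from any AMS vendor. Run it from a
network that should NOT be able to reach the AMS (e.g. a phone hotspot):
the only acceptable verdict from the public internet is UNREACHABLE.
"""
from __future__ import annotations

import re
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass

UNREACHABLE = "UNREACHABLE"        # no HTTP response at all: what we want from outside
AUTH_REQUIRED = "AUTH_REQUIRED"    # 401/403, redirect to login, or a bare login form
EXPOSED = "EXPOSED"                # content served without any authentication challenge
REVIEW = "REVIEW"                  # odd status; inspect by hand

# Heuristics (assumed, not vendor-specific): a password field means a login
# form; these words in a 200 body suggest real AMS data is being served.
LOGIN_FORM = re.compile(r"<input[^>]+type=[\"']?password", re.I)
SENSITIVE = re.compile(r"employee|access log|fingerprint|badge|credential", re.I)


@dataclass
class Verdict:
    status: int | None
    verdict: str
    reason: str


def classify(status: int | None, headers: dict[str, str], body: str) -> Verdict:
    """Map one HTTP response (status, headers, body) to a verdict."""
    if status is None:
        return Verdict(None, UNREACHABLE, "no HTTP response")
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401 or "www-authenticate" in h:
        return Verdict(status, AUTH_REQUIRED, "HTTP authentication challenge")
    if status == 403:
        return Verdict(status, AUTH_REQUIRED, "forbidden without credentials")
    if status in (301, 302, 303, 307, 308):
        loc = h.get("location", "")
        if re.search(r"login|signin|auth", loc, re.I):
            return Verdict(status, AUTH_REQUIRED, f"redirect to login page {loc}")
        return Verdict(status, REVIEW, f"redirect to {loc or '?'}; check target manually")
    if status == 200:
        if LOGIN_FORM.search(body) and not SENSITIVE.search(body):
            return Verdict(status, AUTH_REQUIRED, "login form served, no data")
        return Verdict(status, EXPOSED, "content served without authentication")
    return Verdict(status, REVIEW, f"unexpected status {status}")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of silently following them,
    so a redirect-to-login is seen as such and not as the login page's 200."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url: str, timeout: float = 5.0) -> Verdict:
    """Fetch the AMS interface once, unauthenticated, and classify the result."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "ams-selfcheck/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return classify(resp.status, dict(resp.headers), body)
    except urllib.error.HTTPError as e:          # 3xx/4xx/5xx still carry headers
        body = e.read(65536).decode("utf-8", "replace")
        return classify(e.code, dict(e.headers), body)
    except (urllib.error.URLError, socket.timeout, OSError) as e:
        return Verdict(None, UNREACHABLE, str(e))


# Constructed sample responses standing in for real probes (offline demo).
SAMPLES = {
    "refused":    (None, {}, ""),
    "basic_auth": (401, {"WWW-Authenticate": "Basic realm=\"AMS\""}, ""),
    "to_login":   (302, {"Location": "/login?next=/"}, ""),
    "login_form": (200, {}, "<form><input type=\"password\" name=\"pw\"></form>"),
    "open_data":  (200, {}, "<h1>Employee list</h1><table><tr><td>A. Smith</td></tr></table>"),
}


def run_samples() -> dict[str, str]:
    """Classify every constructed sample; returns {name: verdict}."""
    return {name: classify(*resp).verdict for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:12s} {verdict}")
    # Real use: print(probe("https://ams.example.internal/"))  # assumed URL
```

Treat EXPOSED from outside the corporate network as an incident, not a finding to schedule: it is the condition Modat observed on the exposed systems. AUTH_REQUIRED from the internet still means the login surface (and any unpatched vendor bug behind it) is public, which is why the recommendation is to remove the interface from the internet entirely rather than rely on its own authentication.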
