Researchers from Modat detailed a significant global security risk stemming from misconfigured and inadequately secured access management systems (AMS) across various industries and regions. Based on data observed on its platform, with a focus on access management tools utilized by companies and organizations (excluding devices in residential buildings), Modat identified the presence of security vulnerabilities in over 49,000 exposed devices related to access management and physical security.
In early 2025, Modat researchers conducted a comprehensive investigation, uncovering widespread internet exposure of AMS installations. This exposure has revealed significant security vulnerabilities impacting organizations globally, including critical sectors such as construction, healthcare, education, manufacturing, oil, and government entities.
The researchers warned that these flaws pose serious risks to data integrity and physical security, highlighting the urgent need for improved safeguards and stricter oversight. These vulnerabilities have led to the exposure of hundreds of thousands of highly sensitive employee records, including personal identification details, biometric information, photographs, and work schedules. In addition, the physical security of thousands of organisations worldwide has been compromised.
“The potential for unauthorised entry into buildings and the ability to bypass physical security measures pose severe threats to organisational safety,” the Modat team wrote in a post this week. “Also, a high concentration of AMS exposure has been detected in European countries, the US, and the MENA region, indicating a broad-scale security lapse. The impact of these exposures varies from financial losses and regulatory penalties such as GDPR fines, to serious breaches that could lead to identity theft, unauthorised access, and confidential business disclosures.”
Apart from the misconfigured and exposed AMS across different global organizations, the Modat researchers identified critical misconfigurations in key industries, including construction, healthcare, education, manufacturing, the oil industry, and governments. They detected extensive exposure of sensitive employee data, such as personal identification information, employee photographs, biometric data, work schedules, and payslips, along with complete facility control and access. They also detected compromised physical security at multiple organisations, where the exposed and misconfigured AMS make it possible to gain access to buildings and bypass physical security.
These systems are vital for modern security but often harbor significant vulnerabilities. While many provide robust access control features, their network-connected nature can introduce potential attack vectors. The integration of IT and OT (Operational Technology), though advantageous for business efficiency, can also expand the attack surface. If not properly secured, these vulnerabilities can lead to massive data breaches and the circumvention of physical security measures, posing serious risks to organizations.
The researchers also detected a high concentration of vulnerabilities, especially in European countries, the U.S., and the MENA region. They observed varying impact types, with potential for data exposure, identity theft, unauthorised physical access, disclosure of confidential business operations, and widespread privacy violations affecting thousands of employees globally, which can result in GDPR fines. The research also found that potential impacts on these organisations vary from financial damages and regulatory consequences to real-world breaches.
Modat disclosed significant variations in the exposure of access management systems across different regions. Italy emerged as a main focal point with an alarming 16,678 exposed systems, followed by Mexico with 5,940 and Vietnam with 5,035 instances. While the U.S. showed a moderate exposure level of 1,966 systems, other technologically advanced nations like Canada (1,040) and Japan (487) demonstrated relatively lower numbers of exposed systems. The Netherlands was not immune to these security challenges, as Modat's scans revealed 147 exposed systems.
Also, European nations overall showed a mixed picture, with Spain registering 1,151 exposed systems, France reporting 517 instances, and other regions totalling approximately 50,000 devices, indicating that even regions with strong data protection frameworks are not exempt from these security vulnerabilities.
“Through extensive analysis, we identified numerous instances with misconfigurations and security vulnerabilities that could potentially compromise these assets and affect the overall security of owners’ organisations,” the researchers revealed. “What was particularly concerning was the risk of unauthorised access to sensitive employee data and personal information stored within these systems.”
Following its findings, Modat immediately initiated a responsible disclosure process, contacting system owners directly to alert them of the identified risks and providing remediation guidance. This proactive approach protects organisations and employees from potential data breaches while maintaining ethical research standards.
The Modat investigation highlighted the often-overlooked security issues that can arise in physical security systems when they intersect with digital networks. “Thus, demonstrating how Modat’s unique fingerprinting capabilities can play an essential role in building resiliency by identifying and mitigating these risks before they can be exploited by malicious actors.”
In their conclusion, the Modat researchers said the analysis revealed widespread misconfigurations across critical industries, including construction, oil, logistics, education, healthcare, and manufacturing, raising serious privacy and security concerns. These exposed systems leaked highly sensitive data, such as employee photographs, full names, ID numbers, access card details, biometric templates, vehicle plates, work schedules, and facility access histories. Notably, modern access control systems expose biometric and facial recognition data, posing severe risks if exploited by malicious actors.
The scope of exposure varied but consistently included enough personal data to jeopardize both organizational security and employee privacy.
To mitigate such risks, organizations should avoid connecting these systems directly to the internet. Best practices include placing systems behind firewalls and VPNs (virtual private networks), conducting regular security updates, changing default credentials, restricting access, and continuously monitoring for internet exposure and suspicious activities. These steps can prevent unauthorized access, safeguard employee data, and protect physical security.