Ivan Garzaro : 23 September 2025 07:11
In recent months, during my research and studies, I have come across a reality as surprising as it is worrying: how easy it is to identify exposed systems on the network, even those belonging to organizations that, by mission or sector, should have a particularly solid security posture.
We’re not talking about movie-like techniques or sophisticated attacks: in many cases, a boring Saturday night while the rest of the family is asleep, a specialized search engine, or a targeted scan are all it takes to discover accessible management interfaces, misconfigured servers, default credentials that have never been changed, or critical services without any authentication.
The feeling is almost that of walking through a city where many doors are wide open – and we’re not always talking about just any homes.
You might think that these exposures only concern small companies or those with limited cybersecurity budgets.
In reality, you may also come across systems belonging to more significant organizations, which by their role or sector are presumed to have a greater focus on protecting their digital assets.
This isn’t to say that all of these organizations have critical vulnerabilities or are neglecting security, but it does highlight how the risk of exposure can affect anyone, regardless of size or industry—sometimes due to basic misconfigurations, sometimes due to testing activities that aren’t fixed, sometimes due to new exploits that are discovered.
Wherever possible, whenever I detected a critical issue, I reported it to the relevant authorities. The result? In most cases, months later, the systems are still as accessible as they were on day one.
This means that if I, acting ethically, could identify them, anyone with malicious intent would have had the same leeway, with the added advantage of having plenty of time available and technology that today makes the entire reconnaissance phase even easier.
Once upon a time, anyone wanting to carry out an attack had to know their way around, master techniques, tools, and methodologies. Today, with artificial intelligence, half the work can be done while the attacker sips a coffee: automated target research, vulnerability analysis, even the generation of exploits or customized scripts.
This dramatically lowers the barrier to entry and speeds up every step, from detection to potential exploitation.
The problem becomes even more serious when placed in the current geopolitical context, where cyberattacks have become weapons of pressure and destabilization, strategic information—even if unclassified—can be used to target services, infrastructure, and citizens, and every exposed system is a potential gateway for espionage, sabotage, or disinformation campaigns.
This is not a hypothetical scenario: it has already happened, and continues to happen all over the world.
Anyone working in cybersecurity knows that an organization’s attack surface has expanded far beyond corporate firewalls. Cloud computing, remote working, IoT devices, web applications: everything is connected, everything is accessible, and every single exposed point can become a crack through which an entire attack can slip.
If we add to this the lack of proactive monitoring in some situations, the picture is clear: the attack surface is on display, and there is not always someone observing.
Identifying exposed systems today is easier than ever. You don’t need a secret lab, you don’t need zero-day exploits: you just need to know where to look. And if this is true for an independent researcher, it’s also true, and especially so, for those operating with hostile intent.
In times of geopolitical tension and hybrid conflicts, we cannot afford for doors to remain wide open for months after a report. Because in cybersecurity, there’s a mantra we should never forget: It’s not if it happens, but when it happens. Because, sooner or later, unfortunately, it affects more or less everyone.