Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical Linux and Ubiquiti Flaws, Accenture Breach, Android Exploit
July 12, 2026
Microsoft Teams macOS Bug Exposes Screen Sharing Content
July 12, 2026
Apple Sues OpenAI and Ex-Staff Over Alleged Trade Secret Theft
July 12, 2026
Home/CyberSecurity News/Critical Ivanti EPMM Zero-Auth Flaw Exposes DoD Data
CyberSecurity News

Critical Ivanti EPMM Zero-Auth Flaw Exposes DoD Data

Key Takeaways A critical zero-authorization flaw in Schemata’s API exposed sensitive military training data and U.S. service member records. The vulnerability allowed low-privileged accounts to...

Sarah simpson
Sarah simpson
May 6, 2026 3 Min Read
39 0

Key Takeaways

  • A critical zero-authorization flaw in Schemata’s API exposed sensitive military training data and U.S. service member records.
  • The vulnerability allowed low-privileged accounts to access cross-tenant information across the entire virtual training platform.
  • Discovered by the Strix AI hacking agent, the flaw persisted for 150 days despite private disclosure before a patch was finally applied.
  • Exposed data included personal details of service members, their stationed bases, and confidential training manuals, including those for explosive ordnance.

Zero-Authorization Flaw Uncovered in DoD Contractor’s Platform

A severe zero-authorization vulnerability within the API of Schemata, an AI-powered virtual training provider with active Department of Defense (DoD) contracts, led to the exposure of highly sensitive military training materials and personal records belonging to U.S. service members. The flaw, which originated from a complete absence of authorization boundaries and tenant isolation within the application’s API, allowed standard, low-privileged accounts to access data across the entire platform, bypassing intended access restrictions.

Table Of Content

  • Key Takeaways
  • Zero-Authorization Flaw Uncovered in DoD Contractor’s Platform
  • Massive Operational Security Risk from Exposed Data
  • Disclosure and Remediation Timeline
  • What You Should Do

The vulnerability was identified by Strix, an open-source AI hacking agent. During its assessment, Strix established a low-privilege baseline and mapped accessible API surfaces. It then successfully replayed high-value collection endpoints using a standard user session. The API failed to enforce organizational scoping or permission checks, meaning that instead of returning data limited to the test account, the system globally returned information from across the entire platform. Furthermore, the lack of authorization controls on write-enabled routes presented an additional risk, potentially allowing malicious actors to modify or delete training courses.

Massive Operational Security Risk from Exposed Data

The extent of the data exposure constituted a significant operational security risk. Through a user-listing endpoint, the unprivileged test account gained access to the entire user base. This included names, email addresses, enrollment data, and the specific military bases where U.S. service members were stationed. Such comprehensive personal data leaves personnel highly susceptible to targeted phishing campaigns and doxing attacks.

Beyond personal records, course and organization endpoints inadvertently leaked metadata and direct AWS S3 links to hundreds of confidential training manuals. Among these were a proprietary 3D virtual training course designed for naval maintenance personnel and Army field manuals detailing the safe handling, arming sequences, and tactical deployment of explosive ordnance.

Disclosure and Remediation Timeline

Strix privately reported the vulnerability to Schemata on December 2, 2025, as detailed in their blog post. Despite multiple follow-up attempts underscoring the critical nature of the exploit, the vulnerability remained unaddressed for several months. It wasn’t until May 1, 2026—a full 150 days after the initial disclosure and following a final notification of impending public disclosure—that Schemata acknowledged the exposed endpoints and implemented an immediate patch. The researchers have since confirmed the successful remediation.

For defense contractors, robust API security is not merely a best practice but a strict regulatory requirement under federal mandates such as DFARS 252.204-7012. The Cybersecurity Maturity Model Certification (CMMC) further obligates contractors handling Controlled Unclassified Information (CUI) to adhere to mandatory cybersecurity standards and breach-reporting protocols. The presence of a platform serving military training data without a fundamental API authorization layer represents a foundational security failure.

What You Should Do

  • Customers and partners of Schemata, particularly those in the defense sector, should urgently inquire about access logs and the duration of the data exposure.
  • Verify whether affected users or personnel have been formally notified regarding the incident.
  • Review and reinforce internal policies for handling sensitive data, especially when engaging with third-party vendors and contractors.
  • Ensure that all vendors comply with federal cybersecurity regulations like DFARS 252.204-7012 and CMMC requirements for API security and data protection.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackBreachCybersecurityExploitPatchphishingSecurityVulnerability

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Ransomware and Extortion Groups Target Aviation, Aerospace

Next Post

Remus Infostealer Targets Browsers with Lumma-Style Key Theft

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Dell BIOS Critical Flaw Exposes Admin Passwords From SPI Flash
July 11, 2026
CISA Report Details Lessons Learned From AWS GovCloud Credential Leak
July 11, 2026
281 Android VPN Apps Leak Sensitive Data, Transfer Data Unencrypted
July 11, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us