Critical Ivanti EPMM Zero-Auth Flaw Exposes DoD Data
Key Takeaways A critical zero-authorization flaw in Schemata’s API exposed sensitive military training data and U.S. service member records. The vulnerability allowed low-privileged accounts to...
Key Takeaways
- A critical zero-authorization flaw in Schemata’s API exposed sensitive military training data and U.S. service member records.
- The vulnerability allowed low-privileged accounts to access cross-tenant information across the entire virtual training platform.
- Discovered by the Strix AI hacking agent, the flaw persisted for 150 days despite private disclosure before a patch was finally applied.
- Exposed data included personal details of service members, their stationed bases, and confidential training manuals, including those for explosive ordnance.
Zero-Authorization Flaw Uncovered in DoD Contractor’s Platform
A severe zero-authorization vulnerability within the API of Schemata, an AI-powered virtual training provider with active Department of Defense (DoD) contracts, led to the exposure of highly sensitive military training materials and personal records belonging to U.S. service members. The flaw, which originated from a complete absence of authorization boundaries and tenant isolation within the application’s API, allowed standard, low-privileged accounts to access data across the entire platform, bypassing intended access restrictions.
Table Of Content
The vulnerability was identified by Strix, an open-source AI hacking agent. During its assessment, Strix established a low-privilege baseline and mapped accessible API surfaces. It then successfully replayed high-value collection endpoints using a standard user session. The API failed to enforce organizational scoping or permission checks, meaning that instead of returning data limited to the test account, the system globally returned information from across the entire platform. Furthermore, the lack of authorization controls on write-enabled routes presented an additional risk, potentially allowing malicious actors to modify or delete training courses.
Massive Operational Security Risk from Exposed Data
The extent of the data exposure constituted a significant operational security risk. Through a user-listing endpoint, the unprivileged test account gained access to the entire user base. This included names, email addresses, enrollment data, and the specific military bases where U.S. service members were stationed. Such comprehensive personal data leaves personnel highly susceptible to targeted phishing campaigns and doxing attacks.
Beyond personal records, course and organization endpoints inadvertently leaked metadata and direct AWS S3 links to hundreds of confidential training manuals. Among these were a proprietary 3D virtual training course designed for naval maintenance personnel and Army field manuals detailing the safe handling, arming sequences, and tactical deployment of explosive ordnance.
Disclosure and Remediation Timeline
Strix privately reported the vulnerability to Schemata on December 2, 2025, as detailed in their blog post. Despite multiple follow-up attempts underscoring the critical nature of the exploit, the vulnerability remained unaddressed for several months. It wasn’t until May 1, 2026—a full 150 days after the initial disclosure and following a final notification of impending public disclosure—that Schemata acknowledged the exposed endpoints and implemented an immediate patch. The researchers have since confirmed the successful remediation.
For defense contractors, robust API security is not merely a best practice but a strict regulatory requirement under federal mandates such as DFARS 252.204-7012. The Cybersecurity Maturity Model Certification (CMMC) further obligates contractors handling Controlled Unclassified Information (CUI) to adhere to mandatory cybersecurity standards and breach-reporting protocols. The presence of a platform serving military training data without a fundamental API authorization layer represents a foundational security failure.
What You Should Do
- Customers and partners of Schemata, particularly those in the defense sector, should urgently inquire about access logs and the duration of the data exposure.
- Verify whether affected users or personnel have been formally notified regarding the incident.
- Review and reinforce internal policies for handling sensitive data, especially when engaging with third-party vendors and contractors.
- Ensure that all vendors comply with federal cybersecurity regulations like DFARS 252.204-7012 and CMMC requirements for API security and data protection.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.