Saturday, May 24, 2025
HomeCyber Security NewsHackers Seize Control of 3,000 Companies Through Critical Vulnerabilities

Hackers Seize Control of 3,000 Companies Through Critical Vulnerabilities

Published on

SIEM as a Service

Follow Us on Google News

In a groundbreaking cybersecurity investigation, researchers identified several critical vulnerabilities in a target system, eventually gaining control over 3,000 subsidiary companies managed by a parent organization.

The exploration leveraged flaws in API configurations, bypassed key security protocols, and exposed sensitive employee and customer data.

This research spanned three weeks and demonstrated the persistent risks of inadequate access controls in modern, API-driven infrastructures.

- Advertisement - Google News

The research team discovered these exploits while conducting tests on an organization’s APIs.

During their assessments, they identified unusual responses when submitting certain requests, which hinted at potential backend API access via path traversal.

Explaination of Frontend And Backend Paths.
Explaination of Frontend And Backend Paths.

The researchers attempted to use the traversal method but encountered a Web Application Firewall (WAF) blocking the requests.

However, through further analysis of JavaScript (JS) files, they located a production domain that bypassed the WAF’s restrictions, opening the door for deeper exploration.

Are you from SOC/DFIR Teams? - Analyse Malware Files & Links with ANY.RUN Sandox -> Try for Free

Backend Exposure

The researchers conducted extensive fuzzing, eventually uncovering an application.wadl endpoint linked to microservices responsible for the company’s payment system.

This endpoint mapped frontend API paths to internal backend microservices.

The team exploited this to extract sensitive operational data, including employee Personally Identifiable Information (PII), fingerprints, and customer invoices via mobile numbers.

These findings underscored a failure in backend request validation, allowing unauthorized access to confidential documents.

The investigation then led to an administrative superpanel managing all 3,000 subsidiary companies.

Initially, access to this panel required valid authentication credentials.

Employing username enumeration and custom wordlist-based brute-forcing, the researchers successfully bypassed the login, gaining administrative control.

Internal superadmin login page
Internal superadmin login page

This enabled them to modify national IDs, passwords, and other sensitive data across the company’s entire ecosystem.

Bypassing KYC Verification for Telecom Number Takeover

In a parallel attack on the company’s telecom operations, the researchers found methods to bypass Know Your Customer (KYC) checks.

Originally, backend requests for number transfers returned a “417 Expectation Failed” error.

However, by directly interacting with the backend API, they bypassed these checks and transferred customer phone numbers with fraudulent credentials, exposing subscribers to account takeover and identity theft.

One of the critical exploits relied on discrepancies in how the organization’s APIs handled authentication and authorization.

While the Frontend API blocked unauthorized requests, the Backend API interpreted malformed path traversal requests differently, bypassing authentication.

This revealed a fundamental weakness in request normalization and path sanitization practices.

This case illustrates the severe consequences of overlooking backend API security.

The researchers reported the vulnerabilities, and while the organization addressed certain issues, the scope of the discovered risks demanded a comprehensive overhaul of security practices.

Key recommendations include implementing uniform request validation across frontend and backend systems, enforcing WAF protections in all environments, and periodically auditing API endpoints for misconfigurations.

This extensive exploit chain highlights how minor misconfigurations, when methodically exploited, can snowball into catastrophic breaches, affecting thousands of users and stakeholders.

Cybersecurity professionals must treat API protection as a cornerstone of modern security strategies.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...