When the Shield is the Vulnerability: A National C-UAS System Left Open to the Internet
During routine threat hunting, we identified what initially appeared to be a command-and-control dashboard exposed on a residential ISP address. The label on the login page matched a legitimate defense technology company. We expected to close the lead quickly as a false positive.
We were wrong.
What we found was a fully operational counter-drone defense platform protecting over 30 critical national infrastructure sites -- nuclear power plants, petroleum storage facilities, airports, military installations, and a head-of-state protection detail -- with its management interfaces exposed to the public internet.
The system was not compromised. It was not impersonated. It was simply misconfigured. And the data it leaked without authentication was staggering.
What was exposed
By accessing nothing more than the login page and a handful of unauthenticated API endpoints, we recovered:
- The complete list of every protected site, including facility names, locations, and operational status
- Internal network topology for sensor and effector equipment, including IP addresses and port assignments for radars, cameras, RF scanners, GPS spoofers, and signal jammers
- Jammer frequency band configurations, revealing exactly which frequencies are covered -- and which are not
- GPS spoofer capabilities across multiple satellite navigation systems
- The full customer list, including nuclear power operators, petroleum companies, military units, and a presidential security detail
- Every security control on the platform disabled: no password expiry, no session timeout, no strong credentials, no HTTPS, and debug mode active in production
Why this matters
Counter-UAS systems exist to protect critical infrastructure from drone threats. If an adversary obtained this data, they would know:
- Exactly where drone defenses are deployed and where gaps exist
- What frequencies are jammed and what frequencies are not
- The GPS spoofing capabilities they would need to defeat
- The physical locations of every sensor installation
- Which facilities have coverage and which do not
This is not theoretical. Nation-state adversaries actively target defense contractors in this region. The company's infrastructure showed signs of limited security maturity -- outdated software, mixed operating systems, expired TLS certificates, and database ports exposed to the internet -- making it a high-value, low-effort target.
What we did
We documented the exposure without accessing any authenticated functionality, creating accounts, or modifying data. Everything in this report was obtained from publicly accessible, unauthenticated endpoints.
We submitted a detailed vulnerability disclosure to both the company and the relevant national CERT within 24 hours of discovery. The disclosure includes specific remediation steps and a 72-hour window for initial firewalling before any public identification.
As of the date of this post, one of the two exposed management interfaces has recently been firewalled. The other remains accessible.
What we are withholding
Until we receive confirmation that the exposure has been fully remediated, we are not publishing:
- The name of the company or the country
- IP addresses or domain names
- The specific sites or facilities affected
- Screenshots or raw API responses
- The full technical report
We will publish a complete technical writeup with IOCs and detection guidance once the vendor confirms remediation, or after a reasonable disclosure window has elapsed.
The broader lesson
This case illustrates a pattern we see repeatedly in threat hunting: the tools built to defend critical infrastructure become the vulnerability when deployed without basic security hygiene.
A counter-drone system that can be inventoried from the public internet is worse than no system at all -- it gives an adversary a precise map of defenses they would otherwise have to discover through costly reconnaissance.
Defense technology companies, particularly small and mid-sized contractors with strong domain expertise but thin IT security teams, need to treat their own infrastructure with the same rigor they bring to the systems they protect.
VPN access for all management interfaces. Authentication on every endpoint. HTTPS everywhere. These are not optional for systems guarding nuclear facilities.
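As an added illustration of two of those controls (authentication on every endpoint and a session timeout), and not code from the vendor or the platform described here: a minimal Python route dispatcher in which route registration itself wraps every handler in an auth check, so an open endpoint cannot be added by omission, and server-side sessions expire after idle time. The endpoint path, the inventory contents and the 15-minute timeout are assumed placeholders.

```python
import secrets
import time

# Constructed placeholder inventory; the real site list is withheld by the post.
SITE_INVENTORY = [{"site": "placeholder-site-1", "status": "online"}]
SESSION_IDLE_TIMEOUT = 15 * 60  # seconds; the exposed platform had no timeout


class SessionStore:
    """Server-side sessions with an idle timeout; clock is injectable for tests."""
    def __init__(self, clock=time.monotonic):
        self._last_seen = {}  # token -> time of last valid use
        self._clock = clock

    def create(self):
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._last_seen[token] = self._clock()
        return token

    def is_valid(self, token):
        last = self._last_seen.get(token)
        if last is None:
            return False
        if self._clock() - last > SESSION_IDLE_TIMEOUT:
            del self._last_seen[token]  # idle too long: force a fresh login
            return False
        self._last_seen[token] = self._clock()  # sliding idle window
        return True


def build_app(store):
    """Return dispatch(path, request); every registered route is auth-gated."""
    routes = {}

    def route(path, handler):
        # Registration wraps every handler, so no route can be left open.
        def gated(request):
            token = request.get("session")
            if not token or not store.is_valid(token):
                return 401, {"error": "authentication required"}
            return handler(request)
        routes[path] = gated

    route("/api/sites", lambda request: (200, {"sites": SITE_INVENTORY}))

    def dispatch(path, request):
        handler = routes.get(path)
        if handler is None:
            return 404, {"error": "not found"}
        return handler(request)
    return dispatch
```

Requests are modelled as plain dicts carrying an optional session token; a real deployment would bind the same checks to HTTPS cookies behind the VPN.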
We will update this post when the full report is available.
Investigation by GHOST -- Breakglass Intelligence intel.breakglass.tech | @BreakGlassIntel