
A Real World Example: Demonstrating the Value of Early Threat Discovery

Marley Ching

At Vigil Kiwi, we believe that meaningful cybersecurity insight doesn’t require invasive access or expensive tooling—sometimes, even a light scan can uncover critical gaps.

In this anonymised case study, we share findings from a reconnaissance engagement performed for a real client using our Light Scan offering. This report reflects genuine results from surface-level scanning, including open ports, subdomain enumeration, and discovery of sensitive web resources.

While this scan was intentionally non-intrusive, it still revealed misconfigurations and publicly exposed assets that could be leveraged in a real-world attack. The purpose of sharing this is twofold:

  1. To provide transparency into the type of work we do with real organisations.

  2. To demonstrate the value even our most lightweight assessments can offer.

All identifying information has been redacted to preserve client confidentiality.


 


Cybersecurity Reconnaissance Summary

Prepared by: Vigil Kiwi

Client: REDACTED

Date: 21 July 2025

 


 

Executive Summary

This report compiles the findings from multiple reconnaissance assessments—port scanning, subdomain enumeration, URL fuzzing, and web crawling—conducted against the REDACTED domain: REDACTED. These tests were executed using light scanning techniques and represent an initial overview of your attack surface. Deeper insights are available through more comprehensive scanning options.


 

1. Port Scan Findings

Target: REDACTED
IP Address: REDACTED
Scan Duration: 35 seconds
Scan Type: TCP SYN (Top 1000 Ports)
Result: 3 open ports identified

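| Port | Protocol | Service | Version/Details             |
|------|----------|---------|-----------------------------|
| 22   | TCP      | SSH     | OpenSSH 9.6p1, Protocol 2.0 |
| 80   | TCP      | HTTP    | nginx                       |
| 443  | TCP      | HTTPS   | nginx                       |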

Implication:

  • OpenSSH and nginx services are publicly accessible. These should be regularly patched.

  • Port 22 (SSH) being externally available increases the risk of brute-force attacks; it is recommended to limit access via IP whitelisting or VPN.


 

2. Subdomain Enumeration

Total Subdomains Discovered: 8
Notable Subdomains:

| Subdomain                       | IP Address |
|---------------------------------|------------|
| msoid.REDACTED                  | REDACTED   |
| enterpriseregistration.REDACTED | REDACTED   |
| autodiscover.REDACTED           | REDACTED   |
| enterpriseenrollment.REDACTED   | REDACTED   |
| remote.REDACTED                 | REDACTED   |
| www.REDACTED                    | REDACTED   |

Implication:

  • Subdomains like remote and autodiscover often interface with sensitive services (e.g., RDP or Exchange). These should be monitored for exposure.

  • Ensure proper security controls (e.g., WAF, MFA) are enforced across all subdomains.


 

3. URL Fuzzing (Hidden Paths and Files)

Target URL: https://REDACTED.com/FUZZ
Scan Duration: 13 hours 9 minutes
Total Discovered Items: 44

Key Findings:

  • Sensitive Config Files (Forbidden/Accessible):

    • .htaccess, .htpasswd, .user.ini (403 – potentially accessible if misconfigured)

    • wp-config.php (200 OK – indicates public access to critical WordPress config file)

    • license.txt, robots.txt, search/token.json (200 OK – publicly accessible)

  • Admin Interfaces:

    • /admin, /admin/index.php, /login, /login.php (302 redirects suggest active login endpoints)

    • /wp-admin, /dashboard (possible CMS or management panels)

  • System & Debug Endpoints:

    • /actuator/status, /debug/status, /server-status, /mgmt/tm/sys/management (403/301 – may leak infrastructure details or support further exploitation)

Implication:

  • Presence of .php, .ini, and management endpoints indicates potential attack vectors.

  • Some endpoints return 200 or redirect instead of denying access outright, which could be leveraged for probing or attacks.
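A status code shows how the server answered, not what it returned, so each hit needs a second look before it is rated. The following is an added example (not part of the original report or Vigil Kiwi's tooling) that triages fuzzing results by path class, status code and response body; the leak markers, severity labels and sample bodies are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Path classes taken from the findings listed above.
SENSITIVE_FILES = {".htaccess", ".htpasswd", ".user.ini", "wp-config.php"}
LOGIN_PATHS = {"admin", "admin/index.php", "login", "login.php", "wp-admin", "dashboard"}
MGMT_PATHS = {"actuator/status", "debug/status", "server-status", "mgmt/tm/sys/management"}
# Assumed markers: their presence in a body means source or credentials were disclosed.
LEAK_MARKERS = ("<?php", "DB_PASSWORD", "AuthUserFile", "$apr1$")

@dataclass
class Hit:
    path: str
    status: int
    body: str = ""

def triage(hit: Hit) -> tuple[str, str]:
    """Return (severity, reason) for one fuzzing result."""
    p = hit.path.strip("/")
    if p in SENSITIVE_FILES:
        if hit.status == 200 and any(m in hit.body for m in LEAK_MARKERS):
            return "critical", "file contents disclosed; rotate secrets and block the path"
        if hit.status == 200:
            return "medium", "served without a content leak (e.g. PHP executed); still deny the path"
        if hit.status in (401, 403):
            return "low", "file exists but access is denied; confirm the deny rule is explicit"
    if p in MGMT_PATHS and hit.status != 404:
        return "medium", "management/debug endpoint answers; restrict to internal networks"
    if p in LOGIN_PATHS and hit.status in (200, 301, 302):
        return "medium", "live login endpoint; enforce MFA and rate limiting"
    if hit.status == 200:
        return "info", "publicly readable; review for unintended disclosure"
    return "info", "no action from status alone"

# Constructed sample results mirroring the status codes reported above; bodies are invented.
SAMPLE = [
    Hit("wp-config.php", 200, ""),
    Hit("wp-config.php", 200, "<?php define('DB_PASSWORD', 'example');"),
    Hit(".htpasswd", 403),
    Hit("server-status", 403),
    Hit("login.php", 302),
    Hit("robots.txt", 200, "User-agent: *"),
]

def report(hits):
    """Rows of (severity, path, status), most severe first."""
    order = {"critical": 0, "medium": 1, "low": 2, "info": 3}
    rows = [(triage(h)[0], h.path, h.status) for h in hits]
    return sorted(rows, key=lambda r: order[r[0]])

if __name__ == "__main__":
    for sev, path, status in report(SAMPLE):
        print(f"{sev:8} {status} /{path}")
```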


 

Recommendations

  1. Restrict Public Access:

    • Limit SSH (port 22) exposure to trusted IPs only.

    • Block or secure access to critical endpoints such as wp-config.php, /admin, and /login.

  2. Patch and Monitor Web Services:

    • Ensure nginx and OpenSSH are kept up to date.

    • Implement file integrity monitoring for sensitive web resources.

  3. Harden Subdomains:

    • Review and audit each discovered subdomain.

    • Apply the principle of least privilege and zero trust access control.

  4. Consider Deeper Scanning:

    • The current scans were conducted with light parameters. A full deep scan is recommended to uncover more comprehensive vulnerabilities and risks.


 

Conclusion

The reconnaissance assessment has identified key areas of external exposure for REDACTED. While no immediate critical vulnerabilities were detected in this phase, the findings indicate opportunities for hardening and improved access control. Vigil Kiwi recommends a follow-up deep-dive vulnerability assessment to more thoroughly evaluate the security posture.


 

If you require further analysis or assistance in remediation, our team at Vigil Kiwi is available to support your cyber resilience strategy.


 

Prepared by:
Vigil Kiwi Cyber Security Team
Wellington, New Zealand
Security@TVK.nz | www.TVK.nz
