March 21, 2025
10 Critical Network Pentest Findings IT Teams Overlook
After conducting over 10,000 automated internal network penetration tests last year, vPenTest has uncovered a troubling reality that many businesses still have critical security gaps that attackers can easily exploit. Organizations often assume that firewalls, endpoint protection, and SIEMs are enough to keep them secure. But how effective are these defenses when put to the test? That’s where

Mar 21, 2025The Hacker NewsNetwork Security / Vulnerability

After conducting over 10,000 automated internal network penetration tests last year, vPenTest has uncovered a troubling reality that many businesses still have critical security gaps that attackers can easily exploit.

Organizations often assume that firewalls, endpoint protection, and SIEMs are enough to keep them secure. But how effective are these defenses when put to the test? That’s where vPenTest, Vonahi Security’s automated network pentesting platform, comes in. Designed to simulate real-world attack scenarios, vPenTest helps organizations find exploitable vulnerabilities before cybercriminals can.

These aren’t complex, zero-day exploits. They’re misconfigurations, weak passwords, and unpatched vulnerabilities that attackers routinely exploit to gain access, move laterally, and escalate privileges within networks. Here’s how these risks break down:

  • 50% stem from misconfigurations – Default settings, weak access controls, and overlooked security policies.
  • 30% are due to missing patches – Unpatched systems that leave the door open for known exploits.
  • 20% involve weak passwords – Services running without proper authentication, making it easy for attackers to get in.

In this article, we’ll cover the ten most critical internal network security risks, breaking down what they are, why they’re dangerous, and how to fix them before they turn into real problems. We’ll start with the least common and work our way up to the number one issue we’ve seen across thousands of assessments with vPenTest. If these weaknesses exist in your environment, attackers will find them—it’s just a matter of time.

10. Password Deficiencies – Redis Service

CVSS3: 9.9

% of occurrence: 1.3%

What is it:

  • Redis is an in-memory key-value data store commonly used for caching, message brokering, and real-time analytics. By default, Redis does not enforce authentication, allowing clients to connect without credentials.

Security Impact:

  • If an adversary gains access to the Redis service, they may obtain sensitive data stored within the databases hosted on the server and possibly escalate privileges to gain system-level access, depending on the capabilities of the Redis service and the permissions associated with the compromised user account. This could lead to unauthorized data manipulation, data exfiltration, or further exploitation of the system.

Recommendation:

  • It is imperative to configure the Redis service to require a strong password that meets the organization’s password policy. A robust password should encompass the following criteria:
    • Minimum of 12 characters
    • Not easily guessable, e.g., not found in a dictionary
    • Combination of upper-case letters, lower case letters, numerical digits, and/or special characters
    • Verifiable against known compromised password databases (e.g., www.haveibeenpwned.com)
  • Additionally, utilizing a password manager can enhance security by generating complex passwords that are difficult to retrieve, even in the event that the password hash is obtained through a breach.

9. Firebird Servers Accept Default Credentials

CVSS3: 9.0

% of occurrence: 1.4%

What is it:

  • Default credentials are often hard-coded usernames and passwords intended for initial setup and should be changed promptly to maintain security. This issue arises when systems are deployed without reconfiguration or when default settings are overlooked during the setup process.

Security Impact:

  • The reliance on default credentials for Firebird servers can lead to unauthorized access, allowing attackers to authenticate and conduct reconnaissance on the affected systems. They could enumerate files or alter system configurations, thereby opening pathways to further exploitation. If the attacker identifies the location of Firebird database files, they may gain the ability to read or modify sensitive database information. Furthermore, certain versions of Firebird can be manipulated to execute system commands, thereby extending an attacker’s control over the remote host.

Recommendation:

  • To mitigate this vulnerability, it is essential to utilize the GSEC tool to change the default credentials associated with Firebird servers. Additionally, implementing a policy for regular credential audits and ensuring that all default settings are modified before deployment can further enhance security. Continuously monitoring server access logs for unauthorized attempts and enabling alerts for suspicious activities will aid in detecting potential exploitations early.

8. Microsoft Windows RCE (BlueKeep)

CVSS3: 9.8

% of occurrence: 4.4%

What is it:

  • BlueKeep is a remote code execution vulnerability in Microsoft’s Remote Desktop Protocol (RDP), identified as CVE-2019-0708.

Security Impact:

  • Exploitation of the BlueKeep vulnerability allows an attacker to assume complete control over the affected system(s). This level of access may facilitate further attacks within the organization’s infrastructure, including the potential extraction of sensitive data such as passwords and password hashes. Additionally, the attacker could navigate laterally within the network, compromising additional systems and services. The exploit’s nature means that no special privileges or authenticated access are required to execute the attack, thus simplifying the process for the attacker and amplifying the potential impact on the organization.

Recommendation:

  • It is critical to promptly apply all relevant security updates to the affected system(s) to mitigate the BlueKeep vulnerability. Organizations should conduct a thorough review of their patch management processes to identify factors contributing to the absence of timely updates. Given the exploitability of this vulnerability and its ability to severely compromise systems, an immediate response is essential to safeguarding the organization’s digital environment.

7. Microsoft Windows RCE (EternalBlue)

CVSS3: 9.8

% of occurrence: 4.5%

What is it:

  • EternalBlue is a remote code execution vulnerability in the Microsoft Server Message Block (SMBv1) protocol. It allows an attacker to send specially crafted packets to a vulnerable system, enabling unauthorized access and execution of arbitrary code with system-level privileges.

Security Impact:

  • Exploitation of the EternalBlue vulnerability allows an attacker to gain full administrative access to the affected system(s). This access can facilitate further malicious actions within the organization’s network, including the extraction of cleartext passwords and password hashes, as well as lateral movement to other systems. Importantly, this vulnerability does not require the attacker to escalate privileges on the compromised system, meaning they can initiate reconnaissance and further attacks without any additional effort.

Recommendation:

  • To mitigate the risk associated with the EternalBlue vulnerability, it is imperative to promptly apply the relevant security patches to all affected system(s). Additionally, a thorough review of the organization’s patch management program should be conducted to identify any deficiencies that led to the unpatched status of these systems. Given the high risk and prevalence of exploitation of this vulnerability, immediate remediation efforts are crucial.

6. IPMI Authentication Bypass

CVSS3: 10.0

% of occurrence: 15.7%

What is it:

  • The Intelligent Platform Management Interface (IPMI) is a critical hardware solution utilized by network administrators for centralized management of server(s). During the configuration of server(s) equipped with IPMI, certain vulnerabilities may exist that allow attackers to bypass the authentication mechanism remotely. This results in the extraction of password hashes, and in instances where default or weak hashing algorithms are employed, attackers could potentially recover the cleartext passwords.

Security Impact:

  • The ability to extract cleartext passwords presents a significant security risk, as an attacker could leverage this information to gain unauthorized remote access to sensitive services, including Secure Shell (SSH), Telnet, or web-based interfaces. Such unauthorized access could enable configurations manipulation, negatively impacting the availability and integrity of services provided by the compromised server(s).

Recommendation:

  • Given the absence of a patch for this vulnerability, it is essential to implement one or more of the following mitigation strategies:
    • Limit IPMI access strictly to authorized system(s) that require administrative functionalities.
    • Disable IPMI service on server(s) that do not need it for business operations.
    • Change default administrator password(s) to strong, complex alternatives to enhance security.
    • Employ secure communication protocols, such as HTTPS and SSH, to mitigate the risk of man-in-the-middle attacks that could expose sensitive credentials.

5. Outdated Microsoft Windows Systems

CVSS3: 9.8

% of occurrence: 24.9%

What is it:

  • Outdated Microsoft Windows system(s) present significant security risks, as they are no longer receiving critical updates from Microsoft. These system(s) may lack essential security patches addressing known vulnerabilities, effectively rendering them more susceptible to exploitation by attackers. Additionally, the absence of updates can result in compatibility issues with modern security tools and software, further diminishing the system(s)’ defenses. Vulnerabilities on outdated systems can often be exploited in attacks, such as malware distribution, data exfiltration, and unauthorized access.

Security Impact:

  • If exploited, an outdated Microsoft Windows system could allow an attacker to gain unauthorized access to the affected system(s), exposing sensitive data and resources. Furthermore, due to the potential similarity in configurations among system(s) within the same network, an attacker may utilize the compromised system(s) as a launching point to move laterally, compromising additional system(s) and increasing the overall footprint of the breach.

Recommendation:

  • It is strongly recommended to replace outdated versions of Microsoft Windows with current operating system(s) that are still supported by the manufacturer. This should include conducting a thorough inventory of all system(s) to identify and prioritize outdated versions, followed by implementing a phased upgrade strategy. Regularly verify that all system(s) are receiving the latest updates and patches to maintain security integrity.

4. IPv6 DNS Spoofing

CVSS3: 10.0

% of occurrence: 49.9%

What is it:

  • The risk of IPv6 DNS spoofing arises from the possible introduction of a rogue DHCPv6 server within the internal network infrastructure. Due to the preference of Microsoft Windows systems for IPv6 over IPv4, IPv6-capable clients are inclined to obtain their IP address configurations from any available DHCPv6 server.

Security Impact:

  • The deployment of a rogue DHCPv6 server allows an attacker to manipulate DNS requests by redirecting IPv6-enabled clients to utilize the attacker’s system as their DNS server. This capability can lead to serious consequences, such as the unauthorized capture of sensitive data, including user credentials. When all DNS queries resolve to the attacker’s server, the victim’s system may inadvertently communicate with malicious services operating on the attacker’s infrastructure, encompassing platforms such as SMB, HTTP, RDP, and MSSQL.

Recommendation:

  • To mitigate the risks associated with IPv6 DNS spoofing, the following strategies are recommended, with emphasis on aligning each approach with organizational operations and thorough testing prior to implementation:
    • Manage Rogue DHCP at the Network Layer: Implement features such as Rogue DHCP detection, DHCP snooping, and DHCP authentication on network switches and firewalls to control unauthorized DHCP servers and lessen the likelihood of DNS spoofing attacks.
    • Prefer IPv4 over IPv6: Utilize Group Policy Objects (GPOs) or Group Policy Preferences (GPPs) to deploy registry modifications that configure Windows systems to favor IPv4 over IPv6. It is important to note that this approach will not prevent attacks from affecting non-Windows devices.
    • Disable IPv6: While not generally advisable for Microsoft Windows systems, disabling IPv6 may be considered as a last resort precaution, provided thorough testing ensures there are no significant disruptions to business operations.

3. Link-Local Multicast Name Resolution (LLMNR) Spoofing

CVSS3: 9.8

% of occurrence: 65.5%

What is it:

Link-Local Multicast Name Resolution (LLMNR) is a protocol designed for name resolution within internal network environments when traditional Domain Name System (DNS) services are either unavailable or ineffective. LLMNR acts as a fallback mechanism, facilitating the resolution of DNS names through multicast queries. The resolution process unfolds as follows:

  1. The system first queries its local host file to find a corresponding IP address for the specified DNS name.
  2. If no local entry exists, the system initiates a DNS query directed at its configured DNS server(s) to resolve the name.
  3. Should the DNS server(s) fail to provide a resolution, the system broadcasts an LLMNR query across the local network, seeking responses from other hosts.

This reliance on multicast broadcasts introduces vulnerabilities, as any active system can respond to the queries, potentially misleading the requesting system.

Security Impact:

  • The broadcasting nature of LLMNR queries allows any system on the local network to respond with its own IP address in answer to a resolution request. Malicious actors can exploit this by sending crafted responses containing the attacker’s system’s address. This capability opens avenues for significant security breaches, particularly if the query is tied to sensitive services such as SMB, MSSQL, or HTTP. Successful redirection can facilitate the capture of sensitive information including plaintext and hashed account credentials. It is pertinent to note that hashed credentials can be subjected to modern brute-force attacks, thereby compromising account security.

Recommendation:

  • To mitigate the risks associated with LLMNR spoofing, it is critical to disable LLMNR functionality across affected systems. This can be accomplished through the following methods:
    • Group Policy Configuration: Navigate to Computer ConfigurationAdministrative TemplatesNetworkDNS Client and set ‘Turn off Multicast Name Resolution’ to Enabled. For administering configurations on a Windows Server 2003 domain controller, utilize the Remote Server Administration Tools for Windows 7 available at this link.
    • Registry Modification for Windows Vista/7/10 Home Edition: Access the registry at HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindows NTDNSClient and modify the ‘EnableMulticast’ key to 0 or remove it to disable the feature.

2. NetBIOS Name Service (NBNS) Spoofing

CVSS3: 9.8

% of occurrence: 73.3%

What it is:

The NetBIOS Name Service (NBNS) is a protocol utilized by workstations within an internal network to resolve domain names when a DNS server is unavailable or unresponsive. When a system attempts to resolve a DNS name, it follows these steps:

  1. The system first checks its local host file for an entry mapping the DNS name to an IP address.
  2. If no local mapping exists, the system sends a DNS query to its configured DNS server(s) in an attempt to retrieve the corresponding IP address.
  3. If the DNS server(s) cannot resolve the name, the system broadcasts an NBNS query across the local network, soliciting responses from other systems.

This dependency on broadcasts makes the NBNS vulnerable to spoofing attacks, wherein an attacker can respond with a false IP address.

Security Impact:

  • The broadcasting nature of NBNS queries means that any system on the local network can respond. This vulnerability can be exploited by malicious actors who may answer these queries with the IP address of the attacker’s system, redirecting traffic intended for legitimate services. For instance, services such as SMB, MSSQL, or HTTP could inadvertently send sensitive data, including cleartext or hashed account credentials, to the attacker’s system. Moreover, modern computational capabilities can facilitate the cracking of hashed credentials, potentially allowing unauthorized access to user accounts.

Recommendation:

  • To mitigate the risk of NBNS spoofing, it is advisable to disable the NetBIOS service across all hosts within the internal network. This can be accomplished through a variety of methods including configuration of DHCP options, adjustments to network adapter settings, or modifications to the system registry. Implementing these changes will significantly reduce the potential attack surface associated with NBNS.

1. Multicast DNS (mDNS) Spoofing

CVSS3: 9.8

% of occurrence: 78.2%

What it is:

Multicast DNS (mDNS) serves as a name resolution protocol for local networks, facilitating the resolution of domain names when a dedicated DNS server is unavailable. The resolution process occurs in stages:

  1. The system first consults its local host file for any appropriate DNS name/IP address mappings.
  2. In the absence of a configured DNS server, the system resorts to mDNS, broadcasting an IP multicast query requesting identification from the host corresponding to the DNS name. This protocol behavior exposes a potential vulnerability that malicious actors can exploit, enabling them to impersonate legitimate systems by responding to these queries.

Security Impact:

  • mDNS queries, which are transmitted across the local subnet, can be answered by any device capable of receiving them. This vulnerability allows an attacker to respond with their system’s IP address, potentially misleading the querying system. Such exploitation may lead to interception of sensitive information, including unencrypted and hashed credentials, depending on the specific service the victim is trying to access (e.g., SMB, MSSQL, HTTP). It should be noted that hashed credentials can often be compromised within a relatively short timeframe using contemporary computing resources and brute-force attack methodologies.

Recommendation:

  • To mitigate the risk of mDNS spoofing, the primary recommendation is to completely disable mDNS if it is not in use. On Windows systems, this can often be done by implementing the ‘Disable Multicast Name Resolution’ group policy. As many applications have the potential to reintroduce mDNS functionality, an alternative strategy is to block UDP port 5353 via the Windows firewall. For non-Windows systems, disabling services such as Apple Bonjour or avahi-daemon can provide similar protection.
  • It is important to note that disabling mDNS may disrupt functionalities such as screen casting and certain conference room technologies. Should complete disabling not be feasible, consider isolating affected systems within a controlled network segment and mandating the use of strong, complex passwords for any accounts that access these systems.

What Pentesting Reveals About Security Gaps

After analyzing tens of thousands of network assessments, one thing is clear—many security gaps aren’t the result of advanced hacking techniques but simple, avoidable mistakes. Weak passwords, forgotten misconfigurations, and unpatched systems create easy opportunities for attackers. These aren’t once-in-a-lifetime vulnerabilities. They’re recurring problems that show up in networks of all sizes, year after year.

Pentesting is like stress-testing your security before a real attacker does. It reveals how someone could break in, move around, and escalate privileges using the same tactics real-world attackers rely on. Time and again, assessments prove that even companies with strong defenses often have hidden weaknesses waiting to be exploited.

The problem? Most organizations still rely on annual pentests for compliance, leaving months of blind spots in between. That’s where vPenTest from Vonahi Security comes in. It delivers automated, on-demand network pentesting, so instead of waiting for an audit to tell you what went wrong, you can find and fix exploitable vulnerabilities year-round.

Cyber threats aren’t slowing down, so security testing shouldn’t either. Whether done manually or through automation, regular network pentesting is the key to staying ahead of attackers—not just checking a box for compliance. Want to explore vPenTest and see the power of automated network pentesting for yourself? Schedule a free demo of vPenTest!

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related News

China-Linked APT Aquatic Panda: 10-Month Campaign, 7 Global Targets, 5 Malware Families China-Linked APT Aquatic Panda: 10-Month Campaign, 7 Global Targets, 5 Malware Families

China-Linked APT Aquatic Panda: 10-Month Campaign, 7 Global Targets, 5 Malware Families

Kaspersky Links Head Mare to Twelve, Targeting Russian Entities via Shared C2 Servers Kaspersky Links Head Mare to Twelve, Targeting Russian Entities via Shared C2 Servers

Kaspersky Links Head Mare to Twelve, Targeting Russian Entities via Shared C2 Servers

Ongoing Cyber Attacks Exploit Critical Vulnerabilities in Cisco Smart Licensing Utility Ongoing Cyber Attacks Exploit Critical Vulnerabilities in Cisco Smart Licensing Utility

Ongoing Cyber Attacks Exploit Critical Vulnerabilities in Cisco Smart Licensing Utility

How to Protect Your Business from Cyber Threats: Mastering the Shared Responsibility Model How to Protect Your Business from Cyber Threats: Mastering the Shared Responsibility Model

How to Protect Your Business from Cyber Threats: Mastering the Shared Responsibility Model

You may have missed

The Magnificent 7’s lousy year, by the numbers The Magnificent 7's lousy year, by the numbers

The Magnificent 7’s lousy year, by the numbers

Vivo Y39 5G Likely to Launch in India Soon; Price, Key Features Leaked Vivo Y39 5G Likely to Launch in India Soon; Price, Key Features Leaked

Vivo Y39 5G Likely to Launch in India Soon; Price, Key Features Leaked

WhatsApp Could Soon Bring AI Rewrite and Meta AI Calls Features WhatsApp Could Soon Bring AI Rewrite and Meta AI Calls Features

WhatsApp Could Soon Bring AI Rewrite and Meta AI Calls Features

‘Made in India’ Smartphone Shipments Grew 6 Percent YoY in 2024 ‘Made in India’ Smartphone Shipments Grew 6 Percent YoY in 2024

‘Made in India’ Smartphone Shipments Grew 6 Percent YoY in 2024

OpenAI’s New Audio Models in API Can Be Used to Build Speaking AI Agents OpenAI’s New Audio Models in API Can Be Used to Build Speaking AI Agents

OpenAI’s New Audio Models in API Can Be Used to Build Speaking AI Agents

Samsung Galaxy S25 Edge India Launch Timeline Tipped Samsung Galaxy S25 Edge India Launch Timeline Tipped

Samsung Galaxy S25 Edge India Launch Timeline Tipped