Your risk exceeds acceptable thresholds. Bullium Consulting can help you prioritize remediation and reduce your attack surface.
This assessment was conducted using the Bullium Consulting netvuln-tool v4.1.0, a modular network reconnaissance and vulnerability assessment framework.
Phases Executed: discovery, enumeration, vuln, report
Tools Used: nmap, dig, whois, openssl, curl, smbclient, snmpwalk
Assessment Workflow:
Each finding is assigned a severity level according to its CVSS score, using the mapping below:
| CVSS Score | Severity | Description |
|---|---|---|
| 9.0 – 10.0 | Critical | Exploitable vulnerabilities with maximum impact |
| 7.0 – 8.9 | High | Significant vulnerabilities requiring prompt action |
| 4.0 – 6.9 | Medium | Moderate issues that should be addressed |
| 0.1 – 3.9 | Low | Minor issues with limited impact |
| 0.0 / N/A | Info | Informational findings, no direct risk |
The overall risk score is computed from finding counts weighted by severity, plus bonuses for high-risk exposed services:
Score = (Critical × 25) + (High × 15) + (Medium × 5) + (Low × 1) + Port Bonuses
| Component | Points | Examples |
|---|---|---|
| Critical finding | 25 each | RCE, default credentials, SQL injection |
| High finding | 15 each | Weak SSL/TLS, SMB null sessions, anonymous FTP |
| Medium finding | 5 each | Missing headers, outdated software, weak SSH |
| Low finding | 1 each | Banner disclosure, minor config issues |
| Cleartext service | +10 each | Telnet (23), FTP (21) |
| Management port | +8 each | RDP (3389), VNC (5900), MySQL (3306), PostgreSQL (5432), SQL Server (1433), MongoDB (27017), Redis (6379) |
The score is capped at 100. A score of 0 indicates no findings or risks detected.
| Grade | Score Range | Rating |
|---|---|---|
| A | 0 – 20 | Excellent, Minimal risk exposure |
| B | 21 – 40 | Good, Low risk, minor issues |
| C | 41 – 60 | Fair, Moderate risk, action recommended |
| D | 61 – 80 | Poor, Significant risk, remediation needed |
| F | 81 – 100 | Critical, Severe exposure, immediate action required |
Each remediation item is classified by the level of expertise required to implement the fix:
| Difficulty | Definition | Examples |
|---|---|---|
| self-service | Can be resolved by your internal team without specialized security expertise | Configuration changes, software updates, header additions |
| professional | Requires specialized security expertise or vendor engagement to resolve | Architecture redesign, custom security controls, vendor coordination |
When multiple scans of the same target exist, the current score is compared to the most recent prior scan to determine trend direction: Improving (score decreased), Worsening (score increased), or Stable (no change).
| ID | Severity | Host | Port | Finding | Description |
|---|---|---|---|---|---|
| F016 | critical | 10.0.0.10 | 8080 | SQL Injection in Production Web Application | The Apache Tomcat application on the production web server is vulnerable to SQL injection via the 'id' parameter on the /api/products endpoint. An attacker can extract, modify, or delete database contents and potentially achieve remote code execution through stacked queries. |
| F051 | critical | 10.0.0.40 | 445 | SMBv1 Enabled, EternalBlue Vulnerable | The file server has SMBv1 protocol enabled, which is vulnerable to the EternalBlue exploit (MS17-010). This allows remote code execution without authentication and was the attack vector used by the WannaCry and NotPetya ransomware campaigns. |
| F079 | critical | 10.0.0.70 | 80 | Default Administrator Credentials on Printer Web Interface | The HP printer embedded web server is accessible with default administrator credentials (admin/admin). This allows full control of the printer including firmware updates, network configuration changes, and access to stored print jobs which may contain sensitive documents. |
| F011 | high | 10.0.0.10 | 443 | Outdated TLS 1.0 Protocol Supported | The web server supports TLS 1.0, which has known cryptographic weaknesses and is deprecated by IETF RFC 8996. PCI DSS requires disabling TLS 1.0. |
| F022 | high | 10.0.0.11 | 443 | Outdated TLS 1.1 Protocol Supported | The staging web server supports TLS 1.1, which has known cryptographic weaknesses and is deprecated by IETF RFC 8996. |
| F028 | high | 10.0.0.1 | 22 | Weak SSH Key Exchange and Cipher Algorithms | The firewall SSH service supports weak key exchange algorithms (diffie-hellman-group1-sha1) and ciphers (3des-cbc, arcfour) which are considered cryptographically weak and susceptible to downgrade attacks. |
| F035 | high | 10.0.0.20 | 3306 | MySQL Port Exposed to Network Without IP Restrictions | The MySQL database on the production server is listening on all interfaces (0.0.0.0) on port 3306 without firewall restrictions. This exposes the database to brute-force attacks and potential unauthorized access from any host on the network. |
| F058 | high | 10.0.0.50 | 25 | Unencrypted SMTP Relay Accepts External Connections | The mail server accepts SMTP connections on port 25 without requiring STARTTLS encryption and allows relay from internal network addresses without authentication. This can be exploited for spam relay and email spoofing. |
| F062 | high | 10.0.0.5 | 389 | LDAP Signing Not Required on Domain Controller | The domain controller does not require LDAP signing, which allows man-in-the-middle attacks to intercept and modify LDAP traffic. This can lead to credential theft and unauthorized directory modifications. |
| F073 | high | 10.0.0.60 | 443 | VPN Split Tunneling Misconfiguration | The OpenVPN Access Server is configured with split tunneling enabled, allowing VPN clients to access both the corporate network and the internet simultaneously. This bypasses network security controls and can be used as a pivot point for attacks. |
| F074 | high | 10.0.0.6 | 445 | Missing Critical Security Patches (MS17-010 Variant) | The backup domain controller running Windows Server 2016 is missing critical security patches including MS17-010 variants. The system appears to be several patch cycles behind, exposing it to known remote code execution vulnerabilities. |
| F004 | medium | 10.0.0.100 | 3389 | RDP Without Network Level Authentication (NLA) | The admin workstation allows RDP connections without requiring Network Level Authentication, making it susceptible to man-in-the-middle attacks and brute-force attempts at the login screen level. |
| F006 | medium | 10.0.0.10 | 443 | Missing Content-Security-Policy Header | The web server does not implement a Content-Security-Policy header, increasing risk of cross-site scripting and data injection attacks. |
| F007 | medium | 10.0.0.10 | 443 | Missing Referrer-Policy Header | The web server does not set a Referrer-Policy header, potentially leaking sensitive URL information to third-party sites. |
| F008 | medium | 10.0.0.10 | 443 | Missing X-Content-Type-Options Header | The web server does not set the X-Content-Type-Options header, allowing browsers to MIME-sniff responses which could lead to XSS attacks. |
| F009 | medium | 10.0.0.10 | 443 | Missing X-Frame-Options Header | The web server does not set the X-Frame-Options header, making it potentially vulnerable to clickjacking attacks. |
| F012 | medium | 10.0.0.10 | 443 | Self-Signed SSL Certificate | The production web server uses a self-signed SSL certificate, which is not trusted by browsers and vulnerable to man-in-the-middle attacks. |
| F017 | medium | 10.0.0.10 | 8080 | Tomcat Manager Application Accessible | The Apache Tomcat Manager application is accessible on the production web server. |
| F020 | medium | 10.0.0.11 | 443 | Missing Content-Security-Policy Header | The staging web server does not implement a Content-Security-Policy header. |
| F021 | medium | 10.0.0.11 | 443 | Missing X-Frame-Options Header | The staging web server does not set the X-Frame-Options header. |
| F023 | medium | 10.0.0.11 | 443 | Self-Signed SSL Certificate | The staging web server uses a self-signed SSL certificate. |
| F031 | medium | 10.0.0.1 | 8443 | Firewall Management Interface on Non-Segmented Network | The pfSense firewall management interface is accessible from the general network on port 8443. Management interfaces should be restricted to a dedicated management VLAN. |
| F034 | medium | 10.0.0.20 | 1433 | SQL Server with Weak SA Password Policy | The SQL Server instance has the SA account enabled with password policy enforcement disabled, increasing risk of brute-force attacks. |
| F042 | medium | 10.0.0.30 | 8080 | Tomcat Manager Application Accessible | The Apache Tomcat Manager application is accessible at /manager/html on app-01, which could allow deployment of malicious applications if credentials are compromised. |
| F043 | medium | 10.0.0.30 | 8443 | Self-Signed SSL Certificate | The application server uses a self-signed SSL certificate. |
12 remediation items identified. The check commands associated with them are listed below:

```bash
# F051: SMBv1 / MS17-010 on the file server
nmap --script smb-vuln-ms17-010 -p 445 10.0.0.40
# F079: default credentials on the printer web interface
curl -s -o /dev/null -w '%{http_code}' -u admin:admin http://10.0.0.70/hp/device/SignIn/Index
# F016: SQL injection in the production web application
sqlmap -u 'http://10.0.0.10:8080/api/products?id=1' --batch --level=3
# F074: missing MS17-010 patches on the backup domain controller
nmap --script smb-vuln-ms17-010 -p 445 10.0.0.6
# F011 / F022: outdated TLS versions (substitute the target for {host})
nmap --script ssl-enum-ciphers -p 443 {host}
# F062: LDAP signing on the domain controller
ldapsearch -x -H ldap://10.0.0.5 -b 'dc=acme,dc=local' 2>&1 | grep -i 'strong auth'
# F035: MySQL listening on all interfaces
nmap -p 3306 10.0.0.20 --reason
# F028: weak SSH key exchange and cipher algorithms on the firewall
ssh -vv 10.0.0.1 2>&1 | grep -i 'kex\|cipher'
# F058: SMTP without STARTTLS on the mail server
echo 'EHLO test' | openssl s_client -connect 10.0.0.50:25 -starttls smtp 2>/dev/null | grep -i tls
# F073: VPN split tunneling (default route should go through the tunnel)
openvpn --config client.ovpn && ip route | grep -i default
# Network segmentation check (should show a firewall hop if segmented)
traceroute 10.0.0.70
# F006-F009 / F020-F021: missing security headers (substitute the target for {host})
curl -sI https://{host} | grep -iE 'x-frame|x-content|referrer|content-security'
```
Vulnerability findings mapped to industry compliance frameworks. Gap analysis shows controls without associated findings.
| Framework | Control ID | Control Name | Findings | Status |
|---|---|---|---|---|
| CIS | 13.4 | Perform Traffic Filtering Between Network Zones | F031 | |
| CIS | 16.11 | Use Standard Hardening Configurations for Application Infrastructure | F016 | |
| CIS | 18.3 | Remediate Penetration Test Findings | F013, F014, F024, F036, F038, F041, F045, F072, F080, F086 | |
| CIS | 3.10 | Encrypt Sensitive Data in Transit | F011, F012, F022, F023, F043, F047, F053, F054, F058, F078, F083 | |
| CIS | 3.4 | Enforce Data Retention | F035 | |
| CIS | 4.8 | Uninstall or Disable Unnecessary Services | F003, F004, F008, F009, F010, F015, F018, F021, F025, F026, F030, F032, F033, F037, F039, F040, F044, F049, F050, F051, F052, F055, F059, F060, F061, F063, F064, F066, F067, F069, F070, F071, F074, F075, F076, F077, F081, F082, F084, F087 | Exception |
| CIS | 5.2 | Use Unique Passwords | F028 | |
| NIST | PR.AC-3 | Remote access is managed | F004, F028, F052, F081, F087 | Exception |
| NIST | PR.AC-5 | Network integrity is protected | F031 | |
| NIST | PR.DS-1 | Data-at-rest is protected | F035 | |
| NIST | PR.DS-2 | Data-in-transit is protected | F011, F012, F022, F023, F043, F047, F053, F054, F058, F066, F076, F078, F083 | |
| NIST | PR.IP-1 | Configuration baselines | F003, F008, F009, F010, F013, F014, F015, F016, F018, F021, F024, F025, F026, F030, F032, F033, F036, F037, F038, F039, F040, F041, F044, F045, F049, F050, F051, F055, F059, F060, F061, F063, F064, F067, F069, F070, F071, F072, F074, F075, F077, F080, F082, F084, F086 | Exception |
| PCI | 1.3.3 | Restrict inbound and outbound traffic | F031, F066, F076 | |
| PCI | 2.2.4 | Only necessary services, protocols enabled | F003, F010, F015, F018, F025, F026, F030, F032, F033, F037, F039, F040, F044, F049, F050, F051, F052, F055, F059, F060, F061, F063, F064, F067, F069, F070, F071, F074, F075, F077, F081, F082, F084, F087 | Exception |
| PCI | 2.2.7 | All non-console admin access encrypted | F004, F028, F053, F054, F058 | Exception |
| PCI | 4.2.1 | Strong cryptography for transmission | F011, F012, F022, F023, F043, F047, F078, F083 | |
| PCI | 6.2.4 | Manage software vulnerabilities | F035 | |
| PCI | 6.5.1 | Injection flaws | F016 | |
| PCI | 6.5.10 | Broken authentication and session management | F008, F009, F021 | Exception |
| PCI | 6.5.6 | Information leakage | F013, F014, F024, F036, F038, F041, F045, F072, F080, F086 | |
| SOC | CC6.1 | Logical access security | F004, F013, F014, F024, F028, F035, F036, F038, F041, F045, F051, F052, F072, F074, F080, F081, F086, F087 | Exception |
| SOC | CC6.6 | Restrict external access | F031, F066, F076 | |
| SOC | CC6.7 | Restrict transmission, movement, and removal | F011, F022, F053, F054, F058, F083 | |
| SOC | CC7.1 | Detect and act on infrastructure changes | F016 | |
OS: Linux 4.15 - 5.19 (96%)
Open Ports: 3
MAC Address: 00:1A:2B:3C:4D:01
| Port | Protocol | State | Service | Version |
|---|---|---|---|---|
| 22 | tcp | open | ssh | OpenSSH 8.9p1 (protocol 2.0) |
| 443 | tcp | open | ssl/http | nginx 1.24.0 |
| 8443 | tcp | open | ssl/https-alt | pfSense webConfigurator |
OS: Windows Server 2019 (95%)
Open Ports: 6
MAC Address: 00:1A:2B:3C:4D:05
| Port | Protocol | State | Service | Version |
|---|---|---|---|---|
| 53 | tcp | open | domain | Microsoft DNS 10.0.17763 |
| 88 | tcp | open | kerberos-sec | Microsoft Windows Kerberos |
| 135 | tcp | open | msrpc | Microsoft Windows RPC |
| 389 | tcp | open | ldap | Microsoft Windows Active Directory LDAP |
| 445 | tcp | open | microsoft-ds | Windows Server 2019 Standard 17763 |
| 636 | tcp | open | ssl/ldap | Microsoft Windows Active Directory LDAP |
OS: Windows Server 2016 (93%)
Open Ports: 5
MAC Address: 00:1A:2B:3C:4D:06
| Port | Protocol | State | Service | Version |
|---|---|---|---|---|
| 53 | tcp | open | domain | Microsoft DNS 10.0.14393 |
| 88 | tcp | open | kerberos-sec | Microsoft Windows Kerberos |
| 135 | tcp | open | msrpc | Microsoft Windows RPC |
| 389 | tcp | open | ldap | Microsoft Windows Active Directory LDAP |
| 445 | tcp | open | microsoft-ds | Windows Server 2016 Standard 14393 |
OS: Linux 5.4 - 5.15 (97%)
Open Ports: 3
MAC Address: 00:1A:2B:3C:4D:10
| Port | Protocol | State | Service | Version |
|---|---|---|---|---|
| 80 | tcp | open | http | Apache httpd 2.4.52 |
| 443 | tcp | open | ssl/http | Apache httpd 2.4.52 |
| 8080 | tcp | open | http | Apache Tomcat 9.0.65 |
OS: Linux 5.4 - 5.15 (96%)
Open Ports: 2
MAC Address: 00:1A:2B:3C:4D:11
| Port | Protocol | State | Service | Version |
|---|---|---|---|---|
| 80 | tcp | open | http | nginx 1.22.1 |
| 443 | tcp | open | ssl/http | nginx 1.22.1 |
OS: Linux 5.4 - 5.15 (95%)
Open Ports: 2
MAC Address: 00:1A:2B:3C:4D:20
| Port | Protocol | State | Service | Version |
|---|---|---|---|---|
| 1433 | tcp | open | ms-sql-s | Microsoft SQL Server 2019 15.00.4298 |
| 3306 | tcp | open | mysql | MySQL 8.0.32 |
OS: Linux 5.4 - 5.15 (95%)
Open Ports: 1
MAC Address: 00:1A:2B:3C:4D:21
| Port | Protocol | State | Service | Version |
|---|---|---|---|---|
| 3306 | tcp | open | mysql | MySQL 8.0.32 |
OS: Linux 5.4 - 5.15 (96%)
Open Ports: 2
MAC Address: 00:1A:2B:3C:4D:30
| Port | Protocol | State | Service | Version |
|---|---|---|---|---|
| 8080 | tcp | open | http | Apache Tomcat 9.0.65 |
| 8443 | tcp | open | ssl/https-alt | Apache Tomcat 9.0.65 |
OS: Linux 5.4 - 5.15 (96%)
Open Ports: 2
MAC Address: 00:1A:2B:3C:4D:31
| Port | Protocol | State | Service | Version |
|---|---|---|---|---|
| 8080 | tcp | open | http | Apache Tomcat 9.0.65 |
| 8443 | tcp | open | ssl/https-alt | Apache Tomcat 9.0.65 |
OS: Windows Server 2016 (94%)
Open Ports: 3
MAC Address: 00:1A:2B:3C:4D:40
| Port | Protocol | State | Service | Version |
|---|---|---|---|---|
| 139 | tcp | open | netbios-ssn | Microsoft Windows netbios-ssn |
| 445 | tcp | open | microsoft-ds | Windows Server 2016 Standard 14393 |
| 2049 | tcp | open | nfs | 3-4 (RPC #100003) |
OS: Linux 5.4 - 5.15 (95%)
Open Ports: 6
MAC Address: 00:1A:2B:3C:4D:50
| Port | Protocol | State | Service | Version |
|---|---|---|---|---|
| 25 | tcp | open | smtp | Postfix smtpd |
| 110 | tcp | open | pop3 | Dovecot pop3d |
| 143 | tcp | open | imap | Dovecot imapd 2.3.19 |
| 465 | tcp | open | ssl/smtp | Postfix smtpd |
| 587 | tcp | open | smtp | Postfix smtpd |
| 993 | tcp | open | ssl/imap | Dovecot imapd 2.3.19 |
OS: Linux 4.15 - 5.19 (94%)
Open Ports: 3
MAC Address: 00:1A:2B:3C:4D:60
| Port | Protocol | State | Service | Version |
|---|---|---|---|---|
| 443 | tcp | open | ssl/http | OpenVPN AS 2.11.3 |
| 500 | tcp | open | isakmp | |
| 1194 | tcp | open | openvpn | OpenVPN |
OS: HP printer (98%)
Open Ports: 4
MAC Address: 00:1A:2B:3C:4D:70
| Port | Protocol | State | Service | Version |
|---|---|---|---|---|
| 80 | tcp | open | http | HP Embedded Web Server |
| 443 | tcp | open | ssl/http | HP Embedded Web Server |
| 9100 | tcp | open | jetdirect | HP JetDirect |
| 515 | tcp | open | printer | HP LPD |
OS: Linux 4.4 - 4.19 (92%)
Open Ports: 3
MAC Address: 00:1A:2B:3C:4D:80
| Port | Protocol | State | Service | Version |
|---|---|---|---|---|
| 80 | tcp | open | http | Hikvision DS NVR httpd |
| 443 | tcp | open | ssl/http | Hikvision DS NVR httpd |
| 554 | tcp | open | rtsp | Hikvision DS NVR rtspd |
OS: Windows 10 Pro 22H2 (97%)
Open Ports: 2
MAC Address: 00:1A:2B:3C:4D:A0
| Port | Protocol | State | Service | Version |
|---|---|---|---|---|
| 22 | tcp | open | ssh | OpenSSH for Windows 9.5 (protocol 2.0) |
| 3389 | tcp | open | ms-wbt-server | Microsoft Terminal Services |