- Leaked directory containing US military data discovered in 2024
- Cybernews received information regarding the directory and launched an investigation
- Leaked directory remained accessible despite CISA notification
A directory containing more than 70,000 files relating to military personnel files, contractor files and images taken at military bases has been discovered.
Researchers from Cybernews were informed of the leaked directory and investigated its contents.
Although the Cybersecurity and Infrastructure Security Agency (CISA) was notified by security researcher Arkadeep Roy in 2024, the dataset remained exposed and actively leaking in April 2026.
Exposed schematics and personal files
Cybernews discovered that the dataset was exposed via an Open Directory list vulnerability. The directory also lacked sufficient security controls. It turned out that the directory belonged to CMI Management Inc., a U.S. government contractor that is part of the Dexterra Group.
According to the CMI Management website, the company specializes in providing services related to government facilities. The website states: “Over the years, CMI has successfully managed a wide range of government facilities, from training centers to critical operations. »
The files were initially discovered in 2024 and CISA was notified the same year. On March 16, 2026, Cybernews was informed of the exposed database and launched an investigation the next day. Cybernews confirmed the directory leak and reported it to CMI Management and CISA on March 18, 2026.
Cybernews has shared a number of examples of images that have been heavily redacted to censor private information. Images include maintenance forms, emails between staff, and photos of internal infrastructure. Cybernews alerted CMI management of the directory leak but did not immediately receive a response.
Leaking sensitive personnel and contractor information could expose current and former U.S. military personnel to phishing or identity theft attempts, or personnel details could be used to gain unauthorized access to military installations.
The leak of internal photos and base diagrams of U.S. military bases is particularly concerning, as they could be used by malicious actors to create detailed maps of U.S. military bases and identify weak points in their structure and security.
“The data leak is concerning because sensitive U.S. military data was stored insecurely for more than a year, even after CISA was reportedly notified. This means that even when it comes to the military and its installations, it is all too common to find data stored insecurely, and remediation efforts are not prioritized even after notifying the appropriate authorities,” the Cybernews research team said.
Following the Stryker Corporation cyberattack, CISA issued an alert in March 2026 with guidance on how organizations should harden endpoint management system configurations to defend against malicious cyber activity.
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.
