US military data exposed in leaky directory despite CISA notification

A directory containing over 70,000 files related to US military personnel, contractor records, and images from inside military bases has been discovered to be publicly accessible. The leaky directory remained exposed even after the Cybersecurity and Infrastructure Security Agency (CISA) was notified in 2024, as reported by Tech Radar.

The exposed data, belonging to US government contractor CMI Management Inc., was found via an open directory listing vulnerability following a tip to Cybernews. Files included schematics, personnel records, maintenance forms, emails, and internal photos of military bases. This leak poses significant risks, including potential phishing and impersonation attempts against military personnel, and could provide threat actors with detailed information about military base layouts and security vulnerabilities.

Despite CISA being alerted by security research Arkadeep Roy in 2024, the data remained accessible as of March 2026. This incident follows a recent CISA alert urging organizations to harden endpoint management systems following a cyberattack against a US organization.

Source: Tech Radar