Himaja Motheram, a security researcher at threat intelligence firm Censys, added: “While attackers do exploit traditional software flaws, the bigger concern in critical infrastructure is the widespread availability of insecure, internet-facing systems that provide direct access to essential services without proper access controls.”
One of the most overlooked fundamental issues is the sheer number of critical systems, such as water treatment interfaces or medical imaging systems, that are exposed to the public internet with either no authentication or default/weak credentials, according to Sparrow’s Lei.
“In these cases, attackers don’t even need to leverage exploits; they can simply log in,” Lei explained. “The core problem isn’t just a particular class of vulnerability; it’s the systemic exposure and accessibility of sensitive systems that should never be directly reachable in the first place.”
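The exposure triage described above, as an added example that is not code from Censys, Sparrow or this article: given an inventory of internet-facing services, it flags interfaces that challenge for no credentials at all, then tries a vendor-default credential list against the rest through an injected `login` callable. Every host, product name and credential pair below is constructed, and the `simulated_login` stand-in replaces real network access so the logic runs offline; against real assets it would be run only with authorization.

```python
"""Exposure triage for internet-facing OT/medical interfaces (added example).

All hosts (TEST-NET addresses), product names and credential pairs are
constructed. Nothing is scanned: the `login` callable is injected, so the
triage logic can be exercised offline against a simulated target.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed vendor-default credential table keyed by (hypothetical) product.
DEFAULT_CREDS: Dict[str, List[Tuple[str, str]]] = {
    "AcmeSCADA-HMI": [("admin", "admin"), ("operator", "operator")],
    "ImagingViewer": [("service", "service")],
}


@dataclass
class Service:
    host: str
    port: int
    product: str
    requires_auth: bool  # does the interface challenge for credentials at all?


@dataclass
class Finding:
    host: str
    port: int
    severity: str
    detail: str


LoginFn = Callable[[Service, str, str], bool]


def triage(services: List[Service], login: LoginFn,
           creds: Dict[str, List[Tuple[str, str]]] = DEFAULT_CREDS) -> List[Finding]:
    """Classify each exposed service by how little an attacker needs to get in."""
    findings: List[Finding] = []
    for svc in services:
        if not svc.requires_auth:
            # No login step at all: "they can simply log in" without even a credential.
            findings.append(Finding(svc.host, svc.port, "critical",
                                    "reachable from the internet with no authentication"))
            continue
        for user, pw in creds.get(svc.product, []):
            if login(svc, user, pw):
                findings.append(Finding(svc.host, svc.port, "critical",
                                        f"accepts vendor default credentials {user}:{pw}"))
                break
        else:
            # Defaults rejected, but a sensitive interface should not be directly
            # reachable in the first place, so it is still reported.
            findings.append(Finding(svc.host, svc.port, "high",
                                    "internet-exposed; defaults rejected but should "
                                    "not be directly reachable"))
    return findings


# Simulated targets: which credential pairs each constructed host would accept.
SIMULATED_ACCEPTED: Dict[str, set] = {
    "198.51.100.10": {("admin", "admin")},
    "198.51.100.11": set(),
}


def simulated_login(svc: Service, user: str, pw: str) -> bool:
    """Offline stand-in for an HTTP/form/telnet login attempt."""
    return (user, pw) in SIMULATED_ACCEPTED.get(svc.host, set())


# Constructed inventory of internet-facing interfaces.
SAMPLE: List[Service] = [
    Service("198.51.100.10", 80, "AcmeSCADA-HMI", True),
    Service("198.51.100.11", 8080, "ImagingViewer", True),
    Service("198.51.100.12", 502, "ModbusGateway", False),
]


def run_sample() -> List[Finding]:
    return triage(SAMPLE, simulated_login)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.severity:8} {f.host}:{f.port}  {f.detail}")
```

Swapping `simulated_login` for a function that performs a real authentication attempt (and `SAMPLE` for a list pulled from an asset inventory or scan export) turns this into the check a defender would run against their own perimeter; the classification logic does not change.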