CMI Management Inc.: More than 70,000 US Army files were exposed ‘for over a year’ even after CISA warning – sensitive personnel info and base schematics stored in vulnerable Open Directory Listing

US Military Data Leak Exposes 70,000 Files via Unsecured Directory

In April 2026, researchers at Cybernews uncovered a leaky directory containing over 70,000 sensitive files related to US military personnel, contractors, and internal base infrastructure. The exposed dataset, belonging to government contractor CMI Management Inc. (a subsidiary of Dexterra Group), included maintenance records, staff emails, internal photos of military bases, and schematics some of which could enable threat actors to map vulnerabilities in secure facilities.

The vulnerability stemmed from an Open Directory Listing flaw, allowing unrestricted access to the files. Despite being notified by security researcher Arkadeep Roy in 2024, the directory remained exposed for over a year, with Cybernews confirming its active leak as recently as March 2026. The firm reported the issue to CISA and CMI Management on 18 March 2026, though no immediate response was received.

The breach poses significant risks, including phishing, impersonation, and unauthorized access to military installations. The exposure of base schematics and internal imagery could further aid adversaries in identifying structural or security weaknesses. Cybernews researchers noted that the incident highlights persistent gaps in securing sensitive military data, even after authorities are alerted.

The leak follows a March 2026 CISA alert on hardening endpoint systems, issued in response to the Stryker Corporation cyberattack. CMI Management, which provides facility services to government agencies, has not publicly addressed the breach.

Source: https://www.techradar.com/pro/security/more-than-70-000-us-army-files-were-exposed-for-over-a-year-even-after-cisa-warning-sensitive-personnel-info-and-base-schematics-stored-in-vulnerable-open-directory-listing

CMI Management cybersecurity rating report: https://www.rankiteo.com/company/cmi-management

"id": "CMI1778163944",
"linkid": "cmi-management",
"type": "Breach",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"

{'affected_entities': [{'customers_affected': 'US military personnel, '
                                              'contractors, and internal base '
                                              'infrastructure',
                        'industry': 'Defense/Facility Services',
                        'location': 'United States',
                        'name': 'CMI Management Inc. (Dexterra Group '
                                'subsidiary)',
                        'type': 'Government Contractor'}],
 'attack_vector': 'Open Directory Listing flaw',
 'data_breach': {'number_of_records_exposed': '70,000 files',
                 'personally_identifiable_information': 'Staff emails, '
                                                        'personnel data',
                 'sensitivity_of_data': 'High (military and personnel-related)',
                 'type_of_data_compromised': ['Maintenance records',
                                              'Staff emails',
                                              'Internal photos of military '
                                              'bases',
                                              'Schematics']},
 'date_detected': '2026-04',
 'date_publicly_disclosed': '2026-04',
 'description': 'Researchers at Cybernews uncovered a leaky directory '
                'containing over 70,000 sensitive files related to US military '
                'personnel, contractors, and internal base infrastructure. The '
                'exposed dataset included maintenance records, staff emails, '
                'internal photos of military bases, and schematics that could '
                'enable threat actors to map vulnerabilities in secure '
                'facilities. The vulnerability stemmed from an Open Directory '
                'Listing flaw, and the directory remained exposed for over a '
                'year despite prior notification.',
 'impact': {'brand_reputation_impact': 'Potential damage to CMI Management '
                                       'Inc. and US military',
            'data_compromised': '70,000 files',
            'identity_theft_risk': 'High (exposure of staff emails and '
                                   'personnel data)',
            'operational_impact': 'Risk of phishing, impersonation, and '
                                  'unauthorized access to military '
                                  'installations',
            'systems_affected': 'Unsecured directory'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Highlights persistent gaps in securing sensitive military '
                    'data, even after authorities are alerted.',
 'post_incident_analysis': {'root_causes': 'Open Directory Listing flaw, '
                                           'delayed remediation despite prior '
                                           'notification'},
 'recommendations': 'Immediate remediation of unsecured directories, enhanced '
                    'monitoring, and stricter access controls for sensitive '
                    'military data.',
 'references': [{'date_accessed': '2026-04', 'source': 'Cybernews'}],
 'regulatory_compliance': {'regulatory_notifications': 'Reported to CISA'},
 'response': {'communication_strategy': 'No public response from CMI '
                                        'Management'},
 'stakeholder_advisories': 'CISA alert on hardening endpoint systems (March '
                           '2026)',
 'title': 'US Military Data Leak Exposes 70,000 Files via Unsecured Directory',
 'type': 'Data Leak',
 'vulnerability_exploited': 'Unsecured directory with unrestricted access'}