CMI Management, a government contractor providing facility management for US Army installations, exposed tens of thousands of sensitive files through an unsecured open directory. The data remained accessible even after security researchers reported it to US-CERT.
The exposure was discovered on 16 March 2026 when a tip from independent security researcher Arkadeep Roy reached the Cybernews research team. Roy said he had already notified the US Computer Emergency Readiness Team (US-CERT), but the directory was still open at the time of the Cybernews investigation.
At least 70,000 files were accessible, drawn from a dataset that was being updated in real time. The vulnerability was an open directory listing misconfiguration, with no access controls on the exposed documents. Cybernews researchers traced the directory to CMI Management Inc., a long-standing US government contractor.
The exposed data covers material that would be useful to actors attempting to build detailed intelligence on US military sites. It includes photographs taken inside military bases, maintenance work orders, building schematics, and personally identifiable information for both military personnel and contractors. Structural schematics are particularly sensitive because they can reveal information that is not visible from aerial or satellite imagery.
The risk extends beyond physical infrastructure. The PII in the dataset creates a direct path to targeted phishing campaigns and social engineering attacks against individual service members, contractors, and by extension CMI Management itself.
Cybernews has published a full technical report at cybernews.com/security/army-contractor-leaks-military-base-data-year/ covering the extent of the exposure and the timeline of the disclosure process.