Company Details
hampton
11,130
47,584
7211
hilton.com
0
HAM_2425343
In-progress

Hampton Company CyberSecurity Posture
hilton.com
The Hampton brand, including Hampton Inn, Hampton Inn & Suites and Hampton by Hilton, is an award-winning leader in the upper-midscale hotel segment. With more than 2,700 properties in 32 countries globally, Hampton is part of Hilton Worldwide, the leading global hospitality company. All Hampton Hotels offer warm surroundings and a friendly service culture and personality, defined as “Hamptonality,” supported by its 100% Satisfaction Guarantee. High-quality accommodations, in-room conveniences and the latest technology, combined with numerous locations and consistent offerings, have made Hampton a leader in its segment and one of the fastest growing hotel brands. For more information please visit: www.hampton.com, www.hamptonfranchise.com, news.hampton.com, www.hiltonworldwide.com/careers/. To connect with us on social please visit: www.facebook.com/hampton, www.twitter.com/hampton, www.youtube.com/hampton.
Between 750 and 799

Hampton Global Score (TPRM): XXXX

Description: Hilton Worldwide Holdings, a hotel group, revealed that credit card information was stolen by cybercriminals from a few of its point-of-sale systems. Executive vice president of Hilton Global Brands Jim Holthouser claims that malware compromised PoS systems, enabling hackers to obtain client information such as credit card numbers, expiration dates, security codes, and names of credit card holders. In certain point-of-sale systems, unauthorised malware that targeted credit card information has been found and removed by Hilton Worldwide. It was discovered that the data breach did not expose the customers' addresses or personal identification numbers.
Description: In November 2015, the California Office of the Attorney General disclosed that Hilton Worldwide suffered a **malware-driven data breach** targeting its **point-of-sale (POS) systems**. The attack compromised **payment card data** of customers who made transactions at Hilton hotels during two distinct periods: **November 18–December 5, 2014**, and **April 21–July 27, 2015**. The exposed information included **cardholder names, payment card numbers, security codes, and expiration dates**, though **addresses and PINs remained unaffected**. The breach stemmed from unauthorized malware infiltrating Hilton’s POS environment, enabling attackers to harvest sensitive financial details during transactions. While the exact number of affected customers was not specified, the prolonged exposure window heightened risks of **fraudulent card activity, identity theft, and financial losses** for victims. Hilton took remedial actions, including **enhancing payment security protocols** and collaborating with law enforcement. However, the incident underscored vulnerabilities in hospitality sector cybersecurity, particularly in safeguarding **customer financial data** against evolving malware threats. The breach did not involve ransomware or broader systemic disruptions but focused solely on **payment card exploitation** during the specified timeframes.
Description: The Hilton hotel chain was accused of improperly handling two distinct cyberattacks that resulted in the exposure of its customers' financial information, and as a result, it agreed to pay Vermont and New York $700,000. According to the inquiry, thieves put denial-of-service malware on Hilton's payment systems, which would have exposed cardholders' personal information. The business is held accountable for the customers' delayed notice and is charged with having a payment method with inadequate security. Hilton will improve the security of its payment systems and internal incident response protocols as part of the settlement.
Description: The credit card details of numerous customers were leaked after common point-of-sale registers in gift shops and restaurants at a large number of Hilton Hotels were compromised. Hilton hotel apologized to all the customers and investigated the incident with the data security team. The hotel was also fined $700K for the breach.


No incidents recorded for Hampton in 2025.
Hampton cyber incidents detection timeline including parent company and subsidiaries


Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
The official website of Hampton is http://www.hampton.com.
According to Rankiteo, Hampton’s AI-generated cybersecurity score is 790, reflecting their Fair security posture.
According to Rankiteo, Hampton currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.
According to Rankiteo, Hampton is not certified under SOC 2 Type 1.
According to Rankiteo, Hampton does not hold a SOC 2 Type 2 certification.
According to Rankiteo, Hampton is not listed as GDPR compliant.
According to Rankiteo, Hampton does not currently maintain PCI DSS compliance.
According to Rankiteo, Hampton is not compliant with HIPAA regulations.
According to Rankiteo, Hampton is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.
Hampton operates primarily in the Hospitality industry.
Hampton employs approximately 11,130 people worldwide.
Hampton presently has no subsidiaries across any sectors.
Hampton’s official LinkedIn profile has approximately 47,584 followers.
Hampton is classified under the NAICS code 7211, which corresponds to Traveler Accommodation.
No, Hampton does not have a profile on Crunchbase.
Yes, Hampton maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement and can be accessed here: https://www.linkedin.com/company/hampton.
As of December 11, 2025, Rankiteo reports that Hampton has experienced 4 cybersecurity incidents.
Hampton has an estimated 13,820 peer or competitor companies worldwide.
Incident Types: The types of cybersecurity incidents that have occurred include Breach.
Total Financial Loss: The total financial loss from these incidents is estimated to be $700 thousand.
Detection and Response: The company detects and responds to cybersecurity incidents through a communication strategy of apologizing to customers, containment measures of removing malware from point-of-sale systems, and remediation measures of improving the security of payment systems and enhancing internal incident response protocols.
Title: Hilton Hotel Credit Card Data Breach
Description: The credit card details of numerous customers were leaked after common point-of-sale registers in gift shops and restaurants at a large number of Hilton Hotels were compromised.
Type: Data Breach
Attack Vector: Point-of-Sale System

Title: Hilton Worldwide Credit Card Data Breach
Description: Credit card information was stolen by cybercriminals from a few of Hilton Worldwide Holdings' point-of-sale systems due to malware.
Type: Data Breach
Attack Vector: Malware
Vulnerability Exploited: Point-of-Sale Systems
Threat Actor: Cybercriminals
Motivation: Financial Gain

Title: Hilton Hotel Chain Data Breach and Malware Attack
Description: The Hilton hotel chain was accused of improperly handling two distinct cyberattacks that resulted in the exposure of its customers' financial information, and as a result, it agreed to pay Vermont and New York $700,000.
Type: data breach
Attack Vector: denial-of-service malware
Vulnerability Exploited: inadequate security of payment systems
Threat Actor: thieves

Title: Hilton Worldwide Payment Card Data Breach (2014-2015)
Description: The California Office of the Attorney General reported that Hilton Worldwide experienced a data breach due to unauthorized malware targeting payment card information in point-of-sale systems. The breach affected customers who used payment cards at Hilton hotels between November 18, 2014, and December 5, 2014, and between April 21, 2015, and July 27, 2015. The compromised information included cardholder names, payment card numbers, security codes, and expiration dates, but not addresses or PINs.
Date Publicly Disclosed: 2015-11-24
Type: Data Breach
Attack Vector: Malware (Point-of-Sale Systems)
Common Attack Types: The most common type of attack the company has faced is Breach.
Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Point-of-Sale Registers and Point-of-Sale Systems.

Data Compromised: Credit Card Details
Systems Affected: Point-of-Sale Registers
Legal Liabilities: Fined $700K
Payment Information Risk: High

Data Compromised: Credit card numbers, Expiration dates, Security codes, Names of credit card holders
Systems Affected: Point-of-Sale Systems
Payment Information Risk: True

Financial Loss: $700,000 in fines
Data Compromised: Customers' financial information
Systems Affected: payment systems
Legal Liabilities: charged with delayed notice and inadequate security
Payment Information Risk: high

Data Compromised: Cardholder names, Payment card numbers, Security codes, Expiration dates
Systems Affected: Point-of-Sale (PoS) systems
Identity Theft Risk: High (payment card details exposed)
Payment Information Risk: High (card numbers, security codes, expiration dates compromised)
Average Financial Loss: The average financial loss per incident is $175.00 thousand.
Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Credit Card Details, Credit Card Numbers, Expiration Dates, Security Codes, Names Of Credit Card Holders, Financial Information, Payment Card Data and Personally Identifiable Information (PII).

Entity Name: Hilton Worldwide Holdings
Entity Type: Hotel Group
Industry: Hospitality

Entity Name: Hilton
Entity Type: corporation
Industry: hospitality

Entity Name: Hilton Worldwide
Entity Type: Hospitality
Industry: Hotel and Resort
Location: Global (primarily U.S. properties)

Communication Strategy: Apologized to customers

Containment Measures: Malware removed from point-of-sale systems

Remediation Measures: improve the security of payment systems, enhance internal incident response protocols

Type of Data Compromised: Credit Card Details
Sensitivity of Data: High

Type of Data Compromised: Credit card numbers, Expiration dates, Security codes, Names of credit card holders
Sensitivity of Data: High

Type of Data Compromised: financial information
Sensitivity of Data: high

Type of Data Compromised: Payment card data, Personally identifiable information (pii)
Sensitivity of Data: High
Data Exfiltration: Yes (malware exfiltrated card data)
Personally Identifiable Information: Cardholder names
Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: improve the security of payment systems, enhance internal incident response protocols.
Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through malware removal from point-of-sale systems.

Fines Imposed: $700K

Fines Imposed: $700,000

Regulatory Notifications: California Office of the Attorney General

Source: California Office of the Attorney General
Date Accessed: 2015-11-24
Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at: Source: California Office of the Attorney General; Date Accessed: 2015-11-24.

Investigation Status: Investigated by data security team
Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders by apologizing to customers.

Entry Point: Point-of-Sale Registers

Entry Point: Point-of-Sale Systems

High Value Targets: Payment Card Data
Data Sold on Dark Web: Payment Card Data

Root Causes: Malware compromised PoS systems
Corrective Actions: Malware removed from point-of-sale systems

Root Causes: Inadequate Security Of Payment Systems, Delayed Notice To Customers
Corrective Actions: Improve The Security Of Payment Systems, Enhance Internal Incident Response Protocols
Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Malware removed from point-of-sale systems, Improve The Security Of Payment Systems, Enhance Internal Incident Response Protocols.
Last Attacking Group: The attacking groups in the last incident were Cybercriminals and thieves.
Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2015-11-24.
Highest Financial Loss: The highest financial loss from an incident was $700,000 in fines.
Most Significant Data Compromised: The most significant data compromised in an incident were Credit Card Details, Credit card numbers, Expiration dates, Security codes, Names of credit card holders, customers' financial information, Cardholder names, Payment card numbers, Security codes and Expiration dates.
Most Significant System Affected: The most significant system affected in an incident was Point-of-Sale (PoS) systems.
Containment Measures in Most Recent Incident: The containment measure taken in the most recent incident was Malware removed from point-of-sale systems.
Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Names of credit card holders, Cardholder names, Security codes, customers' financial information, Credit Card Details, Expiration dates, Payment card numbers and Credit card numbers.
Highest Fine Imposed: The highest fine imposed for a regulatory violation was $700K, $700,000.
Most Recent Source: The most recent source of information about an incident is California Office of the Attorney General.
Current Status of Most Recent Investigation: The current status of the most recent investigation is Investigated by data security team.
Most Recent Entry Point: The most recent entry points used by an initial access broker were Point-of-Sale Registers and Point-of-Sale Systems.
Most Significant Root Cause: The most significant root causes identified in post-incident analysis were Malware compromised PoS systems, inadequate security of payment systems, delayed notice to customers.
Most Significant Corrective Action: The most significant corrective actions taken based on post-incident analysis were Malware removed from point-of-sale systems, improve the security of payment systems, enhance internal incident response protocols.