Executive Summary
A precision manufacturing company with approximately 120 employees and two facilities engaged a third-party security firm for a combined internal and external penetration test. The company had never undergone a formal security assessment and was prompted to do so after a competitor in their industry suffered a ransomware attack that halted production for three weeks.
During the external phase of the assessment, the testing team discovered a VPN appliance that had been installed two years earlier by a third-party equipment vendor and never decommissioned. The device was still powered on, connected to the internet, and running firmware with multiple known vulnerabilities. From that single forgotten device, testers were able to:
- Gain remote access to the internal corporate network from the internet
- Capture Active Directory credentials using protocol-level attacks on the flat internal network
- Crack a domain service account password in under four minutes and escalate to full Domain Administrator privileges
- Pivot from the office network directly onto the production floor, reaching programmable logic controllers (PLCs) and HMI workstations with no authentication barriers
The company's IT manager had no knowledge that the VPN appliance existed. No one on staff knew it was possible to reach production floor systems from the office network. All 14 critical and high-severity findings were remediated within 90 days, including full network segmentation between IT and OT environments.
The Client
The company manufactures precision-machined components for the aerospace and automotive industries. Their two facilities -- a corporate office and a 60,000-square-foot production plant -- are located in the same industrial park and connected by a fiber link. The company processes controlled technical data under ITAR regulations and had recently begun pursuing CMMC Level 2 certification.
The IT manager, who also served as the sole IT staff member, had been with the company for eight years. He managed everything from desktop support to the firewall. When their competitor was hit by ransomware, leadership authorized the assessment.
"After we saw what happened to [the competitor], our CEO walked into my office and said, 'I need to know if that could happen to us.' I told him I was 90% sure we were fine. I was wrong about the other 10%." -- IT Manager
The Engagement
Senior security engineer Jake Torres led the assessment, starting with an external reconnaissance phase before moving to the on-site internal test. The external perimeter scan revealed something unexpected almost immediately.
A device nobody knew about
During the external scan, Jake identified a SonicWall TZ300 VPN appliance responding on a public IP address that didn't appear in any of the company's documentation. The device was running firmware from 2019 and had its management interface exposed directly to the internet.
"I flagged it in the first hour and asked the IT manager about it. He had no idea it was there. Turns out, an equipment vendor had installed it two years earlier to remotely configure a new CNC machine, and it was never removed. Nobody remembered it existed." -- Jake Torres, Senior Security Engineer
A SonicWall TZ300 running outdated firmware (multiple known CVEs) was discovered on the external perimeter. The device was installed by a third-party vendor and never inventoried or managed by IT. Default management credentials were still active.
The VPN appliance had default credentials on its management interface. Once authenticated, Jake was able to establish a VPN tunnel directly into the internal corporate network from outside the building. In a real attack scenario, any threat actor scanning the internet for exposed SonicWall devices -- a common automated activity -- could have done the same.
Capturing credentials off the wire
Once on the internal network, the assessment moved to the on-site phase. The corporate and production networks were on a single flat subnet with no segmentation. Jake deployed standard protocol-level attacks targeting LLMNR and NetBIOS name resolution -- the single most common finding in internal network penetration tests -- and captured NTLMv2 credential hashes within minutes.
Legacy name resolution protocols (LLMNR, NetBIOS-NS) were enabled across the network, allowing an attacker in any network position to intercept authentication requests and capture password hashes from domain-joined workstations.
Four minutes to Domain Admin
Among the captured hashes was a service account called svc_backup. This account had been created years ago to run a backup utility and had been granted Domain Administrator privileges -- a common shortcut in environments where a single IT person manages everything and convenience often wins over security.
Jake ran the captured hash through an offline password cracking tool. The password was cracked in three minutes and forty-two seconds.
"The password was the company name followed by the year it was created and an exclamation point. That's a pattern we see constantly. It meets complexity requirements on paper, but it takes seconds to crack with modern hardware. And because it was a service account, the password had never been rotated." -- Jake Torres, Senior Security Engineer
The svc_backup service account held Domain Administrator privileges with a password that was cracked offline in under four minutes. The password had never been changed since the account was created. The account was configured with a non-expiring password.
From the office to the production floor
With Domain Admin credentials, Jake had full control of the Active Directory environment. But the most alarming discovery came when he turned his attention to the production network.
Because there was no segmentation between the corporate IT network and the operational technology (OT) network on the production floor, Jake was able to reach HMI (Human-Machine Interface) workstations and programmable logic controllers directly from an office workstation. Two of the HMI systems were running Windows 7 Embedded with no security updates and no endpoint protection. The PLCs themselves accepted commands with no authentication.
No segmentation existed between the corporate IT network and the OT production environment. HMI workstations running end-of-life Windows 7 and PLCs with no authentication were directly reachable from any device on the corporate network.
Account manager Lisa Park was present when the findings were demonstrated to the company's leadership team.
"When Jake showed them he could reach the PLCs from a laptop in the conference room, the plant manager's face went white. He said, 'You could have shut down every machine on the floor.' And Jake said, 'Yes. From the parking lot, actually, through that VPN.' That's the moment it clicked for everyone in the room." -- Lisa Park, Account Manager
Shadow IT across the production floor
The assessment also uncovered several instances of unauthorized remote access software. TeamViewer was installed on three HMI workstations with simple four-digit unattended access passwords. When asked, the plant manager explained that maintenance technicians had installed it so they could check machine status from home on weekends. IT had never been informed.
TeamViewer with weak unattended access passwords was installed on three HMI workstations without IT knowledge. These installations provided an additional unauthenticated remote access path to production systems.
The Impact
The assessment revealed that a complete compromise of the company's entire infrastructure -- from domain control to production floor shutdown -- was achievable from the public internet through a device nobody knew existed. The total time from initial access to Domain Admin was under 30 minutes. The path to the production floor took an additional five minutes.
For a company processing ITAR-controlled data and pursuing CMMC certification, the implications extended beyond operational risk. An actual breach of this nature could have resulted in:
- Weeks of production downtime (their competitor's recovery took 22 days)
- Loss of ITAR compliance and potential debarment from government contracts
- Theft of proprietary manufacturing processes and controlled technical data
- Physical safety risks from unauthorized modification of PLC programming
- Ransomware encryption of both IT and OT systems simultaneously
- Insurance claim denial due to unmanaged perimeter devices
The Remediation
90-Day Remediation Timeline
- Day 1: Forgotten VPN appliance physically disconnected and decommissioned. TeamViewer removed from all OT workstations.
- Weeks 1-2: Comprehensive asset inventory conducted across both facilities. Three additional unknown devices discovered and cataloged.
- Weeks 2-4: LLMNR and NetBIOS name resolution disabled network-wide. All service account passwords rotated to 24+ character randomized strings. Domain Admin privileges removed from service accounts and replaced with minimum-required permissions.
- Weeks 4-8: Network segmented into four zones: corporate IT, production OT, management (for HMI access), and guest/IoT. Industrial firewall deployed between IT and OT with strict allowlisting.
- Weeks 8-12: Endpoint detection and response deployed to all IT systems. OT-specific monitoring implemented for anomalous PLC communication. Vendor access policy created requiring IT approval and time-limited VPN credentials.
- Week 13: Validation test performed. All critical and high-severity findings confirmed remediated.
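As an added defender-side example (not part of the engagement or the testing firm's tooling), the PowerShell script below audits a domain for the conditions behind the svc_backup and name-resolution findings that the timeline above remediates: Domain Admin members with non-expiring or stale passwords, the LLMNR policy value, and NetBIOS over TCP/IP on each adapter. It assumes the ActiveDirectory RSAT module is available on a domain-joined management host; the 365-day staleness threshold is an assumed value.

```powershell
# Added audit example; assumes the ActiveDirectory (RSAT) module and read access to AD.
Import-Module ActiveDirectory

# 1. Privileged accounts whose password never expires or has not been set in a year
#    (the svc_backup pattern: a service account in Domain Admins that was never rotated).
$maxAge = (Get-Date).AddDays(-365)   # assumed threshold
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties PasswordNeverExpires, PasswordLastSet, ServicePrincipalName

$stale = $privileged | Where-Object {
    $_.PasswordNeverExpires -or $_.PasswordLastSet -lt $maxAge
}
"Domain Admin accounts with non-expiring or stale passwords: $($stale.Count)"
$stale | Select-Object SamAccountName, PasswordNeverExpires, PasswordLastSet,
    @{ n = 'HasSPN'; e = { $_.ServicePrincipalName.Count -gt 0 } } |   # SPN = likely service account
    Format-Table -AutoSize

# 2. LLMNR is disabled only when the policy value EnableMulticast = 0 is present.
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
if ($llmnr -eq 0) {
    'LLMNR: disabled by policy'
} else {
    'LLMNR: ENABLED (no policy value found) - set EnableMulticast=0 via GPO'
}

# 3. NetBIOS over TCP/IP per adapter: TcpipNetbiosOptions 2 means disabled.
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, @{ n = 'NetBIOS'; e = {
        switch ($_.TcpipNetbiosOptions) {
            0 { 'DHCP default (usually enabled)' }
            1 { 'enabled' }
            2 { 'disabled' }
            default { 'unknown' }
        }
    } } | Format-Table -AutoSize
```

Run the script on each domain-joined host to confirm the LLMNR and NetBIOS settings actually applied after the GPO change; the AD query only needs to run once.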
"The part that kept me up at night wasn't the VPN. It was the fact that I'd been here eight years and never knew the production floor was on the same network as my office. We were one phishing email away from someone shutting down our machines." -- IT Manager
What Could Have Happened
Ransomware operators specifically target manufacturing companies because production downtime creates immediate financial pressure to pay. In 2025, manufacturing was the most targeted sector for ransomware globally. The median downtime for a manufacturing ransomware incident was 21 days, with average total costs exceeding $2.5 million including lost production, recovery, and regulatory consequences.
This company's lack of IT/OT segmentation meant that a single ransomware infection on an office workstation could have encrypted production floor systems simultaneously -- a scenario that has played out at dozens of manufacturing firms in the past two years.
Instead, they found the gaps before an attacker did.
Do You Know What's Connected to Your Network?
Shadow IT and forgotten devices create attack paths that no firewall can block. Find out what's really on your network before someone else does.