
Summary

Over the past two years, cyberattacks against the U.S. energy sector have surged, fueled by accelerating digital transformation and intensifying geopolitical conflicts. SixMap’s latest external attack surface assessment of the nation’s largest energy firms uncovered thousands of vulnerable services—many running on non-standard ports invisible to traditional security tools. These blind spots, increasingly linked to the vastly expanded use of shadow IT in enterprise networks, present systemic risks that adversaries are actively exploiting. As the sector undergoes an unprecedented wave of mergers and acquisitions, these vulnerabilities take on added urgency: Every integration of networks, assets, and operational technologies risks importing unseen security gaps from acquisition targets. For strategic buyers, managing inherited cyber-physical risks is becoming as critical to deal success as financial due diligence.


August research from external attack surface management (EASM) vendor SixMap evaluated the public-facing security postures of the 21 largest American energy firms and uncovered some alarming security oversights. The blue-chip firms audited by SixMap include Exxon Mobil Corporation, Chevron Corporation, and ConocoPhillips.

SixMap’s findings are backdropped by a cyber-threat landscape where cyberattacks targeting energy-sector firms have surged over the last two years, according to recent vendor research.

To put the energy sector threat environment in perspective, a July 2024 survey by Sophos found that 67% of global IT leaders from the energy, oil/gas, and utilities sector reported that their organizations had suffered a ransomware attack in the last year. More recently, Check Point reported that cyberattacks targeting the Energy & Utilities sector surged by 26% in Q2 2025 compared to the same quarter of the previous year.

The public-facing security postures assessed by SixMap encompass “all domains and IP addresses, across both the IPv4 and IPv6 spaces, that belong to each organization,” they said. In total, SixMap identified 39,986 hosts with 58,862 services exposed to the Internet, according to the report.

Hosts and Ports

A "host" refers to any computer, server, or device that is connected to a network and participates in network communication by sending or receiving data, services, or resources. Hosts have unique network addresses (such as IP or MAC addresses) that allow them to be identified and contacted within the network.

After logging all of the hosts, SixMap “inspected all 65,535 ports on each host to identify all the services exposed to the web,” according to the report. That is to say each host, by design, has a finite limit of 65,535 ports. Ports can be thought of as virtual gateways within a network.

Specifically, a port is “used to differentiate among different applications using the same network interface,” according to an IBM explainer. Cloudflare notes that “ports are a transport layer (layer 4) concept,” citing the Open Systems Interconnection (OSI) model, which standardized the seven-layer framework that segments the different vectors computer systems use to communicate and transfer data over a network.

Only a “transport protocol such as the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) can indicate which port” data should flow to, according to Cloudflare. Because TCP and UDP headers carry 16-bit source and destination port fields, port numbers can only be “represented in the range of 0 to 65535 (the maximum decimal number that can be represented on 16 bits),” according to IT security training platform How to Network.

Additionally, a port can be either “open,” meaning it accepts incoming traffic from outside the network, or closed, meaning it ignores or rejects incoming traffic. Open ports are vital because they “enable essential functions, such as file sharing, email, and remote management,” according to a SecurityScorecard explainer.

However, “insecure ports or common open ports, such as Port 23 (Telnet), can expose systems to attacks if proper security configurations do not protect them,” SecurityScorecard said. A June 2025 SecurityScorecard blog post further noted that “open ports still rank among the most exploited security flaws, not because the concept is new, but because network port security practices remain inconsistent across enterprises and vendors.”

In SixMap’s latest port-scanning research, the vendor fingerprinted each identified service to “document the vendor, software product, and exact version in use.” SixMap used this data to determine whether there are known common vulnerabilities and exposures (CVEs) associated with those exposed service instances, according to the report.

Methodology

SixMap noted that they are “uniquely positioned to collect and analyze this dataset” for three primary reasons. Firstly, the security firm “owns and operates an Internet Service Provider (ISP), which enables exposure assessments to run in an efficient way that provides comprehensive” and highly accurate data.

Secondly, SixMap said they leverage a technique called “Computational Mapping to enable precise host discovery across the IPv4 and IPv6 address spaces.” This technique routinely discovers IPv6 addresses that SixMap’s customers were unaware they were even hosting on their networks, the vendor said.

Thirdly, SixMap inspected “all 65,535 ports on each asset.” By scanning every port on each host, SixMap was able to uncover “many exposed services that would not be detected through typical tooling that only checks the top 1,000 to 5,000 most commonly used ports,” according to the report.

Glaring Vulnerabilities

SixMap found that roughly 7% (3,910) of all “exposed services are running on non-standard ports beyond the top 5,000 most commonly used ports.” According to SixMap, these “exposures represent potential blind spots, as non-standard ports fall outside the scope of traditional attack surface management and vulnerability management tools.”

In total, SixMap discovered 5,756 vulnerable services with CVEs across all exposed instances. SixMap detected many of these CVEs numerous times, according to the report. SixMap said these multi-detections were “true in two ways: several instances of the same CVE within the same organization’s environment and several detections of the same CVE in the external attack surfaces of multiple different organizations.”

Of the 5,756 CVEs detected, SixMap said 377 are “known to be exploited in the wild, meaning the presence of those CVEs introduces a serious risk and high likelihood of exploitation.” Drilling deeper into these findings, SixMap uncovered a “total of 304 vulnerable services (231 unique CVE IDs) running on non-standard ports.”

Twenty-one of those CVEs are “known to be exploited by specific threat groups” and may “represent a major challenge for the energy sector, as many industry-standard exposure management products only scan the top 5,000 most common ports by default.”

SixMap noted, “if a vulnerable service is running on a non-standard port, it would not be detected by these traditional tools, leaving a high-risk CVE invisible to the security team.” This is significant for two reasons. First, shadow IT—the “unauthorized use of any digital service or device that is not formally approved and supported by the IT department”—has proliferated across enterprises, according to CrowdStrike.

This trend started after the Covid-19 pandemic, as many organizations were forced to accommodate more remote and hybrid working arrangements. Thus, many shadow IT hosts are actually personal employee devices that may expose unguarded network intrusion vectors via non-standard ports. Traditional port scanning tools often fail to detect ports associated with shadow IT assets, according to SixMap.

Second, numerous enterprise security decision makers have quietly shifted business-critical services to non-standard ports as part of a “security through obscurity” strategy, according to network security firm SonicWall. They do so because cybercriminals frequently target the ports more commonly associated with hosting business-critical services.

Specifically, threat actors will use legitimate pentesting tools like Nmap and Shodan to scan target networks for open ports and enumerate the services and service versions running on them to see if any are readily exploitable.

Non-Standard Ports

The malicious use of non-standard ports is classified as ATT&CK® Technique T1571 by the non-profit cybersecurity framework authority MITRE. MITRE provides the following definition for this technique: “Adversaries may communicate using a protocol and port pairing that are typically not associated” or “make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.”

In operational technology (OT) contexts, one critical infrastructure cybersecurity vendor previously found that threat actors can use non-standard ports to exploit Remote Desktop Protocol (RDP) services and seamlessly pivot into OT/SCADA networks.

Specifically, this vendor report detailed a penetration testing engagement in which attack simulators created a Network Shell (Netsh) port-proxy rule on a compromised host within the corporate network. This rule made the host listen on a non-standard port and forward incoming traffic to an OT/SCADA asset's RDP service on a default port.

Netsh is a “command-line utility included in Microsoft’s Windows NT line of operating systems beginning with Windows 2000 up to the most recent releases of Windows 10 and Server 2019,” according to the cybersecurity vendor report.
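The pivot described above leaves a host-side artifact that defenders can audit: the portproxy rule table itself. The following is an added example, not code from the vendor report or the original post; it parses constructed text in the shape of `netsh interface portproxy show all` output and flags any rule that forwards a non-RDP listener into RDP.

```python
# Added example (not from the vendor report or the original post): parse the
# text that `netsh interface portproxy show all` prints and flag rules that
# hand traffic to RDP from a listener on any other port, the pivot the pentest
# above describes. SAMPLE_OUTPUT is constructed in the shape of that output.
import re
from typing import NamedTuple

class PortProxyRule(NamedTuple):
    section: str        # address-family pair, e.g. "v4tov4"
    listen_addr: str
    listen_port: int
    connect_addr: str
    connect_port: int

RDP_PORT = 3389
SECTION_RE = re.compile(r"Listen on (ipv[46]):\s+Connect to (ipv[46]):")
RULE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")

# Constructed sample: a benign same-port rule and one that listens on a high,
# non-standard port and forwards to an OT host's default RDP port.
SAMPLE_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
*               8080        10.10.20.5      8080
0.0.0.0         49152       172.16.50.12    3389
"""

def parse_portproxy(text):
    """Return every rule in the output, tagged with its address-family section."""
    rules, section = [], "unknown"
    for line in text.splitlines():
        m = SECTION_RE.search(line)
        if m:
            section = f"{m.group(1)[2:]}to{m.group(2)[2:]}"   # "ipv4" -> "v4"
            continue
        m = RULE_RE.match(line.strip())   # header and dash lines carry no digits, so they fail
        if m:
            rules.append(PortProxyRule(section, m.group(1), int(m.group(2)),
                                       m.group(3), int(m.group(4))))
    return rules

def rdp_pivots(text):
    """Rules whose connect side is RDP while the listen side is a different port."""
    return [r for r in parse_portproxy(text)
            if r.connect_port == RDP_PORT and r.listen_port != RDP_PORT]
```

On a Windows host, feed `parse_portproxy` the stdout of `subprocess.run(["netsh", "interface", "portproxy", "show", "all"], capture_output=True, text=True)`; any rule at all is worth a baseline comparison, since most workstations should have none.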

More broadly, by exploiting a CVE on a non-standard port, threat actors are able to gain a more discreet foothold in a target’s network, as they are better positioned to avoid detection, stealthily perform lateral movement, escalate privileges, and eventually exfiltrate data and deploy ransomware.

The most infamous campaign where non-standard port exploitation featured prominently was the Apache Log4j attack blitz of 2022 and 2023. According to a 2022 TrendMicro explainer, the Log4j vulnerability (CVE-2021-44228) “allows attackers to achieve remote code execution on the victim servers using the vulnerable versions of the popular library in exposed web applications/services.”

Highlighting the Log4j CVE’s exploitation of unconventional network entry points, Amazon Web Services noted in a 2022 advisory that defenders should “monitor or prevent instances of protocols like LDAP from using non-standard LDAP ports such as 53, 80, 123, and 443” to mitigate the threat.
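Both the T1571 definition and the AWS guidance above reduce to one detection question: is a protocol answering on a port it is not normally associated with? The following is an added example, not code from the original post or from SixMap's report; it runs that check over constructed Zeek-style conn.log records, relying on the fact that Zeek's `service` field is derived from payload inspection rather than from the port number.

```python
# Added example (not from the original post or SixMap's report): check
# constructed Zeek-style conn.log records for a service answering on a port
# it is not normally associated with. Zeek's `service` field comes from payload
# inspection, not the port, so "ldap on resp_p 53" is exactly what the AWS
# Log4j guidance and ATT&CK T1571 describe.
import csv
import io

# Ports on which each detected service is normally expected (IANA assignments).
# Assumption: services carry Zeek's lowercase analyzer names.
EXPECTED_PORTS = {
    "http": {80, 8080, 8000},
    "ssl": {443, 8443},
    "ssh": {22},
    "ldap": {389},
    "dns": {53},
    "ntp": {123},
    "rdp": {3389},
}

FIELDS = ["ts", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service"]

# Constructed sample: six conn.log records, tab-separated, header lines omitted.
SAMPLE_LOG = """\
1700000000.1\t10.0.0.5\t51000\t198.51.100.10\t443\ttcp\tssl
1700000001.2\t10.0.0.5\t51001\t198.51.100.11\t2222\ttcp\tssh
1700000002.3\t10.0.0.7\t51002\t203.0.113.9\t53\ttcp\tldap
1700000003.4\t10.0.0.7\t51003\t203.0.113.9\t53\tudp\tdns
1700000004.5\t10.0.0.8\t51004\t198.51.100.13\t40123\ttcp\thttp
1700000005.6\t10.0.0.8\t51005\t198.51.100.14\t3389\ttcp\t-
"""

def parse_conn_log(text):
    """Yield one dict per record with id.resp_p as int and service split on ','."""
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS, delimiter="\t"):
        row["id.resp_p"] = int(row["id.resp_p"])
        # Zeek writes '-' for unset and 'ssl,http' when several analyzers match.
        row["service"] = [] if row["service"] == "-" else row["service"].split(",")
        yield row

def find_mismatches(text):
    """Return (resp_h, resp_p, service) where the service sits on an unexpected port."""
    hits = []
    for row in parse_conn_log(text):
        for svc in row["service"]:
            expected = EXPECTED_PORTS.get(svc)  # unknown services are skipped
            if expected and row["id.resp_p"] not in expected:
                hits.append((row["id.resp_h"], row["id.resp_p"], svc))
    return hits
```

Against the sample, the SSH listener on 2222, the LDAP responder on 53 and the web service on 40123 are flagged, while DNS on 53 and the record with no detected service are not.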

Most Common CVEs Discovered by SixMap

Of the 5,756 vulnerable services identified by SixMap, “about 76% of these vulnerabilities were with various implementations of HTTP.” SixMap noted that this is “unsurprising, as web services are one of the most common services globally and, by virtue of their purpose, must be exposed to the Internet.”

One recent major HTTP-based CVE that was flagged by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in May 2025 is CVE-2025-32756. This CVE impacted Fortinet’s FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera platforms, which are “widely used in enterprise environments for unified communications, email, network detection, and video surveillance,” according to GBHackers.

At its core, this CVE is a “critical stack-based buffer overflow vulnerability (CWE-124) that allows remote, unauthenticated attackers to execute arbitrary code or commands by sending specially crafted HTTP requests to vulnerable devices.” At the time, this CVE was aggressively exploited in the wild and “carries a CVSS v3 score of 9.6, underscoring its severity and potential impact on affected organizations,” according to GBHackers.

The next-most exploited service identified by SixMap was the network protocol SSH. Successful SSH attacks often result “directly in full compromise of a system with the ability to execute commands remotely,” noted SixMap.

SixMap noted there was wide variance in the distribution of vulnerabilities across the 21 energy firms it audited. One organization had zero vulnerabilities, three organizations had fewer than 5, and seven had fewer than 50, according to SixMap.

“On the other end of the spectrum,” noted SixMap, one outlier organization had a “staggering 2,875 vulnerabilities in its external attack surface.” SixMap said many of these vulnerabilities were “due to a very old version of Apache web service” the company was running, which has “45 known CVEs associated with it.”

However, SixMap reiterated that 405 of the vulnerabilities it identified, or “roughly 7% of all CVEs detected—were with services running on non-standard ports,” indicating a “lack of visibility” for defenders.

Notably, the report also found that there are “43 different CVEs common to 45% or more of the organizations in the sample group, potentially representing systemic risks for the energy sector.”

Industry Consolidation Amplifies the Threat of Exposed Ports

As noted by SixMap, “the limitations of traditional security tools” leave many energy organizations vulnerable to attacks via exposed ports, and exposed non-standard ports present an especially glaring threat. Specifically, “legacy external attack surface management tools are designed to find unknown hosts but often fail to discover all of the shadow IT assets,” according to SixMap.

The surging market for energy-sector mergers and acquisitions (M&A) further amplifies the external attack surface threat for large strategic buyers. A June 2025 report by global property conglomerate Jones Lang LaSalle noted that M&A activity has reached historic levels in the energy sector, with “natural gas companies leading a wave of consolidation that is restructuring the industry landscape.”

JLL said that M&A transaction volumes exceeded $57 billion in 2024—“more than double the pre-pandemic levels of 2019.” JLL also explained that energy “companies are executing fewer but significantly larger deals, reflecting a strategic shift toward transformational acquisitions rather than incremental growth.”

One driver for this dynamic M&A cycle is technological integration, according to JLL. Specifically, acquisitions provide large energy firms with an “accelerated pathway to incorporate advanced technologies—from digital monitoring systems to emissions-reduction innovations—that might take years to develop internally,” according to the JLL report.

In the midst of all these acquisitions and IT integrations, however, large energy organizations are also inevitably assimilating more security blind spots in the form of shadow IT. It follows that the stealthy compromise of an acquisition target could place larger strategic acquirers at risk of being compromised themselves when they begin the process of integrating the IT systems of a breached subsidiary.

These concerns are further exacerbated by a broader M&A threat landscape where ransomware actors and other cybercriminals are strategically targeting mid-market acquisition prospects, according to the Wall Street Journal. Also, consider that smaller energy companies may not have sufficient budget or resources to audit and assess their cybersecurity risks as regularly or effectively as larger organizations. All of these factors significantly amplify cyber risks for strategic acquirers operating in the energy space.

Is your energy organization concerned about the cyber risks associated with recent acquisitions or prospective acquisition targets in a rapidly digitizing sector?

InfraShield’s OT security specialists bring deep expertise in identifying hidden vulnerabilities, mapping inherited cyber-physical attack surfaces, and conducting comprehensive cyber due diligence for both established and newly integrated operations.

Don’t let overlooked gaps in legacy systems or complex asset portfolios jeopardize your strategic investments. Partner with InfraShield to proactively assess, secure, and strengthen your organization’s operational resilience—before, during, and after the M&A process. Contact our experts today for a tailored security assessment to ensure your acquisitions deliver growth with confidence and protection.
