A recent string of cybersecurity vulnerabilities in the United States has exposed severe weaknesses in 19 digital platforms, including Inmate Management, Court Case Management Plus, and CMS360, which are used by government agencies and courts to manage sensitive public records and legal documents. These flaws allow attackers to easily access and manipulate confidential information, raising serious concerns about the security of personal data and the integrity of the judicial process in the country.
These government platforms, crucial in managing everything from public records to legal filings, are designed to ensure transparency and trust. However, such security flaws across these systems suggest a much darker reality.
The vulnerabilities highlight that attackers — often with minimal technical skill — could compromise personal data, legal filings, and even voters’ rights, casting doubt on the reliability of these platforms.
From weak access controls to poor input validation, various issues make these platforms highly vulnerable. In multiple instances, platforms relied on predictable user IDs or inadequate authentication steps, enabling attackers to escalate their privileges, view confidential data, or alter legal filings.
A glaring example comes from Georgia, where the state’s voter registration cancellation portal allowed attackers to submit requests using basic public information, such as name and birthdate.
With no additional safeguard in place, voter registrations could be canceled, compromising citizens’ privacy and voting rights.
Another troubling vulnerability was in Granicus GovQA, a widely used platform for managing public records. Attackers could reset passwords without verifying user identities and even manipulate web addresses to gain access to usernames and email addresses.
These exploits could give attackers control over sensitive documents and lock legitimate users out, raising concerns about unauthorised changes to public records.
The Thomson Reuters C-Track eFiling system, used in court systems, also exhibited dangerous flaws. By manipulating specific fields during the registration process, attackers could elevate their status to that of a court administrator, giving them access to sensitive legal data.
Similar vulnerabilities were found across court systems in Florida. Attackers could access restricted court records by guessing document IDs or manipulating cookies.
The exposed data included sealed documents, mental health evaluations, and witness lists.
Another vulnerability, in the Superior Court eFiling system of Maricopa County, Arizona, allowed attackers to exploit API endpoints, accessing restricted legal documents by simply guessing user IDs.
Similarly, platforms like Catalis EZ-Filing, used across Georgia and South Carolina, revealed personal details such as names, addresses, and contact information. In some cases, attackers could even access sealed court documents, including highly sensitive mental health reports.
Currently, there is no indication that these flaws are being exploited in the wild, reports Ars Technica.
“Fixing these issues requires more than just patching a few bugs. It calls for a complete overhaul of how security is handled in court and public record systems,” says the security researcher. “To prevent attackers from hijacking accounts or altering sensitive data, robust permission controls must be immediately implemented, and stricter validation of user inputs enforced.”
Organisations should do regular security audits and penetration testing, adopt multi-factor authentication, and provide adequate training to IT staff.
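The document-access flaws described above (records reachable by guessing IDs or editing cookies) come down to a missing server-side authorisation check on each object. The sketch below is an added example, not code from any of the affected vendors; the `Document` and `Session` types, the role names and the sealed-record policy are all assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Document:
    case_id: str
    title: str
    sealed: bool = False

@dataclass
class Session:
    # Assumed to be filled in by the server at login and kept server-side,
    # never rebuilt from request fields or client-editable cookies.
    user_id: str
    role: str                          # assumed roles: "public", "party", "clerk"
    case_ids: frozenset = frozenset()  # cases this user is a party to

class AccessDenied(Exception):
    pass

DOCS = {}  # in-memory stand-in for the document store

def add_document(doc):
    """Store a document under a random identifier instead of a sequential one."""
    doc_id = secrets.token_urlsafe(16)
    DOCS[doc_id] = doc
    return doc_id

def may_read(session, doc):
    """Assumed policy: sealed records are limited to clerks and parties to the case."""
    if not doc.sealed:
        return True
    if session.role == "clerk":
        return True
    return session.role == "party" and doc.case_id in session.case_ids

def fetch_document(session, doc_id):
    """Authorise every lookup; an unguessable ID is not treated as permission."""
    doc = DOCS.get(doc_id)
    # One error for both "missing" and "forbidden", so a response never
    # confirms that a given identifier exists.
    if doc is None or not may_read(session, doc):
        raise AccessDenied("document not available")
    return doc

if __name__ == "__main__":
    # Constructed sample record and sessions
    sealed_id = add_document(Document("CASE-A", "Evaluation", sealed=True))
    for s in (Session("u1", "public"), Session("u2", "party", frozenset({"CASE-A"}))):
        try:
            print(s.role, "->", fetch_document(s, sealed_id).title)
        except AccessDenied as exc:
            print(s.role, "->", exc)
```

The random identifier only makes enumeration harder; the decision to release a record is made by `may_read` on every request.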
Here is a full list of all 19 affected platforms:
No. | Vendor | Platform |
---|---|---|
1 | BluHorse | Inmate Management |
2 | Tyler Technologies | Court Case Management Plus |
3 | Catalis | CMS360 |
4 | Henschen | CaseLook |
5 | Brevard County, Florida | In-house |
6 | Hillsborough County, Florida | In-house |
7 | Lee County, Florida | In-house |
8 | Monroe County, Florida | In-house |
9 | Sarasota County, Florida | In-house |
10 | Granicus | eFiling |
11 | Granicus | GovQA |
12 | Catalis | EZ-Filing v3 |
13 | Catalis | EZ-Filing v4 |
14 | Maricopa County, Arizona | eFiling |
15 | NYPD | Officer Profile Portal |
16 | Granicus | eFiling |
17 | Thomson Reuters | C-Track |
18 | Granicus | GovQA |
19 | Georgia Secretary of State | Voter Cancellation |