Vulnerability Assessment Report

acme-corp.com
RECON Scan

Assessment Date: April 6, 2026

Target: Acme Corp (acme-corp.com)

Scan Type: Reconnaissance & Security Analysis

Status: Complete

⚠ SAMPLE REPORT — MOCKUP DATA

Executive Summary

Risk Grade: C

Acme Corp's external security posture shows moderate-to-significant exposure across multiple attack vectors. The RECON scan identified 18 findings, including 2 HIGH severity issues requiring immediate attention: an expired SSL certificate on the shop subdomain and an open MySQL port on the staging server surfaced by Shodan. In addition, critical security headers are missing, outdated technologies are in use, and email authentication remains incomplete. While foundational controls exist, multiple configuration gaps and technology debt create material risk.

Scan Overview

Findings: 18
Critical: 0
High: 2
Medium or higher: 8

Table of Contents

  1. Executive Summary
  2. Digital Footprint & Domain Health
  3. Technology Stack Analysis
  4. Findings & Vulnerabilities
  5. Remediation Roadmap

Digital Footprint & Domain Health

Discovered Assets

Subdomain             | Status                  | Technology         | Notes
acme-corp.com         | ✓ Active                | React/Nginx        | Main domain, Cloudflare CDN
www.acme-corp.com     | ✓ Active                | React/Nginx        | Primary web application
api.acme-corp.com     | ✓ Active                | Node.js            | REST API endpoint
shop.acme-corp.com    | ⚠ Active (cert expired) | WooCommerce/Apache | E-commerce platform
mail.acme-corp.com    | ✓ Active                | Postfix            | Mail server
staging.acme-corp.com | ✓ Active                | Apache/MySQL       | Development environment

Domain Health Assessment

SSL Certificate Status

Main domain certificate is valid (expires Sept 2026), but shop.acme-corp.com certificate expired on Feb 28, 2026. This creates browser warnings and blocks e-commerce transactions.

DNS Resolution

All nameservers resolve correctly. Zone transfers blocked (good). DNSSEC not enabled (optional).

Email Authentication

SPF is configured but too permissive (~all soft fail instead of -all). DMARC is missing. DKIM is only partially implemented (primary domain only). Together these increase the risk of phishing with spoofed acme-corp.com senders.

CDN & Global Delivery

Cloudflare CDN active on main domain, providing DDoS protection and caching. Good for performance and availability.

Domain Expiration

Domain expires May 20, 2026 (44 days). Critical action required to renew immediately.

Technology Stack Analysis

Detected Technologies

Fingerprinting and Shodan reconnaissance identified 12+ technologies running across Acme Corp's infrastructure:

Web Frameworks & Servers

React 18.2
Node.js 18.x
Apache 2.4.41
Nginx 1.18
Cloudflare CDN

CMS & Applications

WordPress 6.2
WooCommerce 7.5
jQuery 2.1.4 (outdated)

Databases & Backend

PostgreSQL 13
MySQL 5.7 (outdated)
Redis 6.2

Libraries & Frameworks

Bootstrap 4.6
Chart.js 3.1
Moment.js 2.29

Technology Risk Assessment

Notable Issues:

  • jQuery 2.1.4 is end-of-life with known CVEs (see RECON-004)
  • MySQL 5.7 is outdated and, on staging, reachable from the internet (see RECON-002 and the Priority 2 roadmap)
  • Apache 2.4.41 discloses its version in the Server header (see RECON-005)

Vulnerability Findings (Part 1)

The RECON scan identified 18 findings across infrastructure, security headers, and technology debt. The highest-severity issues are listed first.

Expired SSL Certificate
Severity: High
ID: RECON-001 | Asset: shop.acme-corp.com
Description: The SSL/TLS certificate for shop.acme-corp.com expired on February 28, 2026. Browsers display security warnings and block content. This directly impacts e-commerce transactions and user trust.
Remediation: Immediately renew or reissue the SSL certificate. Deploy using your certificate authority (Let's Encrypt recommended for auto-renewal). Implement monitoring that alerts on certificate expiration 30 days in advance.

Exposed MySQL Port (Shodan Discovery)
Severity: High
ID: RECON-002 | Asset: staging.acme-corp.com (203.0.113.99:3306)
Description: Shodan reconnaissance revealed an open MySQL port (3306) on the staging server. While staging is non-production, exposed databases are high-risk and can be exploited for data theft, ransomware, or lateral movement into production systems.
Remediation: Immediately restrict access to port 3306 using firewall rules. Only permit connections from authorized application servers. Move staging to a private VPC or Tailscale network. Implement network segmentation between staging and production.

Missing Security Headers
Severity: Medium
ID: RECON-003 | Asset: acme-corp.com, www.acme-corp.com, api.acme-corp.com
Description: Critical security headers are missing from HTTP responses:
  • Content-Security-Policy (CSP) — Missing
  • X-Frame-Options — Missing (clickjacking risk)
  • X-Content-Type-Options — Missing
  • Strict-Transport-Security (HSTS) — Not set
Remediation: Add the following security headers in the Nginx/Apache configuration:
  • X-Frame-Options: DENY
  • Content-Security-Policy: default-src 'self'
  • X-Content-Type-Options: nosniff
  • Strict-Transport-Security: max-age=31536000; includeSubDomains

Outdated jQuery Library (2.1.4)
Severity: Medium
ID: RECON-004 | Asset: acme-corp.com, shop.acme-corp.com
Description: jQuery 2.1.4 was released in 2015 and is end-of-life. Multiple known CVEs exist:
  • CVE-2020-11022 — XSS in .html() method
  • CVE-2020-11023 — XSS in .attr() method
Remediation: Upgrade jQuery to the latest LTS version (3.7+). For new development, consider removing the jQuery dependency and using vanilla JavaScript or modern frameworks. Implement automated dependency scanning (npm audit, OWASP Dependency-Check).

Server Header Reveals Apache Version
Severity: Medium
ID: RECON-005 | Asset: shop.acme-corp.com
Description: The HTTP Server header exposes "Apache/2.4.41", allowing attackers to identify known vulnerabilities specific to this version. This is information disclosure that aids reconnaissance.
Remediation: Configure Apache to hide the server version header. In httpd.conf: ServerTokens Prod, ServerSignature Off. Consider using a WAF to rewrite headers.
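
The check below is an added example, not part of this report or of the RECON scanner: it audits one response's header set for the gaps in RECON-003 and the version disclosure in RECON-005, using the header values recommended above. The HSTS minimum age and the version-string regex are assumptions, and the sample header sets are constructed rather than captured from acme-corp.com.

```python
import re

# Thresholds are assumptions, not values from the report: an HSTS max-age of one
# year matches the remediation text; the Server version check is a simple regex.
HSTS_MIN_AGE = 31536000

def audit_headers(headers: dict) -> list:
    """Return a list of issues for one response's headers (names case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    issues = []
    if "content-security-policy" not in h:
        issues.append("Content-Security-Policy missing")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        issues.append("X-Frame-Options missing or not DENY/SAMEORIGIN (clickjacking risk)")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        issues.append("X-Content-Type-Options missing or not 'nosniff'")
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        issues.append("Strict-Transport-Security not set")
    elif int(m.group(1)) < HSTS_MIN_AGE:
        issues.append(f"HSTS max-age {m.group(1)} below {HSTS_MIN_AGE}")
    elif "includesubdomains" not in hsts.lower():
        issues.append("HSTS present but without includeSubDomains")
    # RECON-005: a version string in the Server header aids reconnaissance.
    server = h.get("server", "")
    if re.search(r"/\d+(\.\d+)+", server):
        issues.append(f"Server header discloses version: {server}")
    return issues

# Constructed sample responses (not captured from acme-corp.com).
SHOP_BEFORE = {"Server": "Apache/2.4.41", "Content-Type": "text/html"}
SHOP_AFTER = {
    "Server": "Apache",  # ServerTokens Prod
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for name, hdrs in (("before", SHOP_BEFORE), ("after", SHOP_AFTER)):
        print(name, audit_headers(hdrs) or ["no issues"])
```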

Vulnerability Findings (Part 2)

Low DNS TTL Values
Severity: Medium
ID: RECON-006
Description: Some subdomains have a DNS TTL of 60 seconds, which is very low. This increases DNS resolver load and can amplify DNS-based attacks.
Remediation: Increase the TTL to 3600+ seconds (1 hour) for stable records. Keep a lower TTL (300s) only for frequently changing records. Use Cloudflare or another DNS provider with intelligent TTL management.

VirusTotal Detection History
Severity: Medium
ID: RECON-007
Description: VirusTotal records show 2 URLs associated with acme-corp.com were flagged as malicious in the past 12 months: a phishing page and a malware distribution URL. While possibly unrelated to your current infrastructure, this suggests either historical compromise or domain abuse.
Remediation: Review server logs from 12 months ago to identify and document the incident. Scan the web root for residual shells or backdoors. Implement a Web Application Firewall (WAF) to prevent future abuse. Monitor VirusTotal for new detections.

IPv6 Not Configured
Severity: Low
ID: RECON-008
Description: Your infrastructure only responds to IPv4 requests. While not a critical vulnerability, IPv6 adoption is increasing and lack of support may limit accessibility.
Remediation: Add AAAA records to your DNS and configure IPv6 on load balancers/CDN. This is a lower-priority improvement as IPv4 remains dominant, but good for future-proofing.

www vs. Naked Domain Inconsistency
Severity: Low
ID: RECON-009
Description: acme-corp.com returns 200 OK, but www.acme-corp.com returns a 301 redirect. This creates a non-canonical configuration that can hurt SEO and confuse users.
Remediation: Configure the CDN/web server to redirect all traffic to a single canonical domain (e.g., www or non-www). Ensure redirects are permanent (301) to preserve SEO rankings.

WordPress Version Exposed
Severity: Low
ID: RECON-010 | Asset: blog.acme-corp.com
Description: WordPress version 6.2 is exposed via wp-includes/version.php and RSS feed headers. While WordPress is kept relatively current, version disclosure aids attacker reconnaissance.
Remediation: Hide the WordPress version by removing the generator meta tag and disabling version exposure in wp-config.php. Use a security hardening plugin such as Wordfence.

Email Authentication Incomplete (From QUICK Scan)
Severity: Low
ID: RECON-011
Description: DMARC record still missing; SPF remains too permissive (~all instead of -all). See QUICK scan findings QUICK-004 and QUICK-005 for details.
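
As an added example, not part of this report or of the RECON scanner, the following evaluates a domain's SPF and DMARC TXT records for exactly the weaknesses in RECON-011 (a soft-fail ~all qualifier and a missing DMARC record) and accepts the target state from the remediation roadmap (-all and p=quarantine). The records are constructed samples, not live lookups of acme-corp.com; the 203.0.113.0/24 range is the report's own documentation address space.

```python
def spf_all_qualifier(spf: str):
    """Return the qualifier ('+', '-', '~' or '?') on the 'all' mechanism, or None."""
    if not spf.lower().startswith("v=spf1"):
        return None
    for term in spf.split()[1:]:
        # A mechanism without an explicit qualifier defaults to '+' (pass).
        q, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech.lower() == "all":
            return q
    return None  # no 'all' mechanism at all: implicit neutral result

def parse_dmarc(txt: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict; empty dict if not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}

def assess_email_auth(spf: str, dmarc: str) -> list:
    """Return findings in the style of the report's email-authentication checks."""
    issues = []
    q = spf_all_qualifier(spf)
    if q is None:
        issues.append("SPF missing or without an 'all' mechanism")
    elif q in ("+", "?"):
        issues.append(f"SPF '{q}all' allows any sender")
    elif q == "~":
        issues.append("SPF uses ~all (soft fail); use -all")
    d = parse_dmarc(dmarc)
    if not d:
        issues.append("DMARC record missing")
    elif d.get("p", "").lower() == "none":
        issues.append("DMARC p=none is monitor-only; use p=quarantine or p=reject")
    return issues

# Constructed records mirroring the finding and the roadmap target (not real DNS data).
CURRENT_SPF = "v=spf1 mx a:mail.acme-corp.com ip4:203.0.113.0/24 ~all"
CURRENT_DMARC = ""  # no _dmarc.acme-corp.com TXT record exists
TARGET_SPF = "v=spf1 mx a:mail.acme-corp.com ip4:203.0.113.0/24 -all"
TARGET_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@acme-corp.com"

if __name__ == "__main__":
    print("current:", assess_email_auth(CURRENT_SPF, CURRENT_DMARC))
    print("target:", assess_email_auth(TARGET_SPF, TARGET_DMARC) or ["no issues"])
```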

Domain Expiration Alert (From QUICK Scan)
Severity: Low
ID: RECON-012
Description: Domain expires May 20, 2026 (44 days). See QUICK scan finding QUICK-006 for remediation.

Cloudflare CDN Detected
Severity: Info
ID: RECON-013
Description: Main domain is protected by Cloudflare CDN (Free or Pro plan). This provides DDoS protection, caching, and Web Application Firewall (WAF) capabilities. Proper configuration is important to maximize security benefits.

Additional Subdomains Discovered
Severity: Info
ID: RECON-014
Description: RECON scan discovered 2 additional subdomains not found in the QUICK scan: blog.acme-corp.com (WordPress) and staging.acme-corp.com (development environment). Staging assets should not be exposed to the internet.

Remediation Roadmap

Priority 1: Critical Actions (This Week)

  1. Renew expired SSL certificate on shop.acme-corp.com
  2. Block MySQL port on staging server immediately (firewall rule)
  3. Implement security headers (CSP, X-Frame-Options, HSTS) in Nginx config

Priority 2: High-Impact (Next 30 Days)

  1. Upgrade jQuery from 2.1.4 to 3.7+ or remove dependency
  2. Upgrade MySQL 5.7 to 8.0 or migrate to PostgreSQL
  3. Increase DNS TTL to 3600+ seconds
  4. Configure SPF to use -all (hard fail) instead of ~all
  5. Add DMARC record with p=quarantine policy
  6. Hide Apache version header from HTTP responses

Priority 3: Medium-Term (Next 60-90 Days)

  1. Enable IPv6 on infrastructure
  2. Standardize www vs. naked domain canonical configuration
  3. Move staging environment off public internet (use VPN/Tailscale)
  4. Implement Web Application Firewall (WAF) rules
  5. Harden WordPress with security plugin and hide version
  6. Enable automated dependency scanning (npm audit, OWASP DC)

Estimated Timeline & Effort

Phase      | Duration   | Effort      | Resources
Priority 1 | 3-5 days   | 4-6 hours   | DevOps + Infrastructure
Priority 2 | 20-30 days | 20-30 hours | DevOps + Development
Priority 3 | 60-90 days | 30-40 hours | Full engineering team

Upgrade to FULL Scan

The RECON assessment covers reconnaissance, technology identification, and configuration analysis. To identify active vulnerabilities, exploit paths, and compliance gaps, consider upgrading to a FULL Scan, which includes:

FULL Scan Includes

  • Port Scanning (Nmap): Identify all listening services
  • Vulnerability Scanning (Nuclei): Active detection of CVEs
  • Web Application Scanning: WPScan, CORS checks, open redirects
  • SSL/TLS Deep Analysis: Certificate chain, weak ciphers, protocol versions
  • CVE Enrichment: Automatic CVE scoring and exploit availability
  • Attack Path Analysis: Multi-step exploitation chains
  • Compliance Mapping: ISO 27001, SOC 2, PCI DSS controls

The FULL scan will identify active vulnerabilities (e.g., unpatched CVEs, exposed endpoints, weak authentication) and provide comprehensive compliance reporting essential for audits and stakeholder communication.