Illustration = Lee Eun-hyun

In a blind (covert) hacking simulation test carried out by the Ministry of Science and ICT on its affiliated agencies, 457 new vulnerabilities were found. Although the number of agencies decreased, vulnerabilities instead increased, highlighting the security weaknesses of public systems in the research and technology fields.

According to the "2025 in-house hacking simulation test results" that People Power Party lawmaker Choi Su-jin, a member of the Science, ICT, Broadcasting and Communications Committee of the National Assembly, received from and disclosed via the Ministry of Science and ICT on the 28th, multiple vulnerabilities were found at the Korea Advanced Institute of Science and Technology (KAIST) with 47 cases, the Daegu Gyeongbuk Institute of Science and Technology (DGIST) with 45, the Korea Institute of Materials Science (KIMS) with 37, the Korea Institute of Industrial Technology (KITECH) with 28, the National Information Society Agency (NIA) with 25, and the Korea Research Institute of Chemical Technology (KRICT) with 21.

By type, parameter tampering and authentication/session management weaknesses were the most common at 121 cases. They were followed by exposure of sensitive information such as server details and absolute paths at 108 cases, and web-based vulnerabilities such as cross-site scripting (XSS) and CSRF at 46 cases.

Parameter tampering and authentication/session management weaknesses involve attackers manipulating input values or stealing session information to attempt unauthorized access. Sensitive information exposure refers to a state in which internal information such as server versions is revealed externally, which makes the system an easier target for attack, while XSS and similar flaws can lead to attacks that plant malicious scripts on webpages to steal user information.

In addition, 40 cases of exposed administrator pages, 16 cases of file upload/download vulnerabilities, and 10 cases of insufficient access control for remote management services were pointed out.

In a similar simulation test last year, 431 vulnerabilities were reported across 44 agencies. This year, despite the smaller number of agencies inspected, the number of vulnerabilities increased, and the overall figure is expected to grow when results from Korea Institute of Science and Technology (KIST) and National Research Foundation of Korea (NRF), which have not yet been tallied, are added at the end of the year.

Choi said, "Vulnerabilities in public web services in the science and technology sector have instead deepened," and added, "As realistic attack risks such as attempts by black-hat hackers to penetrate internal networks or leak server information have grown, it is urgent to prepare reinforcement measures."
