
CMI Management data leak exposes sensitive information from US military installations

A publicly accessible directory tied to CMI Management Inc., a U.S. government contractor specializing in facility management services for federal agencies and military installations, exposed at least 70,000 sensitive files connected to U.S. Army facilities, including building schematics, maintenance records and personally identifiable information tied to military personnel and contractors.


The exposure remained accessible as recently as April 2026, despite a prior notification to the U.S. Computer Emergency Readiness Team, known as US-CERT, by security researcher Arkadeep Roy in 2024. Roy said he received confirmation that federal cybersecurity authorities were in contact with the vendor responsible for the exposed data.


Researchers investigating the incident found the files exposed through an open directory listing vulnerability with no effective access restrictions in place. The dataset appeared to be updated in real time during the investigation, indicating the exposed system remained actively in use while publicly accessible.


The leaked files included photographs taken inside military bases, maintenance work orders, infrastructure documentation, building schematics and personal information belonging to military personnel and contractors working on government facilities.


Researchers identified the exposed directory as belonging to CMI Management Inc., a longtime federal contractor that provides facility operations and maintenance services for U.S. government properties. The company operates as part of Dexterra Group, a Canadian support services company.


The exposed information raised concerns about the potential operational and security implications for military installations. Researchers warned that detailed schematics and infrastructure documentation could allow hostile actors to build comprehensive layouts of sensitive facilities that may not be visible through aerial or satellite imagery alone. Structural information contained in the files could also reveal potential vulnerabilities within buildings and support systems.


The exposure of personal information tied to military personnel and contractors creates additional risks involving phishing attacks, impersonation attempts and social engineering campaigns designed to gain unauthorized access to military systems or facilities.


Researchers involved in the investigation said the incident demonstrates persistent weaknesses in how sensitive government-related information is secured, even after vulnerabilities are disclosed to relevant authorities.



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543