MEDIUM · refiner

Numaligarh Refinery Limited

45+ subdomains visible in CT including VPN, AD, document mgmt; no breach detected

nrl.co.in · baseline scan 2026-04-27 · daily passive check 2026-06-13 · Phase 2 active scan 2026-04-28

Daily passive check · 2026-06-13

score 62

Availability: request timed out
TLS: unknown
Headers: 6 missing · 0 permissive
Email auth: SPF strict · DMARC quarantine

Security score: 62 · Watch

Headline findings

  • 45+ subdomains visible in public CT logs — full infrastructure topology mappable from outside
  • VPN gateway (vpn.nrl.co.in) and AD-related service (adss.nrl.co.in) named publicly
  • Document management exposed across dev/uat/prod tiers (ieddms.*)
  • Self-hosted RAG/LLM tool visible (open-web-ui.nrlrag) — introduces AI-specific threat surface
  • Public tender PDFs include Enterprise Risk Management Framework (governance content alongside tender attachments)
  • No breach evidence in HIBP, IntelX, GitHub code search, paste archives, or S3/Azure bucket guessing
  • Email auth strong (DMARC p=quarantine, strict SPF)

TLS security

unknown

Issuer: unavailable (TLS connection timed out)

Email authentication

SPF: strict
DKIM: present
DMARC: quarantine

Hardening headers

0 present / 0 permissive / 6 missing

  • HSTS: missing
  • CSP: missing
  • X-Frame-Options: missing
  • X-Content-Type-Options: missing
  • Referrer-Policy: missing
  • Permissions-Policy: missing

Lookalike domains

  • nrl.co.com · 169.60.151.233 (RIPE-allocated cloud, typosquat cluster)
  • nrl.in · 54.195.35.206 (third-party)
  • nrl.com · Australian National Rugby League (distinct org)

Public topology · CT logs

45 total · 10 sensitive

nrl.co.in
Authentication
  • vpn.nrl.co.in
  • adss.nrl.co.in
Dev / Test / UAT
  • ieddms.dev.nrl.co.in
  • ieddms.uat.nrl.co.in
  • mgpnrl.dev.nrl.co.in
  • mgptest.nrl.co.in
Document mgmt
  • ieddms.prod.nrl.co.in
API / AI
  • open-web-ui.nrlrag.nrl.co.in
Portals
  • b2b.nrl.co.in
Applications
  • hmis.nrl.co.in

Certificate-transparency logs are immutable and public. Sensitive subdomains advertised here cannot be retracted; the mitigation is forward-only — new internal services route through a private CA that does not submit to public CT.

Phase 2 · Active scan complete

Authorised ethical-hacking assessment ran on 2026-04-28. Active fingerprinting, CVE matching, Mythos-class adversary simulation, and CISO patch list below.

Single-question version for MD

What is the firmware version of the NRL VPN appliance, and is it patched against the KEV-listed pre-authentication RCE for that brand?

Active fingerprints · per host

  • hmis.nrl.co.in · EOL × 3

    Apache 2.4.6 + PHP 7.4.28 + OpenSSL 1.0.2k-fips

    • PHP 7.4 EOL 2022-11-28
    • OpenSSL 1.0.2 EOL 2019-12-31
    • Apache 2.4.6 very old
  • nrlportal.nrl.co.in · EOL × 3

    Apache 2.4.6 + OpenSSL 1.0.2k-fips (CentOS)

    • Apache 2.4.6 very old
    • OpenSSL 1.0.2 EOL 2019-12-31
    • currently 503 maintenance
  • inetdemo.nrl.co.in · EOL × 1

    Microsoft IIS 10.0 + ASP.NET 4.0.30319

    • IIS 10.0 mainstream EOL 2025-10-14
  • websvc.nrl.co.in · EOL × 1

    Microsoft IIS 10.0 + ASP.NET

    • IIS 10.0 mainstream EOL 2025-10-14
  • shapp.nrl.co.in · EOL × 1

    Apache Tomcat 9.0.70 (AWS ALB-fronted)

    • Tomcat 9.0.70 stale (current 9.0.99+)
  • stps.nrl.co.in · EOL × 1

    nginx 1.20.1 + Express (Node.js)

    • nginx 1.20.1 stale
  • procurixai.nrl.co.in

    nginx 1.30.0 (AWS ALB-fronted, AI tool)

  • vpn.nrl.co.in · EOL × 1

    Unknown (likely FortiGate/Citrix/F5/Cisco — not externally fingerprintable)

    • VPN appliance brand to be confirmed by CISO
  • www.nrl.co.in · EOL × 1

    ASP.NET (X-AspNet-Version: MyServer1 — version obfuscated)

    • version obfuscated; CISO confirms internally
  • mgpnrl.nrl.co.in · EOL × 1

    ASP.NET (MyServer1 obfuscation, shared IP cluster)

    • version obfuscated

Attack-path simulation

Mythos-class adversary analytical chain · paths ranked by exploitability × access value.

#1 · Path B: VPN appliance pre-auth RCE

Effort: hours · Detection: low (bad)
Entry: Pre-auth RCE on VPN appliance (CVE depends on brand: F5 CVE-2025-53521, Citrix CVE-2025-7775/5777, Fortinet CVE-2023-27997)
Pivot: Session-token theft, MFA bypass via memory leak (CitrixBleed-class)
Objective: Authenticated VPN session as legitimate-looking user; internal network access
#2 · Path A: hmis triple-EOL exploitation

Effort: hours · Detection: medium
Entry: Any unpatched PHP 7.4 / OpenSSL 1.0.2 / Apache 2.4.6 CVE since 2022
Pivot: Web shell deployment, lateral movement via stolen credentials
Objective: Foothold in NRL corporate estate via the HMIS host
#2 · Path E: AI surface prompt-injection / vector-store exfil

Effort: hours · Detection: low (bad)
Entry: Malicious document submitted to RAG knowledge base, or prompt injection via user channel
Pivot: Extract API keys via LLM-mediated channel; manipulate model output trusted by automation
Objective: Data exfiltration or trust manipulation in NRL's AI tooling
#3 · Path C: Policy-document lure to executive mailbox

Effort: days · Detection: medium
Entry: SideCopy-style HPCL/OISD/MoPNG-themed phishing email
Pivot: CurlBack/Spark/Xeno RAT installation, credential theft
Objective: Corporate VPN access via legitimate user session
#4 · Path D: IIS/ASP.NET fingerprint to RCE

Effort: days · Detection: high (good)
Entry: HTTP.sys or IIS-specific CVE on inetdemo or websvc (CVE-2023-36434)
Pivot: SYSTEM-level access on Windows IIS host
Objective: Foothold in Windows estate

Mythos compression

Discovery-time compression: pre-AI adversary vs Mythos-class adversary, per attack path.

Path B · VPN appliance pre-auth RCE: factor 3-5x · pre-AI: days (CVE-to-exploit chaining) · Mythos: hours
Path A · hmis triple-EOL exploitation: factor 3-5x · pre-AI: days (CVE enumeration + chain) · Mythos: hours
Path E · AI surface prompt-injection / vector-store exfil: factor 50x+ · pre-AI: weeks (novel technique) · Mythos: hours
Path C · Policy-document lure to executive mailbox: factor modest · pre-AI: days (lure crafting) · Mythos: days (delivery still human-paced)
Path D · IIS/ASP.NET fingerprint to RCE: factor modest · pre-AI: days · Mythos: days (CVE conditions narrow)

The compression factor is reasoned, not measured. Mythos-class capability changes the tempo of attack-path traversal; the topology of the chain is unchanged.

CISO patch list

Tier 1 · within 7 days

  • critical · hmis.nrl.co.in triple-EOL stack migration
    Host: hmis.nrl.co.in
    Fix: Migrate to RHEL 9 / Ubuntu 24.04 LTS (Apache 2.4.62+, PHP 8.x, OpenSSL 3.x). Interim: IP-allowlist via firewall.
    Owner: Head, IT
    Validation: curl -sI https://hmis.nrl.co.in | grep -iE 'server|x-powered-by' shows Apache 2.4.62+ and PHP 8.x
  • critical · nrlportal.nrl.co.in stack upgrade during 503 window
    Host: nrlportal.nrl.co.in
    Fix: Same as hmis. Currently in 503 maintenance — opportune upgrade window.
    Owner: Head, IT
    Validation: curl -sI https://nrlportal.nrl.co.in returns HTTP/2 200 with Apache 2.4.62+ and OpenSSL 3.x
  • critical · VPN appliance brand confirmation + KEV patch
    Host: vpn.nrl.co.in
    CVE: CVE-2025-53521 / CVE-2025-7775 / CVE-2025-5777 / CVE-2023-27997 (depends on brand)
    Fix: CISO confirms appliance brand internally. Apply current vendor patch for that brand. Enforce session-token rotation post-patch.
    Owner: Head, IT (perimeter)
    Validation: Vendor command (e.g. 'get system status' on FortiGate) shows firmware at or above patched version
  • critical · IIS 10.0 monthly SU + version-leak suppression
    Host: inetdemo, websvc
    CVE: CVE-2023-36434 (HTTP/2 Rapid Reset)
    Fix: Apply current Windows monthly cumulative update. Strip Server and X-AspNet-Version headers via URL Rewrite.
    Owner: Head, IT (Windows platform)
    Validation: curl -sI shows headers absent or generic

Tier 2 · within 30 days

  • high · ASP.NET MyServer1 cluster version audit + header strip
    Host: mgpnrl, mgptest, mgpext, portal2, www.nrl.co.in
    Fix: CISO confirms ASP.NET runtime version internally. Set httpRuntime enableVersionHeader=false in Web.config.
    Owner: Head, IT
    Validation: curl -sI shows no X-AspNet-Version header
  • high · Apache Tomcat 9.0.70 → 9.0.99+
    Host: shapp.nrl.co.in
    CVE: CVE-2024-50379, CVE-2024-21733, CVE-2023-46589
    Fix: Standard Tomcat upgrade: download 9.0.99, swap bin/lib, retain conf/webapps, restart.
    Owner: Head, IT (Java platform)
    Validation: curl -sI https://shapp.nrl.co.in | grep -i server shows Tomcat 9.0.99+
  • high · nginx 1.20.1 → 1.26.x or 1.28.x stable
    Host: stps.nrl.co.in
    CVE: CVE-2024-7347 (mp4 module)
    Fix: OS-distribution package upgrade.
    Owner: Head, IT (Linux platform)
    Validation: curl -sI https://stps.nrl.co.in | grep -i server shows nginx 1.26+
  • high · procurixai AI surface threat-model audit
    Host: procurixai.nrl.co.in
    Fix: WAF + rate-limiting + API key audit + SSO with conditional access + full request/response logging.
    Owner: Head, IT + application owner
    Validation: WAF rules in place; audit log of last 30 days; SSO confirmed

Tier 3 · within 90 days

  • medium · Publish /.well-known/security.txt
    Host: all NRL domains
    Fix: Static file at /.well-known/security.txt with Contact/Expires/Encryption/Acknowledgments per RFC 9116.
    Owner: Head, IT (corporate website)
    Validation: curl -s https://www.nrl.co.in/.well-known/security.txt returns content
  • medium · Forward-only certificate-transparency policy
    Host: future internal services
    Fix: New internal-only services use private CA (AD CS / Vault PKI). External services use wildcard certs at apex.
    Owner: Head, IT (PKI)
    Validation: New internal service certificates after policy adoption do not appear in crt.sh queries
  • medium · DMARC tighten to p=reject
    Host: nrl.co.in
    Fix: 30-day report monitoring; verify mailersend.net include; update DMARC TXT to p=reject.
    Owner: IT (email)
    Validation: dig +short TXT _dmarc.nrl.co.in returns p=reject
  • medium · Internal-IP cluster network audit
    Host: 125.19.23.188 cluster, 59.144.123.x cluster
    Fix: For internal-only services: remove public DNS records (split-horizon DNS). For internet-exposed but firewall-blocked: document the rule.
    Owner: Head, IT (network)
    Validation: Internal subdomains no longer appear in external DNS
  • medium · RAG governance audit (open-web-ui.nrlrag)
    Host: open-web-ui.nrlrag.nrl.co.in
    Fix: Document RAG sources, audit API key handling, enforce SSO, conversation logging to SOC, output-trust validation.
    Owner: Head, IT (app platform) + CISO
    Validation: Governance review document on file; SSO enforced; logs in SOC tooling

Methodology is reproducible by any visitor with curl, dig, and openssl. Phase 1 (passive) findings are unconditional; Phase 2 (active) findings require per-entity ethical-hacking authorisation.

Sibling: Sanjaya — fuel pricing transparency on the same Ministry portfolio. Sanjaya narrates; Sanket warns.