LOW · upstream

Oil India Limited

Cleanest in portfolio: strict SPF -all, p=reject DMARC, strong CSP

oil-india.com · baseline scan 2026-04-27 · daily passive check 2026-06-13 · Phase 2 active scan 2026-04-28

Daily passive check · 2026-06-13

score 6

Availability

HTTP 200

TLS

2026-11-13 · 153d

Headers

1 missing · 1 permissive

Email auth

SPF strict · DMARC reject

88

Security score

Normal

Headline findings

  • 01 · Strict SPF (v=spf1 -all)
  • 02 · DMARC p=reject — strictest in portfolio
  • 03 · Strong CSP, all 6 hardening headers present (Permissions-Policy minimal)
  • 04 · Drupal stack + Citrix NetScaler frontend
  • 05 · Single subdomain (www only) — minimal CT footprint

TLS security

pass

Issuer
DigiCert Inc
Expires
2026-11-13 (153d)

Email authentication

SPF
strict
DKIM
unknown
DMARC
reject

Hardening headers

4 / 1 / 1 · present / permissive / missing

  • HSTS · present
  • CSP · permissive
  • X-Frame · present
  • X-Content-Type · present
  • Referrer-Policy · missing
  • Permissions-Policy · present

Lookalike domains

  • oilindia.com · 208.91.196.93 (Confluence Networks, third-party)

Public topology · CT logs

1 total

1 subdomain in CT logs; no sensitive categories flagged.

Certificate-transparency logs are immutable and public. Sensitive subdomains advertised here cannot be retracted; the mitigation is forward-only — new internal services route through a private CA that does not submit to public CT.

Phase 2 · Active scan complete

Authorised ethical-hacking assessment ran on 2026-04-28. Active fingerprinting, CVE matching, Mythos-class adversary simulation, and CISO patch list below.

Single-question version for MD

Is the NetScaler appliance running a CVE-2025-7775-vulnerable version, and is it externally reachable? If yes, it bypasses Drupal entirely and is the highest-priority entry point for OIL.

Active fingerprints · per host

  • www.oil-india.com · EOL × 1

    Drupal 9.x or 10.x + Citrix NetScaler gateway (X-Drupal-* + NetScaler integration markers)

    • NetScaler version unknown; if vulnerable to CVE-2025-7775 / CVE-2025-5777, Tier 1 critical

Attack-path simulation

Mythos-class adversary analytical chain · paths ranked by exploitability × access value.

#1 · Path A: Citrix NetScaler pre-auth RCE (CVE-2025-7775)

effort: hours · detect: high (good)
Entry
If NetScaler externally accessible and unpatched (pre-14.1.47.48), memory corruption in packet processing yields unauthenticated RCE.
Pivot
Compromise NetScaler appliance; bypass Drupal layer; direct internal-network access; VPN tunnel compromise; credential harvest.
Objective
Lateral movement to Oil India backend; domain pivot.

#1 · Path B: Drupal object injection → RCE (CVE-2024-55637)

effort: days · detect: medium
Entry
Unsafe unserialize() in contrib module or custom code chains with core gadget sequence.
Pivot
Inject serialised PHP object via POST/form; deserialisation triggers gadget chain.
Objective
RCE as web-server user; DB access; lateral movement.

#2 · Path C: NTLM relay (CVE-2025-33073) if Windows AD backend

effort: days · detect: medium
Entry
Conditional on Windows AD + NTLM auth (typical PSU IT). Attacker on same network or via compromised app.
Pivot
Trigger SMB client auth to attacker server; relay captured NTLM hash to internal service without SMB signing.
Objective
Domain user privilege escalation; SAP / ERP access.

#2 · Path D: Ransomware via credential compromise

effort: days · detect: low (bad)
Entry
Weak Drupal admin or credential reuse; password spray on SSH/RDP if exposed.
Pivot
Reverse shell; ransomware deployment; encrypt NAS/backup.
Objective
Production shutdown — 2022 Oil India incident demanded ₹57 crore.

Mythos compression

Discovery-time compression: pre-AI adversary vs Mythos-class adversary, per attack path.

Path A · Citrix NetScaler pre-auth RCE (CVE-2025-7775)
factor: ~8–15× (NetScaler is APT priority target; 2022 Oil India lateral movement was via VPN appliance)
pre-AI
NetScaler appliance compromise → firewall/VPN reconfiguration
Mythos
Network chokepoint compromise; perimeter eliminated; if VPN to remote drilling platforms, attacker pivots to OT control

Path B · Drupal object injection → RCE (CVE-2024-55637)
factor: ~3–4×
pre-AI
Drupal RCE → app-level execution → DB dump
Mythos
Web layer contained unless monolithic; intelligence leakage + supply-chain visibility

The compression factor is reasoned, not measured. Mythos-class capability changes the tempo of attack-path traversal; the topology of the chain is unchanged.

CISO patch list

Tier 1 · within 7 days

  • critical

    Citrix NetScaler ADC/Gateway upgrade to 14.1.47.48+

    Host
    www.oil-india.com (NetScaler gateway)
    CVE
    CVE-2025-7775
    Fix
    NetScaler System → Diagnostics → System Information → NS Version. Upgrade to 14.1-47.48+ minimum. Backup config first. Post-upgrade test VPN clients.
    Owner
    OIL Network Ops / NetScaler Admin
    Validation
    show ns version in NetScaler CLI returns ≥ 14.1-47.48
  • critical

    Drupal core upgrade for CVE-2024-55637

    Host
    www.oil-india.com
    CVE
    CVE-2024-55637
    Fix
    drush status to identify version. Upgrade to 10.2.11+ / 10.3.9+ / 11.0.8+. composer require drupal/core:^10.2.11. drush cache:rebuild.
    Owner
    OIL Web Ops / Drupal Admin
    Validation
    drush eval 'echo Drupal::VERSION' confirms patched version
  • high

    Enable SMB signing portfolio-wide (CVE-2025-33073 mitigation)

    Host
    Internal Windows AD
    CVE
    CVE-2025-33073
    Fix
    Group Policy: 'Microsoft network client: Digitally sign communications (if server agrees)' → Required. gpupdate /force. Get-SmbClientConfiguration | Select RequireSecuritySignature.
    Owner
    OIL AD / Windows Admin
    Validation
    PowerShell shows RequireSecuritySignature=True

Tier 2 · within 30 days

  • high

    Audit Drupal contrib modules for unserialize() usage

    Host
    www.oil-india.com
    CVE
    CVE-2024-55637
    Fix
    drush pm:uninstall non-essential contrib modules. grep -r 'unserialize' modules/custom/ — refactor to JSON.
    Owner
    OIL Web Ops / Code Review
    Validation
    grep returns 0; only trusted modules enabled
  • high

    TLS renewal — GeoTrust G1 expires Nov 2026

    Host
    www.oil-india.com
    Fix
    Schedule renewal 60 days before expiry (early September 2026). Procure DigiCert or equivalent.
    Owner
    OIL IT / TLS Admin
    Validation
    openssl s_client -connect www.oil-india.com:443 </dev/null | openssl x509 -noout -dates shows notAfter > 2027

Methodology is reproducible by any visitor with curl, dig, and openssl. Phase 1 (passive) findings are unconditional; Phase 2 (active) findings require per-entity ethical-hacking authorisation.

Sibling: Sanjaya — fuel pricing transparency on the same Ministry portfolio. Sanjaya narrates; Sanket warns.