HIGH · education

Rajiv Gandhi Institute of Petroleum Technology

Wildcard cert expires 2026-05-09 (12 days); DMARC absent

rgipt.ac.in · baseline scan 2026-04-27 · daily passive check 2026-06-13 · Phase 2 active scan 2026-04-28

Daily passive check · 2026-06-13

score 28

Availability · HTTP 200

TLS · expires 2026-11-22 · 162d

Headers · 3 missing · 0 permissive

Email auth · SPF soft · DMARC absent

Security score · 42 · Critical

Headline findings

  • 01 · Wildcard cert expires 2026-05-09 — 11 days remaining
  • 02 · DMARC absent
  • 03 · Missing CSP, Referrer-Policy and Permissions-Policy
  • 04 · Soft-fail SPF (~all)

Urgent · time-bound actions

  • 35d overdue · Rotate wildcard *.rgipt.ac.in cert · due 2026-05-09
  • 13d overdue · Add DMARC record (start with p=none for reporting, then tighten) · due 2026-05-31

TLS security

pass

Issuer
Sectigo Limited
Expires
2026-11-22 (162d)

Email authentication

SPF
soft
DKIM
unknown
DMARC
absent

Hardening headers

3 / 0 / 3 · present / permissive / missing

  • HSTS · present
  • CSP · missing
  • X-Frame · present
  • X-Content-Type · present
  • Referrer-Policy · missing
  • Permissions-Policy · missing

Lookalike domains

  • rgipt.co.in · 3.33.130.143 (AWS, third-party)

Public topology · CT logs

6 total · 1 sensitive

rgipt.ac.in
Portals
  • admissions.rgipt.ac.in
Applications
  • moodle.rgipt.ac.in

Certificate-transparency logs are immutable and public, and every publicly trusted CA logs what it issues, so hostnames that appear here should be treated as known to any attacker. Sensitive subdomains advertised here cannot be retracted; the mitigation is forward-only: new internal services get certificates from a private CA that does not submit to public CT, which in turn means only clients with that private root installed will trust them.

Phase 2 · Active scan complete

Authorised ethical-hacking assessment ran on 2026-04-28. Active fingerprinting, CVE matching, Mythos-class adversary simulation, and CISO patch list below.

Single-question version for MD

RGIPT has 11 days until its wildcard cert expires (blocking all student portals during admission season), a Moodle instance that is vulnerable to CVE-2024-43425 RCE if it runs an unpatched version, no DMARC record and only a soft-fail SPF. Is the cert renewal under way and Moodle patched, or are portal outages imminent?

Active fingerprints · per host

  • rgipt.ac.in · EOL × 3

    Custom 'My httpd server' (obfuscated Apache) + ASP.NET backend

    • IMMINENT wildcard expiry — blocks all student portals
    • DMARC absent
    • Soft SPF (~all)
  • moodle.rgipt.ac.in / admissions.rgipt.ac.in / academics.rgipt.ac.in · EOL × 1

    Moodle LMS / admissions portal / grade portal

    • If Moodle 4.4.0–4.4.1 / 4.3.0–4.3.5 / 4.2.0–4.2.8 / 4.1.0–4.1.11 or an older unsupported branch: CVE-2024-43425 RCE applies (the fingerprint did not establish the exact release)

Attack-path simulation

Mythos-class adversary analytical chain · paths ranked by exploitability × access value.

#1 · Path A: Wildcard cert expiry (11 days) → student-portal downtime
effort not stated · detect high (good)
Entry · Wildcard *.rgipt.ac.in expires 2026-05-09; from that moment every subdomain it covers fails TLS validation.
Pivot · rgipt.ac.in sends HSTS (whether it carries includeSubDomains is not recorded here). On hosts covered by a cached HSTS policy, browsers refuse to let users click past the certificate error, so expiry there is a hard outage rather than a MITM window. On any host without such a policy, users trained to click through the warning will accept whatever certificate an on-path attacker presents, and admissions traffic mid-cycle is the obvious target.
Objective · Credential interception; trust erosion; admissions disruption.
#1 · Path B: Moodle CVE-2024-43425 RCE (calculated questions)
effort days · detect medium
Entry · Moodle 4.4.0–4.4.1 / 4.3.0–4.3.5 / 4.2.0–4.2.8 / 4.1.0–4.1.11 / older unsupported branches: the calculated question type evaluates the question's answer formula server-side with insufficient sanitisation, so a crafted formula runs arbitrary code (CVSS 7.5, authenticated).
Pivot · A user with question-authoring rights (by default an editing teacher or higher, not every student account) saves a calculated question carrying the payload; it executes as the web-server user on the Moodle host.
Objective · Student data exfiltration; grade tampering; lateral move.
#2 · Path C: Admissions portal CSRF / IDOR
effort hours · detect medium
Entry · No CSP on the portal. CSRF is live only if state-changing requests carry no anti-forgery token (not tested here, hence the conditional); CSP does not itself prevent CSRF, its absence matters because any XSS on the portal would run unrestricted.
Pivot · CSRF request modifies application status; IDOR exposes other applicants' data.
Objective · Application manipulation; data theft.
#2 · Path D: Soft SPF + absent DMARC → student-targeted phishing
effort hours · detect low (bad)
Entry · SPF ~all soft-fail; no DMARC, so receiving mail servers have no instruction to quarantine or reject forged @rgipt.ac.in mail that fails alignment.
Pivot · Forged @rgipt.ac.in to students with phishing link (fake grade portal, registration deadline).
Objective · Credential harvest; admissions-cycle exploitation.
#3 · Path E: Academics portal IDOR / broken access control
effort days · detect medium
Entry · academics.rgipt.ac.in is the grade/transcript portal; this path applies only if SQLi or IDOR is present, which the scan did not confirm.
Pivot · Access other students' grades; modify transcripts.
Objective · Academic fraud; institutional integrity loss.

Mythos compression

Discovery-time compression: pre-AI adversary vs Mythos-class adversary, per attack path.

Path A · Wildcard cert expiry (11 days) → student-portal downtime · factor ~8–12×
pre-AI · Cert-expiry MITM during 11-day downtime + admission cycle
Mythos · AI-augmented attacker pre-stages a rogue (untrusted, click-through-dependent) cert for the admissions subdomain and times exploitation to the admission deadline
Path B · Moodle CVE-2024-43425 RCE (calculated questions) · factor ~3–5×
pre-AI · Moodle RCE via calculated questions
Mythos · AI-augmented attacker scans for vulnerable Moodle versions sector-wide; RGIPT picked because a public institution has predictable patch lag

The compression factor is reasoned, not measured. Mythos-class capability changes the tempo of attack-path traversal; the topology of the chain is unchanged.

CISO patch list

Tier 1 · within 7 days

  • critical

    EMERGENCY: Rotate wildcard *.rgipt.ac.in cert before 2026-05-09

    Host
    *.rgipt.ac.in
    Fix
    Order the replacement wildcard cert immediately (target install 2026-05-07) and deploy it to every host that serves the wildcard, not only the main site. Keep the current cert and config on hand so a failed install can be rolled back. Put renewal under automation with expiry alerting so this is the last manual rotation.
    Owner
    RGIPT TLS Admin
    Validation
    For each subdomain, openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null | openssl x509 -noout -enddate shows a notAfter later than 2026-05-15
  • critical

    Patch / upgrade Moodle to 4.4.2+ / 4.3.6+ / 4.2.9+ / 4.1.12+

    Host
    moodle.rgipt.ac.in
    CVE
    CVE-2024-43425
    Fix
    Identify the current Moodle release ($release in version.php, or Site administration → Notifications). Apply the security patch, or upgrade to a supported LTS branch if the current one is past end of life. Test course authoring, calculated questions and assessments after the patch.
    Owner
    RGIPT Moodle Admin
    Validation
    Site administration shows a release at or above 4.4.2 / 4.3.6 / 4.2.9 / 4.1.12 for its branch
  • critical

    Publish DMARC + harden SPF

    Host
    rgipt.ac.in (email)
    Fix
    SPF ~all → -all only after every legitimate sender (campus MTA and any SaaS that sends as @rgipt.ac.in) is in the record; a hard fail with a gap drops real mail. DKIM is 'unknown' in the passive check, so confirm signing and alignment for each sender first. Publish DMARC at monitoring strength to collect reports: 'v=DMARC1; p=none; rua=mailto:dmarc@rgipt.ac.in; fo=1'. Move to p=quarantine once about 2 weeks of reports show all legitimate mail aligned, then to p=reject.
    Owner
    RGIPT IT / Email Security
    Validation
    dig +short TXT _dmarc.rgipt.ac.in returns a record beginning v=DMARC1 with the intended p= value; dig +short TXT rgipt.ac.in shows the SPF record ending in -all
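The Moodle item above is conditional on the installed release. The script below is an added example for this report, not Moodle's or Sanket's code: it reads the $release string from a Moodle version.php (the same value the admin page shows) and reports whether CVE-2024-43425 applies, using the fixed versions from the patch list (4.4.2 / 4.3.6 / 4.2.9 / 4.1.12). The version.php fragment is constructed for the example and is not RGIPT's file; the treatment of branches newer than 4.4 as not affected and branches older than 4.1 as unsupported is an assumption stated in the comments.

```shell
#!/bin/sh
# Added example, not Moodle's or Sanket's code. Classifies a Moodle release
# against CVE-2024-43425 using the fixed versions from the patch list:
# 4.4.2 / 4.3.6 / 4.2.9 / 4.1.12. Assumptions: branches newer than 4.4
# shipped after the fix (not-affected); branches older than 4.1 receive no
# fix (unsupported, treat as vulnerable).

# moodle_release < version.php -> e.g. "4.4.1 (Build: 20240712)"
moodle_release() {
    sed -n "s/^\$release *= *'\([^']*\)'.*/\1/p" | head -n 1
}

# cve_2024_43425_status RELEASE -> vulnerable | patched | not-affected | unsupported
cve_2024_43425_status() {
    rel=${1%% *}                    # drop "(Build: ...)"
    rel=${rel%+}                    # weekly builds carry a trailing "+"
    maj=${rel%%.*}
    rest=${rel#*.}
    min=${rest%%.*}
    pat=${rest#*.}
    [ "$pat" = "$rest" ] && pat=0   # "4.5" has no patch component
    case "$maj.$min" in
        4.4) fix=2;;
        4.3) fix=6;;
        4.2) fix=9;;
        4.1) fix=12;;
        *)
            if [ "$maj" -gt 4 ] || { [ "$maj" -eq 4 ] && [ "$min" -ge 5 ]; }; then
                echo not-affected
            else
                echo unsupported
            fi
            return 0;;
    esac
    if [ "$pat" -ge "$fix" ]; then echo patched; else echo vulnerable; fi
}

# check_version_php PATH -> "RELEASE -> STATUS" for a real version.php on disk
check_version_php() {
    r=$(moodle_release < "$1")
    [ -n "$r" ] || { echo "no \$release line found in $1" >&2; return 1; }
    echo "$r -> $(cve_2024_43425_status "$r")"
}

# Constructed version.php fragment in Moodle's format (not RGIPT's file).
SAMPLE_VERSION_PHP=$(cat <<'EOF'
<?php
defined('MOODLE_INTERNAL') || die();
$version  = 2024042201.01;
$release  = '4.4.1 (Build: 20240712)';
$branch   = '404';
$maturity = MATURITY_STABLE;
EOF
)

# sample_status -> what the constructed fragment yields
sample_status() {
    r=$(printf '%s\n' "$SAMPLE_VERSION_PHP" | moodle_release)
    echo "$r -> $(cve_2024_43425_status "$r")"
}

sample_status
# On the Moodle host: MOODLE_VERSION_PHP=/path/to/moodle/version.php sh thisfile.sh
if [ -n "${MOODLE_VERSION_PHP:-}" ]; then check_version_php "$MOODLE_VERSION_PHP"; fi
```

Run it on the Moodle host with MOODLE_VERSION_PHP pointing at the installation's version.php (the path depends on the install; /var/www/moodle/version.php is a common but assumed location). A "vulnerable" result for a branch the scan lists means the Tier 1 patch is still open.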

Tier 2 · within 30 days

  • high

    Add CSP header + CSRF token validation on admissions portal

    Host
    admissions.rgipt.ac.in
    Fix
    Add a nonce-based CSP; roll it out as Content-Security-Policy-Report-Only first to catch breakage, then enforce. CSP does not stop CSRF on its own: add server-side anti-forgery tokens checked on every state-changing request, and set SameSite on the session cookie.
    Owner
    RGIPT Web Ops
    Validation
    curl -sI https://admissions.rgipt.ac.in/ shows a Content-Security-Policy header; a cross-origin state-changing request without the token is rejected
  • high

    Access control audit on academics portal (IDOR prevention)

    Host
    academics.rgipt.ac.in
    Fix
    Audit all endpoints for direct object references; require authorisation check on every request.
    Owner
    RGIPT App Dev
    Validation
    Test student-A token cannot access student-B grades
  • high

    Moodle security hardening + role-based access

    Host
    moodle.rgipt.ac.in
    Fix
    Disable unused plugins. Restrict question authoring to verified instructors. Audit role permissions.
    Owner
    RGIPT Moodle Admin
    Validation
    Plugin list reviewed; role permissions documented

Tier 3 · within 90 days

  • medium

    Subdomain monitoring + CT log alerts

    Host
    *.rgipt.ac.in
    Fix
    Subscribe to Cert Spotter or Censys CT monitoring on rgipt.ac.in and alert on any certificate for *.rgipt.ac.in not issued by the expected CA.
    Owner
    RGIPT Infrastructure
    Validation
    CT alerts configured; test fires on new cert issuance
  • medium

    Email security training for faculty + students

    Host
    rgipt.ac.in users
    Fix
    Annual phishing-awareness training. Quarterly simulated phishing.
    Owner
    RGIPT IT / HR
    Validation
    Training completion records; simulation click-rate trend
  • medium

    Penetration testing + vulnerability scanning

    Host
    rgipt.ac.in
    Fix
    Quarterly pen-test by external firm. Continuous Nessus / OWASP ZAP scanning.
    Owner
    RGIPT Security
    Validation
    Quarterly report on file; remediation tracking

Methodology is reproducible by any visitor with curl, dig, and openssl. Phase 1 (passive) findings are unconditional; Phase 2 (active) findings require per-entity ethical-hacking authorisation.
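The Phase 1 checks as a script, added here as an example and not Sanket's own scanner code. Each check is a pure POSIX sh function so it can be exercised on constructed input offline: certificate days remaining from the exact output of openssl x509 -enddate (integer date arithmetic, no GNU date), SPF terminal-mechanism class, DMARC policy, and the present/permissive/missing header grade. The sample headers are constructed to match this page's 3/0/3 finding; the "permissive" rules are an assumption about how such a scanner grades values, not its real scoring model. Setting SANKET_HOST runs the same functions against a live host with the standard openssl, dig and curl invocations.

```shell
#!/bin/sh
# Added example for this report (not Sanket's scanner): the three Phase 1
# checks as POSIX sh functions. Sample inputs are constructed; the
# "permissive" header rules are assumed, not the scanner's model.

# jdn Y M D -> Julian day number, integer arithmetic only (no GNU date needed)
jdn() {
    a=$(( (14 - $2) / 12 ))
    yy=$(( $1 + 4800 - a ))
    mm=$(( $2 + 12 * a - 3 ))
    echo $(( $3 + (153 * mm + 2) / 5 + 365 * yy + yy / 4 - yy / 100 + yy / 400 - 32045 ))
}

month_num() {
    case "$1" in
        Jan) echo 1;; Feb) echo 2;;  Mar) echo 3;;  Apr) echo 4;;
        May) echo 5;; Jun) echo 6;;  Jul) echo 7;;  Aug) echo 8;;
        Sep) echo 9;; Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
        *) return 1;;
    esac
}

# days_left NOTAFTER YYYY-MM-DD -> whole days from the reference date to expiry.
# NOTAFTER is exactly what `openssl x509 -noout -enddate` prints, e.g.
# "notAfter=Nov 22 00:00:00 2026 GMT". A negative result means already expired.
days_left() {
    ref=$2
    ry=${ref%%-*}; rest=${ref#*-}; rm=${rest%%-*}; rd=${rest#*-}
    rm=${rm#0}; rd=${rd#0}                 # "08" would be read as octal
    set -- ${1#notAfter=}                  # Mon DD HH:MM:SS YYYY TZ
    mon=$(month_num "$1") || return 1
    echo $(( $(jdn "$4" "$mon" "$2") - $(jdn "$ry" "$rm" "$rd") ))
}

# spf_mode RECORD -> none | hard | soft | neutral | pass-all | no-all
spf_mode() {
    [ -z "$1" ] && { echo none; return 0; }
    case "${1##* }" in
        -all)     echo hard;;
        '~all')   echo soft;;
        '?all')   echo neutral;;
        +all|all) echo pass-all;;
        *)        echo no-all;;
    esac
}

# dmarc_policy RECORD -> absent | invalid | none | quarantine | reject
dmarc_policy() {
    [ -z "$1" ] && { echo absent; return 0; }
    case "$1" in v=DMARC1*) ;; *) echo invalid; return 0;; esac
    p=$(printf '%s\n' "$1" | tr -d ' ' | tr ';' '\n' | sed -n 's/^p=//p' | head -n 1)
    case "$p" in none|quarantine|reject) echo "$p";; *) echo invalid;; esac
}

# header_value NAME DUMP -> first value of NAME in a `curl -sI` dump (empty if absent)
header_value() {
    printf '%s\n' "$2" | tr -d '\r' | grep -i "^$1:" | head -n 1 | cut -d: -f2- | sed 's/^ *//'
}

# header_status NAME DUMP -> missing | permissive | present
# Assumed "permissive" rules: CSP allowing unsafe-inline or a wildcard
# default-src, X-Frame-Options ALLOW-FROM, Referrer-Policy unsafe-url.
header_status() {
    v=$(header_value "$1" "$2")
    [ -z "$v" ] && { echo missing; return 0; }
    case "$1:$v" in
        Content-Security-Policy:*unsafe-inline*|Content-Security-Policy:*"default-src *"*) echo permissive;;
        X-Frame-Options:[Aa][Ll][Ll][Oo][Ww]*) echo permissive;;
        Referrer-Policy:*unsafe-url*) echo permissive;;
        *) echo present;;
    esac
}

# header_summary DUMP -> "present/permissive/missing" counts over the six headers the page grades
header_summary() {
    p=0; x=0; m=0
    for h in Strict-Transport-Security Content-Security-Policy X-Frame-Options \
             X-Content-Type-Options Referrer-Policy Permissions-Policy; do
        case "$(header_status "$h" "$1")" in
            present) p=$((p + 1));; permissive) x=$((x + 1));; missing) m=$((m + 1));;
        esac
    done
    echo "$p/$x/$m"
}

# Constructed response headers matching this page's 3/0/3 finding.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: My httpd server
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8'

# live_check HOST -> the same checks against a real host (needs network)
live_check() {
    na=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
         | openssl x509 -noout -enddate)
    echo "TLS      $(days_left "$na" "$(date -u +%Y-%m-%d)")d left ($na)"
    echo "SPF      $(spf_mode "$(dig +short TXT "$1" | tr -d '"' | grep '^v=spf1' || true)")"
    echo "DMARC    $(dmarc_policy "$(dig +short TXT "_dmarc.$1" | tr -d '"' | head -n 1)")"
    echo "Headers  $(header_summary "$(curl -sI "https://$1/")") present/permissive/missing"
}

echo "sample headers: $(header_summary "$SAMPLE_HEADERS") present/permissive/missing"
echo "sample cert:    $(days_left 'notAfter=Nov 22 00:00:00 2026 GMT' 2026-06-13) days left as of 2026-06-13"
if [ -n "${SANKET_HOST:-}" ]; then live_check "$SANKET_HOST"; fi
```

Against the dates on this page the arithmetic reproduces the dashboard: 162 days from the 2026-06-13 check to the 2026-11-22 expiry, 12 days from the 2026-04-27 baseline to 2026-05-09, and the overdue counts of 35 and 13 days for the two time-bound actions. Note that days_left ignores the time of day, so a certificate expiring later today still reports 0.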

Sibling: Sanjaya — fuel pricing transparency on the same Ministry portfolio. Sanjaya narrates; Sanket warns.