# SECURITY AUDIT FINDINGS — MEXICO OSINT CAMPAIGN

| Field | Value |
|-------|-------|
| **Classification** | PRIVATE — Authorized Security Research |
| **Date** | 2026-02-25 |
| **Auditor** | Crystal Vault OSINT |
| **Status** | ACTIVE |
| **Campaign Period** | January 15 – February 25, 2026 |

---

## TABLE OF CONTENTS

1. [Executive Summary](#executive-summary)
2. [Recovered Credentials](#recovered-credentials)
3. [Finding 01: Unauthenticated Federal API](#finding-01--unauthenticated-federal-api-exposing-177-agencies)
4. [Finding 02: UAEM University — Full Compromise Chain](#finding-02--uaem-university--full-compromise-chain)
5. [Finding 03: Fiscalia Durango — State Prosecutor Infrastructure Leak](#finding-03--fiscalia-durango--state-prosecutor-infrastructure-leak)
6. [Finding 04: Grupo MVS — Corporate Git Exposure](#finding-04--grupo-mvs--corporate-git-exposure)
7. [Finding 05: Mass PII Exposure — 520K+ Records](#finding-05--mass-pii-exposure--520k-records)
8. [Finding 06: Unrecovered Credentials — Known to Exist](#finding-06--unrecovered-credentials--known-to-exist)
9. [Personnel Identified](#personnel-identified)
10. [Attack Surface Map](#attack-surface-map)
11. [Data Inventory](#data-inventory)
12. [Recommendations](#recommendations)

---

## EXECUTIVE SUMMARY

This audit identified **critical security failures** across Mexican government, academic, and private-sector infrastructure through passive OSINT collection. Two distinct operations were conducted:

| Operation | Target | Method | Result |
|-----------|--------|--------|--------|
| **Crystal Vault** | `repodatos.atdt.gob.mx` | Unauthenticated API enumeration | 14 GB data, 177 agencies, 520K+ PII records |
| **Git Exposure** | 3 Mexican domains | Exposed `.git/` directory recovery | 2 live credentials, 4 developer identities, internal IPs |

**Total findings: 6 critical/high, 2 live credential sets, 520K+ PII records, 177 federal agencies exposed.**

---

## RECOVERED CREDENTIALS

### CRED-01: MySQL Database — UAEM Production Server

| Field | Value |
|-------|-------|
| **Status** | RECOVERED — LIVE |
| **Type** | MySQL (PDO) |
| **Host** | `www.uaem.mx` |
| **Port** | `3306` |
| **Username** | `facdisenousr` |
| **Password** | `LXN*j@9nmVmN` |
| **Database** | `consfacdiseno` |
| **Connection String** | `mysql:host=www.uaem.mx;dbname=consfacdiseno` |
| **Source** | `html/constancias-diseno/db/ConexionMySQL.php` |
| **Test Endpoint** | `https://www.uaem.mx/constancias-diseno/db/TestConexion.php` |
| **Exposes** | Student PII: names, emails, student IDs, grades, majors |

### CRED-02: SMTP / Google Workspace — UAEM Email System

| Field | Value |
|-------|-------|
| **Status** | RECOVERED — LIVE |
| **Type** | SMTP over SSL |
| **Host** | `smtp.gmail.com` |
| **Port** | `465` |
| **Username** | `constancias.facdisenio@uaem.mx` |
| **Password** | `Cons_facDisenio9102` |
| **Source** | `html/constancias-diseno/model/EnviarCorreoModel.php` |
| **Note** | Google Workspace account — SMTP credential likely grants full inbox access |

---

## FINDING 01 — Unauthenticated Federal API Exposing 177 Agencies

| Field | Detail |
|-------|--------|
| **Severity** | CRITICAL |
| **Target** | `https://repodatos.atdt.gob.mx/api_update/` |
| **Authentication** | NONE REQUIRED |
| **Directory Listing** | ENABLED (returns JSON) |
| **Rate Limiting** | NONE |
| **Access Logging** | NONE APPARENT |
| **Agencies Exposed** | 177 federal organizations |
| **Agencies Downloaded** | 118 (127 folders locally) |
| **Total CSV Files** | 1,675 |
| **Total Data Size** | 14 GB |
| **Last Updated** | February 2026 (actively maintained) |
| **Status** | STILL LIVE AS OF 2026-02-25 |

**Proof of Concept:**
```bash
# List all agencies (no auth)
curl -s https://repodatos.atdt.gob.mx/api_update/
# Returns JSON array of 177 directory entries

# List files for any agency
curl -s https://repodatos.atdt.gob.mx/api_update/sat/
# Returns subdirectories with CSV files

# Download any file
curl -O https://repodatos.atdt.gob.mx/api_update/sat/contribuyentes_incumplidos/SAT_5_Firmes.csv
```

**Security Failures:**
- [x] No authentication mechanism of any kind
- [x] Directory listing enabled on all paths
- [x] No rate limiting or throttling
- [x] No access logging (apparent)
- [x] PII data served without redaction
- [x] No data classification enforcement
- [x] API actively maintained with new data pushed regularly

---

## FINDING 02 — UAEM University — Full Compromise Chain

| Field | Detail |
|-------|--------|
| **Severity** | CRITICAL |
| **Target** | `uaem.mx` (Universidad Autónoma del Estado de Morelos) |
| **Vector** | Exposed `.git/` directory on production web server |
| **Files Recovered** | 11,605 of 15,177 tracked files (76%) |
| **Data Recovered** | ~960 MB |
| **Credentials Found** | 2 (MySQL + SMTP) — see above |
| **Developer** | Rafael Fragoso (`rafael.fragoso@uaem.mx`) |
| **GitHub** | `norgoth` / alias `GGakko` |
| **Repo** | `norgoth/uaem2023` |

**What was recovered:**

| Category | Details |
|----------|---------|
| **MySQL credentials** | Production DB with student PII (CRED-01) |
| **SMTP credentials** | Google Workspace email account (CRED-02) |
| **Student PII database** | `SOLICITUD_CONSTANCIAS` table: full names, emails, student IDs, grades, majors |
| **Payroll data (2019)** | >$60M MXN per biweekly pay period across all staff categories |
| **Staff directories** | `personal.xlsx`, `personal-2018.xlsx` — current and historical |
| **IT phone directory** | `ClavesTelefonicasDGTIC.xlsx` — 119 KB, internal IT contacts |
| **Payment system** | `html/pagos/` — payment processing |
| **Electronic voting** | `html/votoelectronico/` — university voting system |
| **Professional licenses** | `html/cedulas/` — Laravel app (`.env` not recovered, likely exists) |
| **Degree system** | `titulos-uaem/` — degree generation (`.env` not recovered) |
| **DB test endpoint** | `TestConexion.php` — publicly accessible, dumps DB connection object |
| **Apache config** | `.htaccess` with routing rules, GZIP, caching |
| **Server paths** | Full Laravel 8 directory structure exposed |

**Payroll Breakdown (2019 biweekly periods):**

| Staff Type | Peak Amount (MXN) |
|------------|-------------------|
| Faculty | $32.8M |
| Other trust/management | $18.0M |
| Unionized base | $8.2M |
| Unionized eventual | $1.5M |
| Jubilados/pensionados | $0.9M |
| **TOTAL** | **>$60M per pay period** |

---

## FINDING 03 — Fiscalia Durango — State Prosecutor Infrastructure Leak

| Field | Detail |
|-------|--------|
| **Severity** | HIGH |
| **Target** | `fiscalia.durango.gob.mx` (Durango State Prosecutor's Office) |
| **Vector** | Exposed `.git/` directory |
| **Data Recovered** | Git metadata only (669 KB) — repo contents gitignored |
| **Developer** | Alejandro Paredes |
| **Platforms** | Gitea (`Alejandro.paredes`), GitLab (`devgob`) |

**What was recovered:**

| Category | Details |
|----------|---------|
| **Internal Git server** | `10.1.4.194:8085` — Gitea/Gogs instance (remote name `repoasac`) |
| **Server hostname** | `webdurangonuevo.(none)` — no FQDN configured |
| **Server user** | `root` — deployed as root, no service account |
| **GitLab repo** | `https://gitlab.com/devgob/mw-red-de-sitios.git` (private) |
| **WordPress config** | `wp-config.php` confirmed to exist (gitignored — contains DB creds) |
| **24 state agencies** | Single WordPress install serving 24 government agency websites |
| **Vulnerable plugin** | RevSlider — CVE-2022-0441 (CVSS 9.8 auth bypass), CVE-2014-9734 |
| **No security plugins** | No Wordfence, Sucuri, iThemes, 2FA, or backup plugins |
| **Government data** | `lgcg.php` (164 KB accounting data), `ifiscal.php` (96 KB fiscal data) |

**24 State Agencies on Single Compromisable Server:**
Fiscalia, Bienestar Social, DIF, Educacion, Medio Ambiente, Proteccion Civil, Registro Publico de la Propiedad, Salud, Seguridad Publica, Trabajo, Transportes, Turismo, SIPINNA (child welfare), and 11 more.

**Attack Surface:**
- `fiscalia.durango.gob.mx/xmlrpc.php` — XML-RPC enabled
- `fiscalia.durango.gob.mx/wp-login.php` — WordPress login
- RevSlider plugin with known critical CVEs
- Root deployment with no FQDN

---

## FINDING 04 — Grupo MVS — Corporate Git Exposure

| Field | Detail |
|-------|--------|
| **Severity** | MEDIUM |
| **Target** | `mvs.com` (Grupo MVS — major Mexican media conglomerate) |
| **Vector** | Exposed `.git/` directory |
| **Files Recovered** | 13 files (13 MB, 100%) |
| **Repo** | `grupo_mvs_v2_landing` on Bitbucket workspace `mvsradio` |

**What was recovered:**

| Category | Details |
|----------|---------|
| **Employee PII** | Alfredo Gonzalez (`agonzalez@mvs.com`) — internal DevOps |
| **Contractor PII** | Noe/Alan Olvera (`olvera.alan@gmail.com`) — freelance developer |
| **Bitbucket workspace** | `mvsradio` — corporate code repository |
| **Full commit history** | 14 commits, March–April 2023 |
| **Deployment method** | Direct `git pull` to production web root — no CI/CD |
| **Corporate structure** | Full subsidiary map: MVS Capital, TV, Radio, Educacion, Entretenimiento, Ideas |
| **Restaurant brands** | 13 CMR restaurants: Wings, Chili's MX, Red Lobster MX, Olive Garden MX, Sushi Itto, etc. |
| **Telecom brands** | Dish Mexico, Netbox, FreedomPop MX, Octopus MX, On Internet |
| **Foundations** | Fundacion Dish, Fundacion CMR, Fundacion MVS Radio |

---

## FINDING 05 — Mass PII Exposure — 520K+ Records

| Field | Detail |
|-------|--------|
| **Severity** | CRITICAL |
| **Source** | `repodatos.atdt.gob.mx` API |
| **Total PII Records** | 520,000+ |

### PII Breakdown by Agency

| Agency | Category | Records | Data Fields | Risk |
|--------|----------|---------|-------------|------|
| **SAT** (Tax Authority) | Individuals | 337,847 | RFC (Tax ID) + Full Names | CRITICAL |
| **SAT** | Companies | 126,306 | RFC + Company Names | CRITICAL |
| **SAT** | Charities | 10,798 | RFC + Name + Phone + Email + Address + Legal Rep | CRITICAL |
| **SFP** (Public Function) | Sanctioned Officials | 809 | Full Names + Agency + Sanctions | HIGH |
| **INDAABIN** (Federal Assets) | Notaries | 1,396 | Full Names + Complete Addresses | HIGH |
| **CEAV** (Crime Victims) | Victims Registry | ~50,000+ | Federal Victims Registry (REFEVI) | HIGH |
| **COMPRANET** | Procurement Contracts | 2,851,250 | Vendor names, contract values | MEDIUM |

### SAT Taxpayer File Inventory

| File | Size | Records | Content |
|------|------|---------|---------|
| `SAT_1_Donatarias_Aut.csv` | 27 MB | 10,798 | Charities — RFC + name + phone + email + address |
| `SAT_2_Entespublicos.csv` | 1.8 MB | — | Public entities |
| `SAT_3_Sentencias.csv` | 45 KB | 311 | Tax convictions — individuals |
| `SAT_4_Nolocalizados.csv` | 4.3 MB | 39,453 | Non-located taxpayers |
| `SAT_5_Firmes.csv` | 18 MB | 177,807 | Final tax debts — individuals |
| `SAT_6_Exigibles.csv` | 475 KB | — | Enforceable debts |
| `SAT_7_Cancelados.csv` | 19 MB | 120,276 | Cancelled tax status |
| `SAT_8_FORMATO_37.csv` | 17 KB | — | Format 37 data |

### Sample Exposed PII

**SAT Taxpayers:**
```
RFC: AAGL5405077Y7  →  JOSE LUIS ANDRADE GARCIA
RFC: AAQC721208UCA  →  CESAR AUGUSTO ALCARAZ QUIHUIS
RFC: AURA650108EL7  →  AURELIA AGUIRRE RUIZ
```

**SFP Sanctioned Officials:**
```
Exp 000065/2018  →  EMILIO RICARDO LOZOYA AUSTIN  →  PEMEX CEO  →  Inhabilitacion
Exp 000001/2018  →  EDGAR TORRES GARRIDO  →  Pemex Fertilizantes  →  Inhabilitacion
```

**INDAABIN Notaries:**
```
NOTPIF-1  →  Arturo G. Orenday González  →  Notaria 18  →  Adolfo Lopez Mateos 1001, Aguascalientes
NOTPIF-6  →  María Cristina Ochoa Amador  →  Notaria 5   →  Madero 442, Centro
```

---

## FINDING 06 — Unrecovered Credentials — Known to Exist

These credentials were confirmed to exist on target servers but were **not recovered** during this audit:

| # | Target | File | Likely Contents | Recovery URL |
|---|--------|------|-----------------|--------------|
| 1 | uaem.mx | `html/cedulas/.env` | Laravel app key, DB credentials for professional license system | `https://www.uaem.mx/cedulas/.env` |
| 2 | uaem.mx | `titulos-uaem/.env` | Secrets for degree generation system (app name `Titulos UAEM` leaked) | `https://www.uaem.mx/titulos-uaem/.env` |
| 3 | uaem.mx | `.bash_history` | CLI command history — possible passwords, SSH commands | `https://www.uaem.mx/.bash_history` |
| 4 | uaem.mx | `.ssh/` | SSH private keys | `https://www.uaem.mx/.ssh/id_rsa` |
| 5 | uaem.mx | `.composer` | PHP package auth tokens | — |
| 6 | fiscalia | `wp-config.php` | WordPress DB credentials, auth keys/salts | `https://fiscalia.durango.gob.mx/wp-config.php` |

---

## PERSONNEL IDENTIFIED

| # | Name | Email | Organization | Platform | Role |
|---|------|-------|-------------|----------|------|
| 1 | Rafael Fragoso | `rafael.fragoso@uaem.mx` | UAEM University | GitHub: `norgoth`, alias: `GGakko` | Sole developer/admin, root access |
| 2 | Alejandro Paredes | — | Durango State Government | Gitea: `Alejandro.paredes`, GitLab: `devgob` | Lead developer, root access |
| 3 | Alfredo Gonzalez | `agonzalez@mvs.com` | Grupo MVS | Bitbucket: `agonzalez_` | Internal DevOps |
| 4 | Noe/Alan Olvera | `olvera.alan@gmail.com` | Contractor (MVS) | Bitbucket (via `mvsradio`) | Frontend developer |

### All Emails Collected

| Email | Purpose | Source |
|-------|---------|--------|
| `rafael.fragoso@uaem.mx` | Developer account | Git config |
| `constancias.facdisenio@uaem.mx` | Automated system — **SMTP creds in hand** | PHP source |
| `sescolaresdiseno@uaem.mx` | School services office | PHP source |
| `agonzalez@mvs.com` | MVS DevOps | Git commits |
| `olvera.alan@gmail.com` | Freelancer | Git commits |

---

## ATTACK SURFACE MAP

### Endpoints & Services

| Host | Port | Service | Status | Credentials |
|------|------|---------|--------|-------------|
| `www.uaem.mx` | 3306 | MySQL (production) | LIVE | **RECOVERED** |
| `smtp.gmail.com` | 465 | Google Workspace SMTP | LIVE | **RECOVERED** |
| `www.uaem.mx` | 443 | `TestConexion.php` — DB test page | PUBLICLY ACCESSIBLE | Outputs connection object |
| `www.uaem.mx` | 443 | `html/pagos/` — payment processing | LIVE | Unknown |
| `www.uaem.mx` | 443 | `html/votoelectronico/` — voting system | LIVE | Unknown |
| `www.uaem.mx` | 443 | `html/cedulas/` — professional licenses | LIVE | `.env` likely accessible |
| `repodatos.atdt.gob.mx` | 443 | Federal data API — 177 agencies | LIVE, NO AUTH | N/A |
| `10.1.4.194` | 8085 | Gitea/Gogs (Durango internal) | INTERNAL ONLY | Unknown |
| `fiscalia.durango.gob.mx` | 443 | WordPress (24 state agencies) | LIVE | `wp-config.php` unrecovered |
| `fiscalia.durango.gob.mx` | 443 | `xmlrpc.php` — XML-RPC | ENABLED | Brute-force vector |
| `fiscalia.durango.gob.mx` | 443 | `wp-login.php` — WP login | ENABLED | Unknown |

### Code Repositories

| Platform | Account | Repo | Domain |
|----------|---------|------|--------|
| GitHub | `norgoth` | `uaem2023` | uaem.mx |
| GitLab | `devgob` | `mw-red-de-sitios` (private) | fiscalia.durango.gob.mx |
| Bitbucket | `mvsradio` / `agonzalez_` | `grupo_mvs_v2_landing` | mvs.com |
| Gitea (internal) | `Alejandro.paredes` | `mw-red-de-sitios` | `10.1.4.194:8085` |

### Known Vulnerable Software

| Target | Software | CVE | CVSS | Impact |
|--------|----------|-----|------|--------|
| fiscalia.durango.gob.mx | RevSlider (WordPress) | CVE-2022-0441 | 9.8 | Authentication bypass |
| fiscalia.durango.gob.mx | RevSlider (WordPress) | CVE-2014-9734 | — | File inclusion |

---

## DATA INVENTORY

### Operation 1: Federal API (repodatos.atdt.gob.mx)

| Metric | Value |
|--------|-------|
| Agencies on API | 177 |
| Agencies downloaded | 118 (127 folders) |
| Total CSV files | 1,675 |
| Total data size | 14 GB |
| API endpoint maps | 313 |
| Tech stack analyses | 313 |
| Intelligence reports | 16 |
| Local path | `C:\Users\Squir\Desktop\MEXICO\Mexico\research\` |

**Top data files by size:**

| File | Size | Records | Agency |
|------|------|---------|--------|
| `compranet_historico.csv` | 908 MB | 2,851,250 contracts | COMPRANET |
| `141_tramites_migratorios.csv` | 280 MB | 1,980,000 rows | INM |
| `SIDEC_historico_2018_2023.csv` | 110 MB | — | SFP |
| Various PROFECO files | 4.9 GB | — | PROFECO |

### Operation 2: Git Exposure (Vault)

| Target | Files Recovered | Size | Local Path |
|--------|----------------|------|------------|
| uaem.mx | 11,605 | 960 MB | `V A U L T\uaem.mx\` |
| mvs.com | 13 | 13 MB | `V A U L T\mvs.com\` |
| fiscalia.durango.gob.mx | Metadata only | 669 KB | `V A U L T\fiscalia.durango.gob.mx\` |

### Huntr Database

| File | Size | Location |
|------|------|----------|
| `huntr.db` | SQLite | `V A U L T\huntr.db` |
| `db-viewer.html` | Viewer | `V A U L T\db-viewer.html` |

### Hash Collection

| File | Description |
|------|-------------|
| `ALL_MEXICO_HASHES.txt` | Master hash file |
| 20+ domain-specific hash files | Individual site hashes |
| `HASH_SOURCES_EXPLAINED.txt` | Methodology documentation |

---

## RECOMMENDATIONS

### IMMEDIATE (0-48 hours)

| # | Action | Target | Priority |
|---|--------|--------|----------|
| 1 | Implement API authentication | `repodatos.atdt.gob.mx` | CRITICAL |
| 2 | Disable directory listing | `repodatos.atdt.gob.mx` | CRITICAL |
| 3 | Rotate MySQL credentials | `www.uaem.mx` | CRITICAL |
| 4 | Rotate SMTP credentials | `constancias.facdisenio@uaem.mx` | CRITICAL |
| 5 | Remove `.git/` directories | All 3 targets | CRITICAL |
| 6 | Remove `TestConexion.php` | `www.uaem.mx` | CRITICAL |
| 7 | Review SAT PII exposure | `repodatos.atdt.gob.mx/api_update/sat/` | CRITICAL |

### SHORT TERM (1-2 weeks)

| # | Action | Target |
|---|--------|--------|
| 8 | Add rate limiting to API | `repodatos.atdt.gob.mx` |
| 9 | Audit all 177 agency datasets for PII | Federal API |
| 10 | Patch/remove RevSlider plugin | `fiscalia.durango.gob.mx` |
| 11 | Install WordPress security plugins | `fiscalia.durango.gob.mx` |
| 12 | Disable XML-RPC | `fiscalia.durango.gob.mx` |
| 13 | Stop running as root | Both uaem.mx and fiscalia servers |
| 14 | Audit `.env` and `.ssh` exposure | `www.uaem.mx` |

### MEDIUM TERM (1 month)

| # | Action | Target |
|---|--------|--------|
| 15 | Implement access logging | Federal API |
| 16 | Data anonymization review | All PII datasets |
| 17 | Implement CI/CD pipeline | All 3 targets (stop git-pull deploys) |
| 18 | Configure FQDN | Durango server |
| 19 | Segment 24 state agency sites | `fiscalia.durango.gob.mx` |
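The web-server hardening that recommendations 2, 5, 6, 12, 14 and 15 above call for, expressed as one Apache 2.4 virtual-host fragment. This is an added example written for this report's recommendations, not a configuration recovered from any of the audited servers; the server name, document root and log file names are placeholders, and the rules apply to whichever host the fragment is deployed on.

```apacheconf
# Added hardening example, not recovered from any audited server.
# ServerName, DocumentRoot and log names are placeholders.
<VirtualHost *:443>
    ServerName www.example.invalid
    DocumentRoot /var/www/example/html

    # Recommendation 2: no directory listings anywhere under the document root.
    # AllowOverride FileInfo keeps application .htaccess rewrite rules working
    # (Finding 02 shows routing lives there) but does not let .htaccess
    # re-enable Indexes, because Options is not in the override list.
    <Directory /var/www/example/html>
        Options -Indexes +FollowSymLinks
        AllowOverride FileInfo
        Require all granted
    </Directory>

    # Recommendations 5 and 14: refuse any path segment that starts with a dot
    # (.git, .ssh, .composer and similar directories) at any depth.
    # The lookahead keeps /.well-known/ reachable for ACME challenges.
    <DirectoryMatch "/\.(?!well-known)">
        Require all denied
    </DirectoryMatch>

    # Dot-files (.env, .bash_history, .gitignore ...). Apache's stock config
    # already denies ^\.ht; this widens it to every dot-file.
    <FilesMatch "^\.">
        Require all denied
    </FilesMatch>

    # Recommendation 6: a DB diagnostic script has no place in a public web
    # root. Deny it until it is actually deleted from the deployment.
    <Files "TestConexion.php">
        Require all denied
    </Files>

    # Finding 06 #6: never serve wp-config.php, even if PHP handling breaks.
    <Files "wp-config.php">
        Require all denied
    </Files>

    # Recommendation 12: disable XML-RPC at the web server, which also stops
    # the request before WordPress and its plugins load.
    <Files "xmlrpc.php">
        Require all denied
    </Files>

    # Recommendation 15: log every request with final status and bytes, so
    # probes for the paths above are visible as 403s in the access log.
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    CustomLog ${APACHE_LOG_DIR}/example_access.log combined
    ErrorLog  ${APACHE_LOG_DIR}/example_error.log
</VirtualHost>
```

After `apachectl configtest` and a reload, a request for `/.git/HEAD`, `/.env` or a bare directory path against your own host should return 403 rather than 200 or an index page, while `/.well-known/acme-challenge/` stays reachable. Denying these paths is a stop-gap: the `.git/` tree, `.env` files, shell history and diagnostic scripts still have to be removed from the document root, and the credentials they contained rotated, because a misordered config include or a second web server on the same files would expose them again.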

### RESPONSIBLE DISCLOSURE

| Contact | Entity | Purpose |
|---------|--------|---------|
| `cert-mx@cert.org.mx` | CERT-MX | Federal API exposure |
| INAI | National Transparency Institute | PII exposure |
| `rafael.fragoso@uaem.mx` | UAEM | Git + credential exposure |
| Durango State IT | State Government | Fiscalia infrastructure |

---

## LEGAL DISCLAIMER

All data was obtained through **Open Source Intelligence (OSINT)** methodology. No authentication was bypassed — all targets had security controls either absent or misconfigured, exposing data publicly. This audit is conducted for **authorized security research purposes only**.

---

*Crystal Vault OSINT — Campaign Active*
*Last Updated: 2026-02-25*
