CONFIDENTIAL REPORT

Security Penetration Test

BRNZ.AI Infrastructure Assessment

Report ID

RPT-2025-12-001

Assessment Period

Dec 18-19, 2025

Generated

Dec 23, 2025

Classification

CRITICAL

AI

Prepared by

AIHackers

AI Security Operations

SUMMARY Executive Summary

CRIT

9

Critical Findings

HIGH

3

High Severity

MED

1

Medium Severity

SCAN

7

Assets Tested

Vulnerability Distribution

Attack Surface Analysis

Critical Highlights

DB

Metabase Exposure

5 instances exposed in pre-setup state allowing unauthenticated admin takeover

Mitigated
MQ

RabbitMQ HTTP

Management UI accessible over plaintext HTTP enabling credential interception

Open
WP

WordPress Enumeration

REST API exposes user information enabling targeted attacks

Open

Risk Posture Evolution

Initial State
CRITICAL RISK Dec 18, 2025
Current State
HIGH RISK Dec 23, 2025
Target State
LOW RISK Target: Q1 2026

THREATS Detailed Vulnerability Analysis

CRITICAL VULN-0013 Mitigated

Metabase Pre-Setup Exposure Across *.brnz.ai

Unauthenticated setup exposed enables full admin takeover on multiple instances

9.8
CVSS Score

Attack Vector

Network

Complexity

Low

Privileges

None Required

User Interaction

None

Affected Assets (5)

blog.brnz.ai

Port 3000

v0.49.8

design.brnz.ai

Port 3000

v0.49.8

www.design.brnz.ai

Port 3000

v0.49.8

www.blog.brnz.ai

Port 3000

v0.49.8

mb.brnz.ai

Port 3000

v0.49.8

Impact Assessment

Administrative Takeover

Create first admin account without authentication

Data Exfiltration

Access to connected databases and business intelligence

Lateral Movement

Harvest credentials and pivot to internal networks

Persistence

Create backdoor accounts and API keys

Proof of Concept 

GET /api/session/properties HTTP/1.1
Host: blog.brnz.ai:3000

# Response:
{
  "version": {"tag": "v0.49.8"},
  "setup-token": "737de9...7d17"  ← Exposed
}
HIGH VULN-0014 Open

RabbitMQ Management UI Over Plaintext HTTP

Management interface accessible without TLS on picklezone.brnz.ai:15672

8.2
CVSS Score

Attack Vector

Network

Complexity

Low

Privileges

None Required

Impact

High

Attack Vectors

Man-in-the-Middle (MITM)

HTTP Basic auth credentials transmitted in cleartext

Credential Brute-Force

Public interface enables online password attacks

Service Fingerprinting

Version disclosure aids targeted exploitation

Immediate Actions Required

  • Disable HTTP listener, enforce HTTPS only
  • Restrict access via firewall to admin IPs only
  • Implement reverse proxy with client certificate auth
  • Rotate all RabbitMQ credentials immediately
MEDIUM VULN-0011 Open

WordPress REST API User Enumeration

Unauthenticated access to user information via public REST API

5.3
CVSS Score

Affected Sites

blog.brnz.ai 2 users exposed

• Bern Miller (admin3)

• Paul Johnson (admin)

design.brnz.ai 1 user exposed

• admin (admin)

Remediation Code 

// Add to functions.php
add_filter('rest_endpoints', function($endpoints) {
    if (!is_user_logged_in()) {
        unset($endpoints['/wp/v2/users']);
        unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});

ACTIONS Remediation Roadmap

NOW

Immediate

24-48 hours

  • Block public access to Metabase port 3000
  • Disable RabbitMQ HTTP listener
  • Restrict WordPress REST API
SOON

Short-Term

1-2 weeks

  • Deploy reverse proxies with auth
  • Enable SSO/SAML integration
  • Implement monitoring & alerting
PLAN

Long-Term

1-3 months

  • Network segmentation implementation
  • Zero-trust architecture
  • Quarterly penetration testing

Metabase Hardening Strategy

1 Network-Level Access Control

UFW Firewall Configuration:

sudo ufw deny 3000/tcp
sudo ufw allow from <ADMIN_IP> to any port 3000 proto tcp
sudo ufw reload

2 Bind to Localhost Only

Environment Configuration:

MB_JETTY_HOST=127.0.0.1
MB_SETUP_ENABLED=false

3 Reverse Proxy with Authentication

Nginx Configuration:

server {
    listen 443 ssl http2;
    server_name metabase.brnz.ai;

    location /setup {
        deny all;
        return 403;
    }

    location / {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://127.0.0.1:3000;
    }
}

RabbitMQ Security Enhancement

HTTPS Configuration

[{rabbitmq_management, [
  {listener, [
    {port, 15672},
    {ssl, true},
    {ssl_opts, [{certfile, "cert.pem"}]}
  ]}
]}].

Enable TLS for all management connections

Credential Hardening

rabbitmqctl add_user admin 'STRONG_PWD'
rabbitmqctl set_user_tags admin administrator
rabbitmqctl delete_user guest

Disable default accounts and use strong passwords

COSTS Remediation Cost Analysis

Remediation Action Effort (Hours) Timeline Cost Estimate
Firewall Configuration 2 hours Immediate $200
Reverse Proxy Setup 8 hours 1 week $800
SSL/TLS Certificates 1 hour 1 day $50/year
SSO/SAML Integration 16 hours 2 weeks $1,600
Network Segmentation 40 hours 1 month $4,000
Security Monitoring Setup 16 hours 2 weeks $2,000
Total Phase 1 Investment ~83 hours 1 month $8,650

Note: Costs calculated at $100/hour standard security engineering rate. Ongoing monitoring and maintenance costs not included.

LEGAL Compliance & Regulatory Impact

EU

GDPR

General Data Protection Regulation

Article 32: Security of Processing

Potential fine: Up to €10M or 2% of global turnover

PCI

PCI DSS

Payment Card Industry Data Security Standard

Requirement 2.2.4: Security Parameters

Requirement 8: Access Control

US

HIPAA

Health Insurance Portability and Accountability Act

§164.308: Administrative Safeguards

§164.312: Technical Safeguards