Diplomatic Mail and Open Databases: Iranian Government Infrastructure Exposed | Intercept Cell
Passive reconnaissance of Iranian government internet-facing infrastructure reveals systemic security failures across civilian, diplomatic, and IT organizations. The Ministry of Foreign Affairs' mail server, which handles diplomatic communications between Tehran and its embassies, runs Exim 4.98 with three high-severity CVEs, including a remote SQL injection and a heap buffer overflow. A government IT network block at 185.37.55.0/24 contains a host vulnerable to SMBGhost (CVE-2020-0796, CVSS 10.0) with SMB exposed to the internet, a ten-year-old unpatched MS15-034 RCE on IIS, an internet-facing MariaDB seven years past end-of-life, and a VMware ESXi 6.0 hypervisor. The Presidential office, Foreign Ministry, National Iranian Oil Company, and state news agency IRNA all share the same commercial hosting, with cPanel management ports exposed. Iran's own CERT website sits on the same shared infrastructure. Meanwhile, every military and intelligence domain (IRGC, Army, Basij, Atomic Energy, Police) is completely unreachable from outside Iran, hidden behind the national firewall.
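Findings of the kind listed above (exposed management ports, internet-facing SMB, CVEs indexed against a banner version, a "cp." hostname pointing at cPanel) fall out of a simple triage over Shodan InternetDB records. The script below is an added example written for this edit, not tooling from Intercept Cell. It mirrors the JSON shape of the public endpoint https://internetdb.shodan.io/<ip> (keys cpes, hostnames, ip, ports, tags, vulns) but makes no network request: it runs over constructed records that use RFC 5737 documentation addresses and a reserved .example hostname. The risk table, the sample records, and the function names are the editor's assumptions; the only CVE identifier used is CVE-2020-0796, which the article itself names.

```python
"""Offline triage of Shodan InternetDB-style host records.

Added example for this article, not the authors' tooling. The record shape
matches the public InternetDB endpoint (GET https://internetdb.shodan.io/<ip>
returns JSON with keys cpes, hostnames, ip, ports, tags, vulns), but nothing
here touches the network: the records below are constructed, use RFC 5737
documentation addresses, and the only CVE cited is the one the article names.
"""
from typing import Optional

INTERNETDB = "https://internetdb.shodan.io/{ip}"

# Exposure table: ports whose presence on a government host is itself a finding.
# Assumption: this table is the editor's, not the article's.
RISKY_PORTS = {
    445:  "SMB exposed to the internet",
    3306: "MySQL/MariaDB exposed to the internet",
    2082: "cPanel (plaintext) management port",
    2083: "cPanel (TLS) management port",
    2086: "WHM (plaintext) management port",
    2087: "WHM (TLS) management port",
    5353: "mDNS answering on a public address",
}

# Constructed records in InternetDB shape (not real lookups).
SAMPLE_RECORDS = [
    {"ip": "192.0.2.10", "hostnames": ["cp.mail.example"],
     "ports": [25, 465, 587, 993, 5353],
     "cpes": ["cpe:/a:exim:exim:4.98"], "tags": [], "vulns": []},
    {"ip": "192.0.2.20", "hostnames": [],
     "ports": [135, 445, 3389],
     "cpes": ["cpe:/o:microsoft:windows"], "tags": [],
     "vulns": ["CVE-2020-0796"]},
    {"ip": "192.0.2.30", "hostnames": ["db.example"],
     "ports": [22, 3306],
     "cpes": ["cpe:/a:mariadb:mariadb"], "tags": ["database"], "vulns": []},
]


def internetdb_url(ip: str) -> str:
    """URL a live (but still passive, pre-indexed) lookup would fetch."""
    return INTERNETDB.format(ip=ip)


def parse_cpe(cpe: str) -> tuple[str, str, Optional[str]]:
    """Return (vendor, product, version) from a CPE 2.2 ('cpe:/a:exim:exim:4.98')
    or CPE 2.3 ('cpe:2.3:a:exim:exim:4.98:*:...') string; version is None if absent."""
    parts = cpe.split(":")
    if cpe.startswith("cpe:2.3:"):
        fields = parts[3:]      # drop 'cpe', '2.3' and the part-type letter
    elif cpe.startswith("cpe:/"):
        fields = parts[2:]      # drop 'cpe' and the '/a', '/o' or '/h' part
    else:
        raise ValueError(f"not a CPE string: {cpe!r}")
    if len(fields) < 2:
        raise ValueError(f"CPE lacks vendor/product: {cpe!r}")
    version = fields[2] if len(fields) > 2 and fields[2] not in ("", "*", "-") else None
    return fields[0], fields[1], version


def triage(record: dict) -> list[str]:
    """Turn one InternetDB record into a list of findings for a reviewer."""
    findings = []
    for port in sorted(record.get("ports", [])):
        if port in RISKY_PORTS:
            findings.append(f"port {port}: {RISKY_PORTS[port]}")
    # InternetDB 'vulns' are CVE IDs Shodan matched to the indexed banner
    # version; they are inferred, not tested, so each still needs confirmation.
    for cve in record.get("vulns", []):
        findings.append(f"indexed vuln {cve}")
    for cpe in record.get("cpes", []):
        vendor, product, version = parse_cpe(cpe)
        findings.append(f"software {vendor}/{product} {version or '(version not indexed)'}")
    # Hostname heuristic the article applies: a leading 'cp' label suggests cPanel.
    if any(h.split(".")[0] == "cp" for h in record.get("hostnames", [])):
        findings.append("hostname 'cp.' suggests a cPanel control panel on this host")
    return findings


def triage_all(records: list[dict]) -> dict[str, list[str]]:
    """Findings keyed by IP for a whole block of records."""
    return {r["ip"]: triage(r) for r in records}


def summarize(records: list[dict]) -> dict[str, int]:
    """Counts of the kind an executive summary quotes."""
    return {
        "hosts": len(records),
        "hosts_with_indexed_cves": sum(1 for r in records if r.get("vulns")),
        "hosts_with_risky_ports": sum(
            1 for r in records if set(r.get("ports", [])) & set(RISKY_PORTS)
        ),
    }


if __name__ == "__main__":
    for ip, findings in triage_all(SAMPLE_RECORDS).items():
        print(ip, "<-", internetdb_url(ip))
        for f in findings:
            print("   ", f)
    print(summarize(SAMPLE_RECORDS))
```

Run it as a script to see per-host findings and the summary counts. The parse_cpe helper accepts both the CPE 2.2 form InternetDB returns and the CPE 2.3 form NVD uses. Because InternetDB attributes CVEs from banner versions rather than by probing, every indexed vuln is a lead to confirm against the vendor's fixed versions, not a confirmed exploitable hole.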
Using only passive data sources (Shodan InternetDB, Certificate Transparency logs, and DNS resolution) we mapped the externally visible attack surface of Iranian government infrastructure. No packets were sent to any Iranian system; every finding comes from pre-indexed public data. What we found is a government whose civilian digital infrastructure is critically exposed while its military networks have retreated entirely behind the national firewall.

The most significant finding is the mail server for Iran's **Ministry of Foreign Affairs** at 109[.]201[.]11[.]102. Shodan records its hostname as cp.mfa.gov.ir; the "cp" prefix indicates a cPanel control panel installed on the same host that processes diplomatic email. The server runs **Exim 4.98** and exposes five ports: SMTP (25), SMTPS (465), Submission (587), IMAPS (993), and mDNS (5353). Its TLS certificate is **self-signed**. Shodan's InternetDB reports three high-severity CVEs against the advertised Exim version, among them a SQL injection reachable without authentication and a heap buffer overflow leading to remote code execution. InternetDB infers these from the version string rather than by testing, so a backported fix cannot be ruled out from the outside; even so, a diplomatic mail server advertising a version with known high-severity CVEs is a patch-management finding in its own right.

This is the server that carries communications between Iran's embassies worldwide and the Foreign Ministry in Tehran, and the vulnerable software sits directly on the system that processes diplomatic cables. The self-signed certificate compounds the exposure. There is no trust chain for a client to validate, so embassy clients connecting on 465, 587 or 993 have necessarily been configured to accept it, and an adversary in the path who presents a different self-signed certificate triggers no warning that the legitimate server would not also trigger. Only certificate pinning, or a user who compares fingerprints, would catch the substitution. Server-to-server delivery on port 25 is weaker still: opportunistic STARTTLS between MTAs does not validate the peer certificate at all unless the receiving domain publishes MTA-STS or DANE records, which would be the next check to make.

A /24 network block associated with Iranian government IT services contains **35 hosts** with notable security issues. The highlights: