A new cybersecurity report has revealed alarming security lapses across America’s energy infrastructure. According to findings by security firm SixMap, 21 of the United States’ leading energy companies are operating with a combined total of 5,750 network vulnerabilities, the majority of which are high or critical in severity.
Released Tuesday, the report underscores growing concerns about the resilience of one of the country’s most vital infrastructure sectors. SixMap’s research indicates that approximately 66% of the vulnerabilities discovered could lead to significant cyber threats if exploited. Of the total, nearly 380 flaws are currently being exploited in the wild, signalling an immediate threat to operational integrity.
FCRF Launches India’s Premier Certified Data Protection Officer Program Aligned with DPDP Act
The findings also highlight 43 unique Common Vulnerabilities and Exposures (CVEs) shared by at least 10 of the evaluated companies, with six known to be actively targeted by threat actors. The vulnerabilities were identified via external scans of both IPv4 and IPv6 infrastructure, including web domains and IP addresses.
Energy Sector Under Growing Threat from Sophisticated Actors
While the U.S. energy sector has long been considered a relatively hardened component of national critical infrastructure, this latest audit reveals serious blind spots, particularly in how companies manage and monitor exposed ports and assets.
SixMap CEO Jason Kaplan explained that many vulnerabilities reside within ephemeral port ranges, which are often skipped by default in most vulnerability scans. These overlooked areas, he said, are increasingly being targeted by cybercriminals and state-linked threat actors. Moreover, the report warns that existing exposure management tools are ineffective at scanning IPv6 assets, leaving key portions of energy networks unmonitored. As a result, attackers could potentially exploit these hidden assets without detection.
The report comes amid a broader uptick in cyber incidents targeting energy providers, from financially motivated ransomware campaigns to attacks linked to geopolitical conflict. In recent years, energy infrastructure in the U.S. has been a focal point for cyber activity, raising national security concerns.
SixMap did not disclose company names due to the sensitive nature of the vulnerabilities. However, the firm emphasized that proactive mitigation, internal audits, and advanced scanning techniques are critical to defending against escalating cyber threats.