Companies left them for dead, but the remnants of old infrastructure and failed projects continue to haunt businesses' security teams.
October 30, 2025

A variety of old, abandoned projects, long considered dead, continue to rise up and undermine the cybersecurity posture of the companies that created them.

From code to infrastructure to application programming interfaces (APIs), these so-called "zombie" assets continue to cause security headaches for companies and sometimes lead to breaches. Oracle's "obsolete" servers, abandoned Amazon S3 buckets used by attackers to distribute malware, and the unmonitored API connecting Optus' customer-identity database to the Internet are all variations of the zombies plaguing enterprises.

The lack of attention to forgotten — dare we say, "undead" — services causes cybersecurity headaches in two ways, says Andrew Scott, director of product at cybersecurity firm Palo Alto Networks.

"If you've got a device that has been forgotten, you're probably not looking after it, so if it were compromised, it may be hard for you to know," he says. "And the longer that those things stay out there, stay unmanaged, or not getting the TLC and patch cycles ... the more likely that they are vulnerable to risks over time."

Still operating yet unmanaged devices, services, and APIs continue to be a massive cybersecurity problem for companies, expanding their attack surfaces and requiring intense efforts to discover and remediate.
A third of attackers look for exposed assets, including Web-facing services (18%), external remote services (12%), and supply chains (3%), according to Microsoft's "Digital Defense Report 2025" published this month. The vast majority of organizations (84%) have seen their external attack surfaces grow — and 90% have seen a corresponding increase in impactful incidents — over the past year, according to Cybersecurity Insiders' "2024 Attack Surface Threat Intelligence Report."

Zombie devices and software are also a form of security debt, with more than half of organizations (58%) seriously or moderately concerned over technology known to be vulnerable but which remains unpatched or lacks updates, according to Ivanti's "State of Cybersecurity Exposure Management" report. Despite this, organizations continue to produce unmanaged technology, with more than half of organizations (51%), for example, running software beyond its end-of-life date.

Both zombie software and devices are problems for companies.

Nine in 10 codebases scanned by application security firm Black Duck have open source components that are more than 10 versions behind the current release, while 91% of codebases have packages that showed no development activity for the past two years — all of this while the number of open source files in the average application has quadrupled, according to the firm.

[Figure: Most codebases have at least one package that is more than four years out of date and that developers are likely unaware of. Source: Black Duck]

With the vast majority of these zombie codebases (81%) containing at least one critical vulnerability, the software is a high-risk liability, says Mike McGuire, senior security solutions manager at Black Duck.

"That's a huge, unmanaged population of old code," he says. "More components mean a larger attack surface and more places for zombie code to hide."

Unmanaged hardware is another major risk, usually because the software for an unmanaged device is no longer updated, but also because the security controls managing access to the services it provides are no longer updated. The average organization has more than 300 new services publicly accessible each month, accounting for a third of high and critical exposures, according to research published by Palo Alto Networks.

These devices are often hard to find, says Palo Alto Networks' Scott.

"You will find hardware where the last guy who knew about that thing has left the company and no one really knows what it is or where it is," he says. If a serious vulnerability or authentication is uncovered, it will push it higher on the priority list for patching, he adds.

"[But] we do see plenty of things that are old and the company just decided, 'Hey, it's going to be a lot of manpower to go and track those things down. I'm not that worried about it,'" Scott says.

Cloud infrastructure has made managing attack surfaces even more complicated.

Every night at midnight UTC, the free digital certificate service Let's Encrypt runs into its own zombie problem. The hardware belonging to organizations that have allowed domain names to lapse, home users with dynamic-DNS domains, and administrators who have failed to deprovision old Web services wakes up and sends a renewal request to its servers.
Because the requests are invalid, they do not result in a certificate being generated and sent.

However, because the service covers 670 million active certificates, even a small percentage of zombie clients uses a significant amount of resources, wrote Samantha Frank, a senior software engineer at Let's Encrypt.

"Unlike a human being, software doesn't give up in frustration, or try to modify its approach, when it repeatedly fails at the same task," she wrote. "[Automation] is great when those renewals succeed, but it also means that forgotten clients and devices can continue requesting renewals unsuccessfully for months, or even years."

To solve the problem, the organization has adopted rate limiting and will pause account-hostname pairs, immediately rejecting any requests for a renewal.

Other zombie infrastructure includes APIs. Overall, attacks on APIs grew by 41% in 2024, with attacks on shadow and zombie APIs — defined as "undocumented" and "forgotten" endpoints, respectively — allowing attacks on business logic flaws and sensitive data to be conducted without detection, according to cloud-security firm Radware's "2025 Cyber Threat Report."

Companies often deploy a new version of an API while leaving the old version for backward compatibility, but they subsequently forget to decommission the legacy code, says Pascal Geenens, vice president of cyberthreat intelligence at Radware.

"Typically, those zombie APIs were written many years ago, and they weren't written with the same controls and the same secure code — and maybe the company switched to a more secure programming language, like Rust instead of C++ that they used before," he says.

The rapid development of pilot artificial intelligence (AI) projects has left some companies with significant security debt: zombie services connected to real company data that continues to be accessible.
One customer of exposure-management firm Tenable, for example, transitioned from Microsoft Copilot, but when the company scanned its network, it found "tens of endpoints" still accessible and open to the Internet, says Tomer Avni, vice president of product for the company.

[Figure: A variety of flaws and misconfigurations can affect forgotten AI services. Source: Tenable]

"Basically anyone on the Internet could communicate with those agents and query sensitive data," he says. And because the company had moved on from Microsoft Copilot Enterprise, it didn't have the permissions to fix the issue, he explains.

The vast majority of organizations today are either running (55%) or piloting (34%) AI workloads, and a third have already experienced an AI-related breach, according to Tenable's "State of Cloud and AI Security 2025" report.

Automation is key to tackling the issue of zombie services, devices, and code. Scanning the package manifests in software, for example, is not enough, because nearly two-thirds of vulnerabilities are transitive — they occur in software packages imported by another software package. Scanning manifests catches only about 77% of dependencies, says Black Duck's McGuire.

"Focus on components that are both outdated and contain high- [or] critical-risk vulnerabilities. Deprioritize everything else," he says. "Institute a strict and regular update cadence for open source components. You need to treat the maintenance of a third-party library with the same rigor you treat your own code."

AI poses an even more complex set of problems, says Tenable's Avni. For one, AI services span across a variety of endpoints. Some are software-as-a-service, some are integrated into applications, and others are AI agents running on endpoints. In addition, AI agents routinely connect to third-party services, which could result in exposing sensitive data to untrusted environments.
A developer using Cursor and connecting it to the DeepSeek foundational AI model may be violating policy.

The security team needs to hunt for shadow AI and zombie endpoints across the entire company, as well as the services used by employees. Looking at network traffic alone will not do this, says Avni, so spreading sensors throughout the infrastructure is important.

"This is a much bigger challenge than what we used to experience because the solution spans across different people and groups," Avni says. "Sometimes the security team is siloed — there are endpoint people, cloud people — and this problem actually requires all of them to sit together and to look at it together."

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research e
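The gap between manifest scanning and transitive dependencies, and McGuire's rule of fixing first what is both outdated and high or critical, can be shown in a short Python sketch. This is an added example, not code from the article or from Black Duck: it walks a resolved dependency graph outward from the manifest's direct entries and triages each package. The package names, release dates, severities and the 730-day staleness threshold are constructed assumptions.

```python
from collections import deque
from datetime import date

# Constructed sample data (hypothetical packages, not from the article):
# MANIFEST is what a manifest-only scan sees; RESOLVED is the full graph
# a lockfile or resolver would give.
MANIFEST = ["demo-web", "demo-auth"]
RESOLVED = {
    # name: (requires, last_release, worst known severity or None)
    "demo-web":    (["demo-tmpl", "demo-http"], date(2025, 6, 1), None),
    "demo-auth":   (["demo-crypto"], date(2025, 3, 10), "medium"),
    "demo-tmpl":   (["demo-strutil"], date(2021, 2, 14), "critical"),
    "demo-http":   ([], date(2025, 1, 5), "high"),
    "demo-crypto": ([], date(2020, 9, 30), "high"),
    "demo-strutil": ([], date(2019, 11, 2), None),
}
STALE_AFTER_DAYS = 730  # assumption: two years without a release is "outdated"


def walk(manifest, resolved):
    """Breadth-first walk; returns {package: depth}, depth 0 = in the manifest."""
    depth = {name: 0 for name in manifest}
    queue = deque(manifest)
    while queue:
        pkg = queue.popleft()
        for child in resolved[pkg][0]:
            if child not in depth:  # first visit is the shortest path
                depth[child] = depth[pkg] + 1
                queue.append(child)
    return depth


def triage(manifest, resolved, today):
    """Split packages into fix-first (stale AND high/critical) and the rest."""
    urgent, deferred = [], []
    depth = walk(manifest, resolved)
    for pkg, d in sorted(depth.items(), key=lambda kv: (kv[1], kv[0])):
        _, released, severity = resolved[pkg]
        stale = (today - released).days > STALE_AFTER_DAYS
        row = (pkg, "direct" if d == 0 else f"transitive(depth {d})")
        if stale and severity in ("high", "critical"):
            urgent.append(row)
        else:
            deferred.append(row)
    return urgent, deferred


if __name__ == "__main__":
    urgent, deferred = triage(MANIFEST, RESOLVED, date(2025, 10, 30))
    print("fix first:", urgent)
    print("deprioritized:", deferred)
```

In this sample both fix-first packages are reachable only transitively, so a scan limited to the two manifest entries would report neither.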