Wild goats and open gates: government’s websites are asking to be hacked

Government websites outside SITA’s network carry more than 4,400 security flaws. One in every five servers is vulnerable


Whether managed by the State Information Technology Agency, internally or by third parties, government public-facing servers are plagued with insecurities. Illustration: Lisa Nelson

Government websites are insecure and a mess. The Constitution says that officials must provide us, the public, with “timely, accessible and accurate information”. The way that is done in the modern world is through websites.

But the gov.za websites are highly insecure. They are vulnerable to viruses and ransomware. There have been many reports of the state’s systems being penetrated by hackers.

We previously reported that the State Information Technology Agency (SITA), the body responsible for much of the state’s computer systems including websites, has more than 5,000 known security flaws across its public-facing network on the internet.

We have now examined the government websites and services outside of SITA’s network, using the same industry tool. These internet services are scattered across Telkom, Vodacom, MTN, Microsoft Azure, municipal servers, private hosting companies, and more. Some appear to be managed by government departments themselves. Some appear to have been built years ago by whoever was cheapest (or most expensive) at the time, and not meaningfully touched since.

Read our four-part series on government websites

  1. The state says its computer systems are secure. They’re not!
  2. Government’s websites are asking to be hacked (this article)
  3. Government websites were once well-designed. Now they’re impossible to navigate (coming Friday)
  4. How to fix government’s websites (coming Monday)

It is not just SITA’s network that is plagued with vulnerabilities; it is the entire government network.

SITA’s network has about 1,100 public-facing systems, of which one in seven carries a known security vulnerability. The non-SITA government internet, which is smaller (516 systems), has one in five hosts vulnerable. The network is less than half the size, yet has nearly as many critical security flaws.

When we reported that SITA’s oldest unfixed security flaw dates back to 2006, we expected that to be a low point. But we have found that the non-SITA government internet has about 36 systems with vulnerabilities first documented in 2007: the year the iPhone launched and South Africa won the Rugby World Cup in Paris, and apparently the last year anyone updated these systems. All 36 systems carry exactly the same 15 severe vulnerabilities (some with more).

One of the worst examples comes from Amathole District Municipality in the Eastern Cape. One of its servers, hosted in a Microsoft data centre, carries over 353 known security vulnerabilities, of which 94 are rated “critical”. (Just to be clear: it is absolutely NOT Microsoft’s responsibility to fix this; it is the municipality’s responsibility.) To give you a sense of how bad this is, SITA’s entire network of more than a thousand systems has 125 unique critical flaws in total. This municipality has managed to accumulate 75% of that on a single server. In a strange way, it is quite impressive.

Witzenberg Municipality in the Western Cape matches that almost exactly: 347 vulnerabilities, 94 of which are critical, on one website. It runs the same software as Amathole – Apache 2.4.7 on Ubuntu 14.04. Ubuntu is an operating system, akin to Windows. Ubuntu names each new version after animals, and version 14 got the name “Trusty Tahr”. A tahr is a type of wild goat (you can see them on Table Mountain). This version has not been trustworthy since April 2019*, when support for it ended. The operating system has been accumulating unaddressed security flaws for over seven years.

Who is in charge?

SITA’s network, for all its flaws, has a network space with predefined addresses, and one body at least partially responsible for it. But the non-SITA government internet has no equivalent. It is distributed across more than fifteen distinct hosting providers, and there is no single entity that has the mandate (or the inclination) to coordinate security across all of them.

What happens when something needs fixing? Well, it depends on who built the system, when last they were paid, and whether they are still in business.

The agriculture department has a server carrying 152 known vulnerabilities of which 37 are critical. The server is not hosted on the SITA network, but by Dimension Data (one of SA’s largest, most reputable IT companies). That does not mean that it is their responsibility to keep the server secure.

One of the worst finds, similar to our findings with SITA’s network, is a server belonging to the Integrated Justice System. The IJS connects courts, the National Prosecuting Authority (NPA), and correctional services. It handles criminal case records, prosecution tracking, and offender data for South Africa. Apologies for getting a bit technical. This server has its Remote Desktop Protocol (RDP) port — the technology used to remotely control a computer — exposed directly to the internet, and it also has a confirmed vulnerability called SMBGhost. America’s Cyber Defense Agency warned about this vulnerability in 2020, as did many other cybersecurity institutions globally.

Then there is Ekurhuleni. The municipality has its own network. On it sits incidentmanagement.ekurhuleni.gov.za, the municipality’s incident management system, which carries many known vulnerabilities. The municipality needs an incident management system for its incident management system.

Who’s in charge of fixing this mess? Who’s taking responsibility? Given the age and severity of many of the vulnerabilities, the answer seems to be: no-one.

In May, Ekurhuleni’s acting city manager explained to Parliament how the municipality got hacked: “You could drive to our licence station in Bedfordview, where we have Wi-Fi, and just park outside, and if you are a hacker, you can get access to our virtual private network (VPN) and do these things”.

There are two realistic ways to have got into their VPN. Either the hackers used compromised credentials (they got hold of passwords), or they exploited a vulnerability in a system that had not been kept up-to-date.

The Ekurhuleni VPN was possibly using an obsolete protocol developed by Microsoft in the 1990s called PPTP. Microsoft has ended support for it because it is so vulnerable. It can be cracked within minutes if you are on the same Wi-Fi. Using PPTP is as good as leaving the front door open.

There are seven of these insecure VPNs on SITA’s network, and ten of them off SITA’s network. There should be zero. PPTP was fully cracked in 2012. There are newer, more secure protocols that serve the purpose better. Those using the insecure protocol include Joe Gqabi Municipality, Bojanala Platinum District Municipality, the KZN Nerve Centre, and some unnamed hosts and routers on SITA’s network.

Technical details

We ran our Shodan analysis on gov.za hostnames hosted outside SITA’s AS37130 in late May, and again on 8 June 2026. Shodan identified 1,089 exposed service records across 516 unique internet-facing hosts. Of those, 106 hosts (one in five) carried at least one known vulnerability compared to SITA’s one in seven hosts. The dataset spans government entities hosted by more than fifteen different providers, with no centralised oversight.

| Metric | SITA network | Non-SITA .gov.za |
|---|---|---|
| Total records | 2150 | 1089 |
| Unique IP addresses | 1112 | 516 |
| Hosts with vulnerabilities | 152 (1 in 7) | 106 (1 in 5) |
| Unique Common Vulnerabilities and Exposures (CVEs) | 904 | 725 |
| Unique Critical CVEs (>= 9.0) | 125 | 133 |
| Total CVE count | 5014 | 4466 |
| Total Critical CVE count | 575 | 726 |

| Some of the worst hosts | Total CVEs | Critical | Operator |
|---|---|---|---|
| admcitizen.amathole.gov.za | 353 | 94 | Amathole District Municipality (Azure) |
| witzenberg.gov.za | 347 | 94 | Witzenberg Municipality |
| mail.tclm.gov.za | 268 | 60 | Thaba Chweu Local Municipality |
| dalrrd.gov.za | 152 | 37 | DALRRD / Agric. Res. Council |
| nda.gov.za | 153 | 23 | National Development Agency |
| midvaal.gov.za | 151 | 19 | Midvaal Municipality (Vodacom) |
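For an operator who wants to run the same tally over an export of their own estate, the sketch below shows how per-service records roll up into the per-host and network-wide counts in the tables above. It is an added example, not GroundUp's code: it assumes records in Shodan's banner layout (`ip_str`, `asn`, `port`, `vulns` with a `cvss` score), assumes a CVE is counted once per host, and runs on constructed sample data with documentation IP addresses and placeholder CVE ids.

```python
from collections import defaultdict

SITA_ASN = "AS37130"      # from the article; records in this ASN are excluded
CRITICAL = 9.0            # the article's threshold for "critical"
# Constructed sample records (documentation IPs, placeholder CVE ids).
SAMPLE = [
    {"ip_str": "192.0.2.10", "asn": "AS64500", "port": 80,
     "vulns": {"CVE-0000-0001": {"cvss": 9.8}, "CVE-0000-0002": {"cvss": 5.0}}},
    {"ip_str": "192.0.2.10", "asn": "AS64500", "port": 443,
     "vulns": {"CVE-0000-0001": {"cvss": 9.8}}},
    {"ip_str": "192.0.2.20", "asn": "AS64501", "port": 1723},
    {"ip_str": "198.51.100.5", "asn": "AS64501", "port": 3389,
     "vulns": {"CVE-0000-0003": {"cvss": "10.0"}, "CVE-0000-0001": {"cvss": 9.8}}},
    {"ip_str": "203.0.113.7", "asn": "AS37130", "port": 80,
     "vulns": {"CVE-0000-0004": {"cvss": 9.1}}},
]

def summarise(records, exclude_asn=SITA_ASN):
    """Aggregate per-service records into per-host and network-wide counts."""
    kept = [r for r in records if r.get("asn") != exclude_asn]
    hosts = defaultdict(dict)            # ip -> {cve id: highest cvss seen}
    for r in kept:
        cves = hosts[r["ip_str"]]        # creates the entry even with no vulns
        for cve, meta in (r.get("vulns") or {}).items():
            try:
                score = float((meta or {}).get("cvss") or 0.0)
            except (TypeError, ValueError):
                score = 0.0              # unscored CVE: counted, never critical
            cves[cve] = max(score, cves.get(cve, 0.0))
    vulnerable = {ip: c for ip, c in hosts.items() if c}
    unique = {cve for c in vulnerable.values() for cve in c}
    unique_crit = {cve for c in vulnerable.values()
                   for cve, s in c.items() if s >= CRITICAL}
    worst = sorted(((ip, len(c), sum(s >= CRITICAL for s in c.values()))
                    for ip, c in vulnerable.items()),
                   key=lambda t: (-t[1], -t[2], t[0]))
    return {
        "total_records": len(kept),
        "unique_ips": len(hosts),
        "hosts_with_vulns": len(vulnerable),
        "unique_cves": len(unique),
        "unique_critical_cves": len(unique_crit),
        "total_cve_count": sum(n for _, n, _ in worst),
        "total_critical_count": sum(k for _, _, k in worst),
        "worst_hosts": worst,            # (ip, total CVEs, critical), worst first
    }

if __name__ == "__main__":
    print(summarise(SAMPLE))
```

The gap between the unique and total counts is what shows the same unpatched flaw repeated across many hosts, as with the 36 systems sharing the same 15 vulnerabilities.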

* Canonical, the makers of Ubuntu, offer a paid service to continue addressing security flaws but it is extremely unlikely that the government is making use of this service, even if it pays the subscriptions.


© 2026 GroundUp. This article is published under the GroundUp Republication Licence Version 1.0. Email info@groundup.org.za to request permission to republish.