Using only passive data sources — Shodan InternetDB, Certificate Transparency logs, and DNS resolution — we mapped the externally visible attack surface of Iranian government infrastructure. No packets were sent to any Iranian system. Every finding comes from pre-indexed public data. What we found is a government whose civilian digital infrastructure is critically exposed while its military networks have retreated entirely behind the national firewall.
The Diplomatic Mail Server
The most significant finding is the mail server for Iran's Ministry of Foreign Affairs at 109[.]201[.]11[.]102. Shodan identifies the hostname as cp.mfa.gov.ir — the "cp" prefix indicating a cPanel control panel installation on the same host that processes diplomatic email.
The server runs Exim 4.98 and exposes five ports: SMTP (25), SMTPS (465), Submission (587), IMAPS (993), and mDNS (5353). Its TLS certificate is self-signed. Shodan's InternetDB reports three high-severity CVEs:
| CVE | CVSS | Impact |
|---|---|---|
| CVE-2025-30232 | 8.1 HIGH | Use-after-free in Exim 4.96–4.98.1 enabling privilege escalation |
| CVE-2025-26794 | 7.5 HIGH | Remote SQL injection in Exim 4.98 via SQLite hints and ETRN serialization |
| CVE-2025-67896 | 7.0 HIGH | Remote heap-based buffer overflow in Exim rate-limit configurations |
This is the server that handles communications between Iran's embassies worldwide and the Foreign Ministry in Tehran. Three unpatched vulnerabilities — one enabling remote code execution via buffer overflow, another allowing SQL injection without authentication — on the system that processes diplomatic cables. The self-signed certificate means any nation-state adversary performing a man-in-the-middle attack would not trigger certificate warnings that a properly issued cert would produce, because there are no proper trust chains to break.
The Government IT Block: 185.37.55.0/24
A /24 network block associated with Iranian government IT services contains 35 hosts with notable security issues. The highlights:
SMBGhost (CVE-2020-0796) — CVSS 10.0 Critical at 185[.]37[.]55[.]244: A Windows server exposes port 445 (SMB) to the public internet. Shodan confirms Microsoft IIS 10.0 on Windows with ports 80, 110, 135, 143, and 445 open. SMBGhost is a wormable remote code execution vulnerability — no authentication required, no user interaction needed. An attacker can achieve full SYSTEM-level access with a single crafted packet. This vulnerability has had public exploits available since 2020.
MS15-034 (CVE-2015-1635) at 185[.]37[.]55[.]104: A Windows Server running IIS 8.5 is vulnerable to a 10-year-old critical remote code execution flaw in HTTP.sys. A crafted Range header in an HTTP request triggers a kernel-level buffer overflow. This CVE was published in 2015 and patched the same year. It remains unpatched on this government server.
MariaDB 10.0.38 on port 3306 at 185[.]37[.]55[.]1: A database server directly exposed to the internet running software that reached end-of-life on March 31, 2019 — missing seven years of security patches. Certificate Transparency logs associate this IP with admin.news.mrud.ir, a news administration server for the Ministry of Roads and Urban Development. The server also runs nginx 1.20.1 (also EOL) and carries three additional CVEs.
VMware ESXi 6.0.0 at 185[.]37[.]55[.]206: An internet-exposed hypervisor running software that reached end-of-general-support in March 2022. ESXi is the platform that runs virtual machines — a compromised hypervisor means access to every VM running on it. ESXi has been a primary target for ransomware groups (ESXiArgs, Royal, Black Basta) who specifically seek out exposed instances to encrypt entire virtualization environments.
Additional findings across the /24 include: MySQL 5.7.11 with FTP and RDP exposed on the same host (185[.]37[.]55[.]162), IIS 8.0 on Windows Server with RDP exposed and tagged as end-of-life OS (185[.]37[.]55[.]85), 15 hosts running end-of-life software, and 28 hosts with known CVEs. The block also contains cPanel installations, self-signed certificates, and multiple instances of PHP 7.x (end-of-life since November 2022).
| Metric | Count |
|---|---|
| Hosts with known CVEs | 28 |
| Hosts running EOL software | 15 |
| Exposed databases | 2 |
| Exposed RDP (port 3389) | 2 |
| Exposed FTP (port 21) | 3 |
| VMware ESXi hypervisors | 1 |
| Critical RCE CVEs | 2 |
The Shared Hosting Problem
The Iranian Presidential office (president.ir), Ministry of Foreign Affairs (mfa.ir), National Iranian Oil Company (nioc.ir), state news agency IRNA (irna.ir), and Mehr News (mehrnews.com) all resolve to the same two IP addresses: 185[.]143[.]233[.]235 and 185[.]143[.]234[.]235.
Both IPs expose cPanel and WebHost Manager ports to the public internet:
| Port | Service |
|---|---|
| 2082 | cPanel (HTTP) |
| 2083 | cPanel (HTTPS) |
| 2086 | WHM (HTTP) |
| 2087 | WHM (HTTPS) |
| 2095 | Webmail (HTTP) |
| 2096 | Webmail (HTTPS) |
| 8080, 8443, 8880 | Additional web ports |
This means the President of Iran's website, the Foreign Ministry, and the National Iranian Oil Company are all hosted on the same commercial shared server. A compromise of any one tenant — or the hosting provider itself — risks lateral movement to all others. The cPanel login pages are accessible from anywhere in the world, enabling brute-force attacks, credential stuffing, and exploitation of any cPanel CVE.
The Government portal (dolat.ir) and Ministry of Interior (moi.ir) are on a separate pair of shared hosting IPs at providers sinaweb.net and eqra.net, with the same cPanel port exposure.
Perhaps most remarkably, Iran's own CERT (cert.ir) — the Computer Emergency Response Team responsible for defending government infrastructure — is hosted on the same shared platform at 185[.]143[.]233[.]41. Shodan identifies a co-tenant: ketabsal.ir, a bookstore. The national cyber defense organization shares a web server with an online bookshop.
The Military Firewall
In stark contrast to the civilian infrastructure, every military and intelligence domain we tested is completely unreachable from outside Iran:
| Domain | Organization | Status |
|---|---|---|
mod.ir | Ministry of Defense | DNS timeout |
aja.ir | Army (Artesh) | DNS timeout |
police.ir | Police | DNS timeout |
aeoi.org.ir | Atomic Energy Organization | DNS timeout |
nstri.ir | Nuclear Science & Technology Research | DNS timeout |
basij.ir | Basij Mobilization Force | DNS timeout |
sepah.ir | IRGC (Islamic Revolutionary Guard Corps) | NoNameservers |
irgc.ir | IRGC (alternate) | NXDOMAIN |
navy.ir | Navy | NXDOMAIN |
DNS resolution either times out (nameservers exist but refuse to respond to external queries), returns NoNameservers (SERVFAIL), or NXDOMAIN (no DNS record exists). These domains likely resolve only within Iran's National Information Network (NIN/SHOMA), the country's domestic intranet. irgc.ir and navy.ir have no DNS records at all — they either don't exist or operate on an entirely separate namespace.
The dichotomy is striking: military and nuclear infrastructure is completely dark to the outside world, while the Presidential office, Foreign Ministry, and national oil company sit on shared commercial hosting with management ports exposed to every scanner on the internet.
Conclusion
Iranian government civilian infrastructure exhibits the security posture of a small business, not a nation-state. A single /24 block contains two critical remote code execution vulnerabilities (SMBGhost and MS15-034) that have had public exploits for years. The diplomatic mail server runs unpatched software with three high-severity CVEs. The President's website shares a cPanel server with the oil company and the state news agency. And the national CERT — the organization charged with fixing all of this — is hosted next to a bookshop on the same shared infrastructure it should be auditing.
The military, by contrast, has simply disappeared from the internet entirely. Whether this reflects a deliberate security strategy or merely the organizational divide between civilian and military IT procurement, the result is the same: Iran's public-facing government infrastructure is a target-rich environment, and the resources that should be protecting it are hosted on the same vulnerable platform.