South Africa: The State Says Its Computer Systems Are Secure. We Looked. They're Not

SITA's internet services have more than 5,000 security flaws

The State Information Technology Agency (SITA) is responsible for much of the state's computer systems, including websites. On 24 May SITA published a statement denying social media claims that "SITA and government infrastructure" had been hit by a "cyberattack or unauthorised access".

"Our Systems Remain Secure," said the statement.


We used a standard industry tool to examine the government's internet services. These are hosted mostly, but not only, on the gov.za domain.

We looked at the section of the internet for which SITA is responsible separately from other government sites. In this article we show the results for the SITA network only.

We found that the government's systems are insecure.

The details are technical, so we have divided this article into two parts. The first part is a simplified non-technical description of the problem. The second part, for those who are interested, is a technical description.

Simple explanation

We investigated SITA's internet space using Shodan, a search engine for internet-connected devices. Our analysis shows that SITA has hundreds of public-facing services that use outdated technologies and have numerous known software vulnerabilities. Some of the insecure services include those of the Deeds Office, the Limpopo health department and the Western Cape government, but there are many, many more.

In response to our questions, SITA told us that it is only responsible for about 37% of government services. We're not sure what on the SITA network SITA itself is directly responsible for. When we asked, SITA told us this information is confidential.

SITA said it "performs regular security assessments and vulnerability analyses on all systems under its direct management". But its own site is vulnerable. (Read SITA's responses to our first set of questions and second set of questions.)

When cybersecurity people identify vulnerabilities in commonly used software, they eventually publish these in a public database so that IT workers can be aware of them and take appropriate action. These vulnerabilities are called CVEs (for Common Vulnerabilities and Exposures).

CVEs get a score from 0 to 10. The higher the score, the more severe the issue is.

The SITA network has over 900 unique CVEs. Of these, 126 are critical. These CVEs are repeated across the SITA network, with just over 5,000 vulnerabilities in total.

Much of the software on the SITA network is outdated. The SITA website itself, https://www.sita.co.za, has outdated, insecure software.

It is hard to overstate how serious this is. For example, when the GroundUp site has only one serious outstanding CVE, we rush to sort it out, as any responsible maintainer of a critical system does.

This is despite SITA's claim that their "security operations teams operate on a continuous, 24/7 basis and are equipped with monitoring and threat-detection capabilities".

The oldest security flaw on SITA's network was revealed in 2006 (see here, here and here, for example) when Thabo Mbeki was president. It is still there, repeated over and over across the network.

10/10 vulnerabilities

Many of the CVEs have known exploits (ways to get into the system), including seven of the most critical CVEs. In other words, people with ill intentions can take advantage of the vulnerabilities on the SITA network. Some relate to Microsoft Exchange Server, which hosts some government email services.

In 2021, a group of state-sponsored attackers exploited a vulnerability, dubbed ProxyLogon, that is present on the SITA network to break into Microsoft Exchange Server sites belonging to organisations around the world. This allowed them to access the mail of all users. The vulnerabilities were fixed at the time by Microsoft, but some SITA assets still appear vulnerable.

Some of the CVEs relate to Microsoft's file-sharing protocols. These carry the maximum possible severity rating of 10 out of 10. They have been used by attackers to break into servers and deploy ransomware and other malware.

These are not flaws that require highly sophisticated skills and tools to exploit. There are ready-made tools that have been publicly circulating for years that do it for you.

Technical details

We ran our Shodan analysis of the SITA ASN (AS37130) on 24 May, and re-ran it on 2 June.

Shodan identified 2,150 exposed services across 1,112 unique internet-facing hosts. Of those, 152 hosts were identified as having at least one known vulnerability - one in seven. The dataset spanned more than 30 identifiable government departments that have IT services managed by SITA.

There were over 900 unique CVEs. Of these, 125 are critical (9.0 - 10.0). In total (with duplication), there were 5,014 CVEs across the network.

Some Shodan vulnerability matches are based on detected software versions, and will be false positives. Nevertheless, it is clear that many systems on the SITA ASN are old, exposed, and insufficiently maintained.
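To show how the headline figures in this section (vulnerable hosts, unique CVEs, critical CVEs, total with duplication) are derived, and how the version-based false-positive caveat can be bounded by counting only verified matches, here is an added example. It is not GroundUp's or Shodan's code; the host records are constructed, their shape is an assumed simplification of Shodan's per-host `vulns` field, and the CVE ids are placeholders.

```python
from collections import Counter

CRITICAL = 9.0  # CVSS floor the article uses for "critical"

# Constructed sample data. Assumed shape of Shodan's per-host `vulns` field:
# CVE id -> {"cvss": score, "verified": bool}. Placeholder ids, not real CVEs.
HOSTS = [
    {"ip": "192.0.2.10", "vulns": {"CVE-0000-0001": {"cvss": 9.8, "verified": True},
                                   "CVE-0000-0002": {"cvss": 5.3, "verified": False}}},
    {"ip": "192.0.2.11", "vulns": {"CVE-0000-0001": {"cvss": 9.8, "verified": False},
                                   "CVE-0000-0003": {"cvss": 10.0, "verified": False}}},
    {"ip": "192.0.2.12", "vulns": {}},
    {"ip": "192.0.2.13", "vulns": {"CVE-0000-0001": {"cvss": 9.8, "verified": False}}},
    {"ip": "192.0.2.14", "vulns": {}},
    {"ip": "192.0.2.15", "vulns": {}},
    {"ip": "192.0.2.16", "vulns": {}},
]


def summarize(hosts, verified_only=False, critical=CRITICAL):
    """Aggregate host records into the figures the article reports.

    With verified_only=True, matches that rest only on a detected software
    version (unverified) are dropped, giving a lower bound that excludes the
    false positives mentioned in the text.
    """
    per_host = Counter()     # ip -> number of CVEs kept on that host
    occurrences = Counter()  # CVE id -> number of hosts it appears on
    score = {}               # CVE id -> CVSS score
    for h in hosts:
        for cve, info in h.get("vulns", {}).items():
            if verified_only and not info.get("verified", False):
                continue
            per_host[h["ip"]] += 1
            occurrences[cve] += 1
            score[cve] = info["cvss"]
    vulnerable = len(per_host)  # hosts with at least one CVE kept
    return {
        "hosts": len(hosts),
        "vulnerable_hosts": vulnerable,
        "vulnerable_fraction": vulnerable / len(hosts) if hosts else 0.0,
        "unique_cves": len(occurrences),
        "critical_unique": sum(1 for s in score.values() if s >= critical),
        "total_with_duplication": sum(occurrences.values()),
        # The single CVE repeated most often across the network, as in the article.
        "most_repeated": occurrences.most_common(1)[0] if occurrences else None,
    }


if __name__ == "__main__":
    print(summarize(HOSTS))
    print(summarize(HOSTS, verified_only=True))
```

On the constructed sample, 3 of 7 hosts carry at least one CVE, 3 unique CVEs appear (2 critical) for a total of 5 with duplication, but only 1 of those matches survives when unverified version-based matches are excluded.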
