A rather serious vulnerability in a Mexican government website was put up for sale in an underground forum... for only 300 dollars! The worrying thing is that this flaw, of the RCE (Remote Code Execution) type, would give any buyer the power to execute commands directly on the server, as if they were using the government's own computer.
The listing was posted by a user going by the name “Stephanie”, a known figure in the underground trade in illegal access. According to his post, he found the bug in 2025 and claims he can remotely control a server operating under the .gob.mx domain.
To prove that he was not lying, he shared several screenshots with real commands executed on the system: from the list of users, available disk space, to internal server files. In short, an open door to one of the most important systems in the country.
The screenshots shared by the seller show an actual remote session on the server, with fairly technical commands such as id, df -h, free -h and cat /etc/passwd. For those unfamiliar, these commands reveal key system information: which account the commands are running as, which user accounts exist on the system, how much disk space is available, and how much memory the machine has. In this case, the server has over 125 GB of RAM and 6.2 TB of storage, making it clear that this is not a mockup or test environment but a fully operational system.
Everything points to it being a Linux server, probably managed with cPanel, as the folder paths and user names match that type of configuration. In addition, the tests show access to directories of official subdomains, such as “tramites.hidalgomich.gob.mx”, “respirahidalgo.gob.mx” and “declaranet.hidalgomich.gob.mx”. It is not a single compromised site, but several interconnected public services.
This type of vulnerability (known as RCE, or remote code execution) is one of the most dangerous in existence. In essence, it gives the attacker the ability to do whatever they want inside the server: read and modify files, delete information, create backdoors, install malware, or even use that machine as a starting point for attacking other government systems.
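The commands in the screenshots (id, df -h, free -h, cat /etc/passwd) are exactly the process-level trail that an RCE against a web application leaves behind: a shell or a reconnaissance tool spawned under the account the web server runs as. The following is an added example, not code from the article or from any tool it mentions, showing how a defender could flag that pattern in process-execution logs. The log format, the account names (nobody, www-data, apache) and the sample lines are all constructed assumptions for illustration; a real deployment would parse auditd or EDR execve records instead.

```python
import re
from collections import Counter
from typing import List, Optional

# Constructed sample process-execution log in a hypothetical key=value format
# (loosely modelled on auditd execve records; NOT logs from the incident).
SAMPLE_LOG = """\
ts=1717000000 uid=nobody comm=php-fpm argv=/usr/sbin/php-fpm
ts=1717000001 uid=nobody comm=sh argv=sh -c id
ts=1717000002 uid=nobody comm=df argv=df -h
ts=1717000003 uid=nobody comm=cat argv=cat /etc/passwd
ts=1717000004 uid=root comm=cron argv=/usr/sbin/cron
ts=1717000005 uid=adminuser comm=cat argv=cat /etc/passwd
ts=1717000006 uid=nobody comm=free argv=free -h
"""

# Accounts a web application normally runs as (assumed names). A shell or
# recon tool executing under one of these is the signature of web-to-shell RCE:
# the same commands run by an administrator's account are routine.
WEB_SERVICE_USERS = {"nobody", "www-data", "apache"}

# The reconnaissance commands visible in the seller's screenshots, plus the
# shell wrapper through which web application code usually spawns them.
RECON_PATTERNS = [re.compile(p) for p in (
    r"^(?:sh|bash)\s+-c\b",
    r"^id\b",
    r"^df\b",
    r"^free\b",
    r"^cat\s+/etc/passwd\b",
)]

LINE_RE = re.compile(r"^ts=(\d+)\s+uid=(\S+)\s+comm=(\S+)\s+argv=(.*)$")


def parse_line(line: str) -> Optional[dict]:
    """Parse one key=value log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, uid, comm, argv = m.groups()
    return {"ts": int(ts), "uid": uid, "comm": comm, "argv": argv}


def is_recon(argv: str) -> bool:
    """True if the command line matches one of the recon patterns."""
    return any(p.search(argv) for p in RECON_PATTERNS)


def find_suspicious(log_text: str) -> List[dict]:
    """Return the events where a web-service account ran a recon command."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["uid"] in WEB_SERVICE_USERS and is_recon(ev["argv"]):
            hits.append(ev)
    return hits


def users_to_alert(log_text: str, threshold: int = 3) -> List[str]:
    """Accounts with at least `threshold` recon executions, sorted by name.

    A single `df -h` under a web user may be a monitoring script; a burst of
    several different recon commands is the pattern worth paging on."""
    counts = Counter(ev["uid"] for ev in find_suspicious(log_text))
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_LOG):
        print(f"[recon by web user] t={ev['ts']} uid={ev['uid']} argv={ev['argv']}")
    print("alert:", users_to_alert(SAMPLE_LOG))
```

On the constructed sample, four events are flagged (the shell wrapper, df, cat /etc/passwd and free, all under nobody) while the identical cat /etc/passwd from adminuser is ignored, and only nobody crosses the alert threshold. The key design choice is to key on the executing account rather than the command alone: on a cPanel-style host the web stack runs as a low-privilege account, so any interactive-looking command under it is anomalous even when the command itself is benign.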
Experts who have reviewed the evidence say it all looks very legitimate. The server infrastructure, the domains involved and the leaked data match real configurations. Although there is always the possibility that some technical detail remains in doubt, the fact is that there is enough evidence to consider this a serious security case.