Cleartext Transmission of Sensitive Information
The application transmits sensitive or security-critical data over an unencrypted communication channel. Because the data is sent in cleartext, an attacker with access to the network path, intermediary infrastructure, logs, packet captures, or internal traffic monitoring points may be able to intercept and read the transmitted information. This can expose credentials, session tokens, configuration data, personal information, or other sensitive application data. In some cases, an attacker may also be able to modify traffic in transit, leading to unauthorised access, session hijacking, or tampering with application behaviour.
Remediation
Ensure all sensitive communication is protected using secure transport encryption, such as HTTPS/TLS. Disable insecure protocols such as HTTP, FTP, Telnet, and other plaintext channels where sensitive data may be transmitted. Configure services to enforce encrypted connections only, use valid certificates, and apply secure TLS settings across the full session, not only during authentication. Security tests should verify that sensitive data is never transmitted over cleartext channels.
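As an added example (not from the original page), a Python pre-deployment check in the spirit of the last sentence above: it flags endpoints that send sensitive data over a cleartext scheme, and encrypted endpoints that have certificate verification switched off. The configuration format, its key names and the sample hostnames are assumptions made for this example.

```python
"""Lint service configuration for cleartext transport of sensitive data."""
from urllib.parse import urlparse

# Schemes that encrypt the whole session, not only the authentication step.
ENCRYPTED_SCHEMES = {"https", "wss", "sftp", "ftps", "ssh", "ldaps", "smtps"}
# Plaintext counterparts, including those named in the remediation guidance.
CLEARTEXT_SCHEMES = {"http", "ws", "ftp", "telnet", "ldap", "smtp"}


def audit_endpoint(name, entry):
    """Return findings for one endpoint entry (hypothetical config shape).

    entry keys: url (str), sends_sensitive (bool), tls_verify (bool, default True).
    """
    findings = []
    scheme = urlparse(entry["url"]).scheme.lower()
    sensitive = entry.get("sends_sensitive", False)
    if sensitive and scheme in CLEARTEXT_SCHEMES:
        findings.append(f"{name}: sensitive data over cleartext scheme '{scheme}' (CWE-319)")
    elif sensitive and scheme not in ENCRYPTED_SCHEMES:
        findings.append(f"{name}: unknown scheme '{scheme}', cannot confirm encryption")
    # An encrypted scheme with verification disabled still permits interception.
    if scheme in ENCRYPTED_SCHEMES and entry.get("tls_verify", True) is False:
        findings.append(f"{name}: TLS certificate verification disabled")
    return findings


def audit_config(config):
    """Audit every endpoint; an empty result means the configuration passes."""
    findings = []
    for name, entry in config.items():
        findings.extend(audit_endpoint(name, entry))
    return findings


# Constructed sample configuration for demonstration; hostnames are placeholders.
SAMPLE_CONFIG = {
    "auth_api": {"url": "http://auth.internal/login", "sends_sensitive": True},
    "metrics": {"url": "http://metrics.internal/ping", "sends_sensitive": False},
    "billing": {"url": "https://billing.example/api", "sends_sensitive": True, "tls_verify": False},
    "backup": {"url": "ftp://backup.internal/dump", "sends_sensitive": True},
    "payments": {"url": "https://pay.example/v1", "sends_sensitive": True},
}

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Wiring `audit_config` into a CI step that fails the build on any finding turns the remediation guidance into an enforced check rather than a review-time reminder.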
Metadata
- Severity: high
- Slug: cleartext-transmission-of-sensitive-information
CWEs
- 319: Cleartext Transmission of Sensitive Information
OWASP
- LLM02:2025: Sensitive Information Disclosure