// ETHICAL HACKING ROADMAP v1.0 //
crafted by FACU • learn. hack. grow.
How a 12-year-old found an RCE in NASA's satellite infrastructure
and walked away with $10,000,000
His name was Mateo Cruz. Twelve years old. Lived in a small apartment in Buenos Aires with his mom, a second-hand laptop held together with tape, and a YouTube playlist of NetworkChuck videos he'd watched seventeen times each.
His school friends played FIFA. Mateo ran nmap.
It started the way all great hacks do — with boredom and curiosity. He'd been learning about IP addresses and port scanning. He knew about Shodan. He knew about the OWASP Top 10. He practiced on TryHackMe every night after dinner while his mom watched telenovelas in the next room.
On the night of March 14th, 2019, at 2:34 in the morning, Mateo did something he'd never done before. He aimed his scanner at the internet.
He almost missed it. Most people would have. Port 9090 showed Oracle WebLogic 10.3.6 — a Java application server. Old. Very old. Mateo had seen this exact version mentioned in a Computerphile video three weeks earlier.
He opened his notes. His handwriting was messy — a 12-year-old's scrawl — but the CVE number was circled in red marker: CVE-2019-2725. An unauthenticated Remote Code Execution vulnerability in Oracle WebLogic Server. The server deserializes untrusted XML data without validation. A remote attacker can send a specially crafted HTTP request and execute arbitrary commands on the server with the privileges of the WebLogic process.
No authentication. No firewall. Port 9090, wide open to the world. Mateo's hands were shaking.
"Okay," he whispered. "Okay. Don't be stupid. Just look."
Mateo crafted the payload by hand. He didn't use Metasploit — he'd read that real hackers understand what they're sending. He built the malicious XML document that would trigger the Java deserialization gadget chain, and attached a reverse shell command.
His heart was beating out of his chest. He set up a netcat listener on port 4444. He fired the request.
The shell came back in 0.3 seconds.
He typed whoami. The server answered: weblogic. He typed uname -a. Linux. NASA. A real NASA server. He ran ls /opt/ and his screen filled with directory names: dsn-telemetry, sat-control-api, deep-space-network, voyager-uplink.
Voyager. As in Voyager 1. In interstellar space.
He could see the uplink commands. He could see satellite positioning data. He could see telemetry from spacecraft that had been flying since before his parents were born.
He took a breath. Then he closed the shell. He didn't touch anything. He opened a text document and started writing the most important email of his life.
He sent the bug report at 4:17 AM. Six pages. Screenshots. The CVE reference. A full proof-of-concept with the exploit steps. The list of sensitive directories he'd found. All the satellite systems that were reachable from the compromised server.
He signed it: "Mateo Cruz, age 12. Buenos Aires. Please don't be mad."
He went to sleep. He woke up at noon to 47 missed calls from numbers he didn't recognize. Three emails from nasa.gov addresses. One from the FBI field office in Buenos Aires. And a voicemail — in English, which his mom translated for him — that said:
"Mateo, this is the NASA Chief Information Security Officer. We need to talk. Today."
Hello NASA Security Team,
My name is Mateo. I am 12 years old and I live in Argentina. I am not a criminal. I was practicing port scanning with nmap as part of my hacking studies and I accidentally found something very serious on your servers. I am writing to you because I think it is the right thing to do.
VULNERABILITY: CVE-2019-2725 — Oracle WebLogic unauthenticated RCE via Java deserialization in the wls-wsat component. CVSS Score: 9.8 CRITICAL.
AFFECTED HOST: dsn-gateway-04.nasa.gov (198.51.100.47) — port 9090 open to the internet with no firewall.
IMPACT: I was able to obtain a remote shell as the 'weblogic' user and access the /opt/ directory which contains what appears to be satellite telemetry and control APIs including references to VOYAGER-1, HUBBLE, and ISS-COM-AUX systems. I did NOT run any commands except ls, whoami, hostname, and cat README.md. I did NOT modify anything. I immediately exited and wrote this report.
PROOF OF CONCEPT: [6 pages of documentation attached]
I hope this helps you fix the problem. Please don't arrest me. I just want to be a good hacker.
— Mateo Cruz, age 12. Buenos Aires, Argentina.
NASA's incident response team had stayed up all night verifying his report. Every single detail was correct. The vulnerability was real. The satellite control API was genuinely exposed. A malicious actor with the same access could have, in theory, disrupted deep space communications or corrupted uplink data to active spacecraft.
The patch was deployed in six hours. The port was firewalled in two. An emergency security audit was ordered across all 47 nodes in the Deep Space Network.
Three weeks later, Mateo Cruz sat in a conference room at NASA's Jet Propulsion Laboratory in Pasadena, California — his first time on an airplane, his first time leaving Argentina — wearing a hoodie that said "hack the planet" while NASA's CISO, two FBI cybercrime agents, and a lawyer looked at him from across a table.
They handed him a check.
He thought it was a mistake. He asked his mom to count the zeros.
There were seven of them.
Mateo Cruz was 12 years old when he found the vulnerability. He was 13 when NASA flew him back to Pasadena to give a talk to their security team. He was 14 when the US government granted him a special cybersecurity research visa. He was 15 when NASA hired him as a part-time security consultant — the youngest in the agency's history.
He still lives in Buenos Aires. He still uses Kali Linux. He still watches NetworkChuck videos, but now he comments corrections in the replies.
He never forgot the lesson that night taught him: the difference between a criminal and a legend is one email.
The report. The disclosure. The choice to do the right thing when no one was watching.
That's what ethical hacking is. That's what you can be.
Mateo started the same way you're starting — watching videos, running nmap, learning one thing at a time. The only difference between you and him right now is time and practice. Start the roadmap below. Stay ethical. Stay curious.
The world needs hackers like you. 🛰️