Re: Being fair to Marriott
“Due Diligence...perhaps a pentest pre acquisition...then there is the two years since they bought it.“
I suspect this maybe a case of a large, decentralised infrastructure - it could be as simple as a long forgotten dial up connection that was used for support in the distant past.
Comprehensively testing for that type of flaw can be challenging and easily overlooked in the midst of cost cutting, staff changes and an acquisition.