Privilege Escalation via DB Ports
Attack
Replication needs a super-admin password and an open DB port.

With SQL Replication
The attacker steals the sysadmin-level replication account through the open port 5022 and pivots into other databases.

With RMF's Object Synchronization
The sync connector makes only an outbound secure call, using a short-lived, narrow-scope token, through the XProtect API/SDK (provided certificates are enabled on XProtect). Even if the token is stolen, the damage is limited, and no DB port is open.
