Replication needs a super-admin password and an open DB port.
Open port for super admin
With SQL Replication
An attacker steals the sysadmin-level replication account via open port 5022 and pivots into other databases.
Hacker Exploits Open Port
With RMF's Object Synchronization
The sync connector makes only an outbound secure call, using a short-lived, narrow-scope token, through the XProtect API/SDK (provided certificates are enabled on XProtect). Even if the token is stolen, the damage is limited, and no DB port is open.