The security of academic information systems needs consideration in order to anticipate various threats that can result in data leakage, misuse of information, modification, and data destruction. There are 36 public and private universities that use the academic information system software developed by Company XYZ. Limited resources in universities contribute to the weak handling of vulnerabilities in academic information systems. The research aims to determine the vulnerability level of academic information systems developed by Company XYZ through penetration testing. The research employs a deductive approach to explore academic system vulnerabilities based on incidents related to system security issues at a university. The research combines two testing methods, the Penetration Testing Execution Standard (PTES) and the Open Web Application Security Project (OWASP), chosen for their reliability, ease of use, and support by penetration testing tools. Penetration testing follows the PTES, which involves seven steps: pre-engagement interaction, information collection, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting. The threat focus of the research aligns with the OWASP Top 10 of 2021, which ranks the ten most critical security risks. Results reveal eight critical security issues, measured using the Common Vulnerability Scoring System (CVSS) method: two high-level vulnerabilities, five medium-level vulnerabilities, and one low-level vulnerability. The three principal vulnerabilities are Structured Query Language (SQL) injection, broken access control, and weak encryption. Universities can enhance data integrity by independently remediating the vulnerabilities discovered in the research. Furthermore, universities are encouraged to raise awareness within the academic community regarding the security of academic data.