The cyber-security company made its discovery by looking for building management system controllers made by Trend Control Systems via the internet of things (IoT) search tool Shodan.
It knew that a model, released in 2003, could be compromised when exposed directly to the net, even if it was running the latest firmware.
Mr Munro said it had taken him less than 10 seconds to find more than 1,000 examples.
In addition to the schools, he said he had seen cases involving retailers, government offices, businesses and military bases.
Pen Test blogged about its findings earlier in the week, but the BBC delayed reporting the issue until it had contacted and alerted all of the schools that could be identified by name.
West Sussex-based Trend Control Systems advises its customers to use skilled IT workers to avoid the problem.
But it responded to criticism that it could have done more to check its kit had been properly installed after the fact.
“Trend takes cyber-security seriously and regularly communicates with customers to make devices and connections as secure as possible,” said spokesman Trent Perrotto.
“This includes the importance of configuring systems behind a firewall or virtual private network, and ensuring systems have the latest firmware and other security updates to mitigate the risk of unauthorised access.”
He added, however, that the company would “assess and test the effectiveness” of its current practices.
One independent security researcher played down the threat to those still exposed, but added that the case raised issues that should be addressed.
“The risk is limited because criminals have little incentive to carry out such attacks, and even if they did it should be possible for building managers to notice what is happening and manually override,” said Dr Steven Murdoch, from University College London.
“However, these problems do show the potential for far more dangerous scenarios in the future, as more devices get connected to the internet, whose failure might be harder to recover from.
“And we still need manufacturers to design secure equipment, because even if a device is not directly connected to the internet, there almost certainly is an indirect way in.”