Secret CISO 1/27: Treasury-Booz Breach Fallout, Nike Leak Probe, Crunchbase's 2M Record Breach, SEC Consult's Door Hack, Clawdbot AI Risks, Pwn2Own's $1M Zero-Days, ChatGPT Extension Threats

Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity breaches and vulnerabilities that have surfaced across various sectors. Our journey begins with a deep dive into the legal world, where Wisner Baum LLP faces scrutiny over a data breach, raising alarms about the security of sensitive client information. This theme of vulnerability continues as 360 Dental PC grapples with a breach exposing the personal data of thousands of patients, underscoring the fragility of healthcare data.

In a dramatic turn, the U.S. Department of Treasury has severed ties with Booz Allen Hamilton following a breach affecting hundreds of thousands of taxpayers, highlighting the severe repercussions of unauthorized data access. Meanwhile, Nike finds itself in the crosshairs of a potential data leak, prompting an urgent investigation into the claims.

As we navigate through the digital landscape, Crunchbase faces a massive breach impacting over 2 million records, while security experts uncover flaws in access systems that could unlock doors at major European firms, emphasizing the critical need for robust physical security measures.

Our exploration takes a futuristic twist with Clawdbot, an AI agent raising concerns over its potential to gain root access, illustrating the risks of AI systems wielding extensive control. The Pwn2Own event further highlights the relentless pursuit of security, rewarding researchers for uncovering zero-day vulnerabilities.

In the realm of advanced threats, APT attacks targeting the Indian government reveal the persistent danger posed by sophisticated cyber adversaries. Meanwhile, some ChatGPT browser extensions are caught red-handed, maliciously collecting user data, serving as a stark reminder of the perils of unverified third-party tools.

Finally, we delve into the world of vulnerabilities, where critical flaws in Microsoft Office, GnuTLS, Apache Hadoop, AssertJ, and AnythingLLM expose systems to potential exploitation. These vulnerabilities remind us of the ever-present need for vigilance and timely updates to safeguard our digital environments.

Join us as we unravel these stories, each a thread in the complex tapestry of cybersecurity challenges facing organizations today.

Data Breaches

  1. Wisner Baum Data Breach Investigation: Strauss Borrelli PLLC is investigating a data breach at Wisner Baum LLP. The breach has raised concerns about the security of sensitive information handled by the law firm. The investigation aims to determine the extent of the breach and its impact on clients. Source: Strauss Borrelli PLLC
  2. 360 Dental PC Data Breach Exposes SSNs: Up to 11,273 Patients Affected: A data breach at 360 Dental PC has exposed personally identifiable information (PII) and protected health information (PHI) of up to 11,273 patients. The compromised data includes patient names and Social Security numbers. The breach highlights the vulnerability of healthcare data to cyber threats. Source: Claim Depot
  3. Treasury cuts ties with Booz Allen over tax records breach: The U.S. Department of Treasury has severed its relationship with Booz Allen Hamilton following a data breach that affected approximately 406,000 taxpayers. The breach involved unauthorized access to sensitive tax records, prompting the Treasury to cancel all active contracts with the firm. Source: Federal News Network
  4. Nike investigates alleged data breach following leak claims: Nike is investigating claims of a data breach after a cyber attack group alleged it had leaked data associated with the company. The sportswear giant is assessing the situation to determine the validity of the claims and the potential impact on its data security. Source: Marketing-Interactive
  5. Crunchbase, Inc. Under Investigation for Data Breach of Over 2 Million Records: Crunchbase is under scrutiny for a data breach that exposed sensitive information of over 2 million individuals. The breach has raised questions about the company's data protection measures and the potential risks to affected users. Source: Class Action Lawyers

Security Research

  1. Access System Flaws Enabled Hackers to Unlock Doors at Major European Firms: Security experts at SEC Consult discovered vulnerabilities in access systems that allowed hackers to unlock doors at several major European companies. These flaws highlight the critical need for robust security measures in physical access systems to prevent unauthorized entry. Source: SecurityWeek
  2. Clawdbot Is What Happens When AI Gets Root Access: A Security Expert's Take on Silicon Valley's Hottest AI Agent: Clawdbot, an open-source AI assistant, has raised concerns among security experts due to its potential to gain root access and execute commands. This highlights the risks associated with AI systems having extensive control over computing environments. Source: Security Boulevard
  3. Pwn2Own: Researchers Earn $1 Million for 76 Zero-Days: At the Pwn2Own event, researchers were awarded $1 million for discovering 76 zero-day vulnerabilities, emphasizing the ongoing need for vigilance in securing connected devices, particularly in the automotive sector. This event underscores the importance of proactive security research in identifying and mitigating potential threats. Source: Trend Micro
  4. GOGITTER, GITSHELLPAD, and GOSHELL Analysis: Security researchers at ThreatLabz have identified APT attacks targeting the Indian government using tools like GOGITTER, GITSHELLPAD, and GOSHELL. These findings highlight the ongoing danger posed by advanced persistent threats (APTs) and the need for robust cybersecurity defenses. Source: Zscaler
  5. Some ChatGPT Browser Extensions Are Stealing Your Data: Security researcher Natalie Zargarov has revealed that some ChatGPT browser extensions are maliciously collecting user data. This discovery serves as a cautionary tale about the potential risks of using third-party extensions and the importance of verifying their legitimacy. Source: CyberScoop

Top CVEs

  1. CVE-2026-21509: Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally. This vulnerability can be exploited to execute arbitrary code, posing a significant risk to systems running affected versions of Microsoft Office. Users are advised to apply the latest security updates to mitigate this risk. Source: Vulners.
  2. CVE-2025-9820: A flaw in the GnuTLS library's gnutls_pkcs11_token_init function can cause a stack buffer overflow when processing token labels longer than expected. This vulnerability may lead to application crashes or be exploited for code execution, affecting systems relying on GnuTLS. Users should update to the latest version to prevent potential denial of service or privilege escalation attacks. Source: Vulners.
  3. CVE-2025-27821: An out-of-bounds write vulnerability in the Apache Hadoop HDFS native client affects versions from 3.2.0 up to but not including 3.4.2. This flaw can lead to data corruption or potential code execution. Users are recommended to upgrade to version 3.4.2 to address this issue. Source: Vulners.
  4. CVE-2026-24400: AssertJ's XML External Entity (XXE) vulnerability in the toXmlDocumentString method can be exploited to read arbitrary local files, perform Server-Side Request Forgery (SSRF), or cause Denial of Service attacks. Users should upgrade to version 3.27.7 or replace vulnerable methods with safer alternatives to mitigate these risks. Source: Vulners.
  5. CVE-2026-24477: AnythingLLM's configuration with Qdrant prior to version 1.10.0 exposes the QdrantApiKey in plain text, allowing unauthorized access to the vector database. This can lead to a complete compromise of the semantic search functionality and leakage of confidential documents. Updating to version 1.10.0 resolves this vulnerability. Source: Vulners.

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is fraught with challenges and opportunities alike. From the investigation into the Wisner Baum data breach to the vulnerabilities exposed in access systems across Europe, each story serves as a reminder of the critical importance of cybersecurity vigilance.

Whether it's the exposure of sensitive patient data at 360 Dental PC or the severing of ties between the U.S. Treasury and Booz Allen Hamilton, these incidents underscore the need for robust data protection measures. Meanwhile, the ongoing investigations at Nike and Crunchbase highlight the ever-present threat of cyber attacks on major corporations.

In the realm of AI, Clawdbot's potential for root access raises important questions about the security of emerging technologies. The Pwn2Own event, with its impressive bounty for zero-day discoveries, further emphasizes the necessity of proactive security research.

As we continue to navigate these complex issues, it's crucial to stay informed and prepared. We encourage you to share this newsletter with friends and colleagues who might benefit from staying updated on the latest cybersecurity developments. Together, we can foster a more secure digital environment for everyone.

Thank you for joining us today. Until next time, stay safe and vigilant!
