Secret CISO 10/1: Harrods Breach, Google AI Flaws, Router SMS Exploit, VMware Patches - A Web of Vulnerabilities Unraveled

Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity incidents and vulnerabilities that are shaping the digital landscape. In this issue, we delve into a series of alarming data breaches and critical vulnerabilities that have sent shockwaves through various sectors.
We begin with the retail giant Harrods, which has confirmed a major data breach affecting 430,000 customers, raising serious questions about data protection measures. Meanwhile, a union faces legal action after a breach exposed the personal information of 55,000 members, highlighting the legal ramifications of inadequate data security.
In the healthcare sector, a swift email phishing attack compromised the personal health information of 150,000 individuals, underscoring the persistent threat of phishing schemes. Similarly, Harbor, a mental health services provider, is grappling with a data breach, prompting urgent investigations to assess the damage.
On the technological front, Tenable has uncovered vulnerabilities in Google's Gemini AI, revealing the potential for data theft on a massive scale. This discovery serves as a stark reminder of the risks associated with AI systems. Additionally, security researchers have identified a vulnerability in router APIs, exploited to send SMS spam, further emphasizing the need for robust network security.
In response to these threats, Broadcom has patched critical VMware vulnerabilities, and organizations are urged to address a critical flaw in GoAnywhere MFT to safeguard their data. Meanwhile, the launch of zeroday.cloud by Wiz Research aims to tackle emerging threats in cloud and AI technologies through collaborative efforts.
Finally, we spotlight critical vulnerabilities affecting various platforms, including the Telenium Online Web Application, WordPress plugins, and command-line tools, each posing significant risks if left unaddressed.
Stay informed and vigilant as we navigate these challenging times in cybersecurity. Dive into today's stories for a deeper understanding of the threats and solutions shaping our digital world.
Data Breaches
- Harrods Confirms Major Data Breach Affecting 430,000 Customers' Personal Information: U.K. retail giant Harrods experienced a significant data security incident that compromised the sensitive personal details of 430,000 customers. The breach has raised concerns about the security measures in place to protect customer data. Harrods is currently investigating the breach and working to mitigate any potential damage. Source: Teiss.
- Union Sued Over Data Breach Exposing 55K Members' Info: A union is facing a lawsuit after a data breach exposed the personal information of over 55,000 members, including names and Social Security numbers. The breach has led to increased scrutiny over the union's data protection practices and potential legal ramifications. The affected individuals are seeking compensation for the breach of their personal data. Source: Law360.
- Hour-Long Email Phishing Breach Affects PHI of 150,000: A brief email phishing attack compromised the personal health information (PHI) of 150,000 individuals. The organization's security team quickly secured the compromised email account, preventing further damage. An investigation is underway to assess the full impact of the breach and enhance security measures. Source: BankInfoSecurity.
- Harbor, Toledo-based Mental Health Services, Investigating Data Breach: Harbor, a mental health services organization in Toledo, is investigating a data breach that may have compromised sensitive information. The breach has prompted the organization to notify patients, employees, and board members about the potential exposure of their data. Efforts are being made to understand the breach's scope and prevent future incidents. Source: WTOL.
- Superior Vision Services, Inc. Data Breach Alert Issued By Wolf Haldenstein: Superior Vision Services, Inc. has issued a data breach alert following a security incident. The breach has raised concerns about the protection of sensitive customer information and the company's response to the incident. Affected individuals are encouraged to stay vigilant and monitor their accounts for any unusual activity. Source: GlobeNewswire.
Security Research
- Tenable Exposes AI Flaws in Google Gemini: Tenable researchers have identified vulnerabilities in Google's Gemini AI that could have allowed hackers to steal data from millions of users. These flaws highlight the potential risks of AI systems when inputs are manipulated by attackers. Source.
- Risky Bulletin: Router APIs Abused to Send SMS Spam Waves: Security researchers have discovered that attackers are exploiting a vulnerability in router APIs to send waves of SMS spam. This vulnerability, identified in 2023, underscores the ongoing risks associated with unsecured network devices. Source.
- Broadcom Fixes Three High-Severity VMware Bugs: Broadcom has addressed three high-severity vulnerabilities in VMware products, which could have been exploited for unauthorized access and data breaches. These patches are crucial for maintaining the security of enterprise environments using VMware solutions. Source.
- Introducing zeroday.cloud: Cloud and AI Hacking Event: Wiz Research has launched zeroday.cloud, an event focused on uncovering emerging threats in cloud and AI technologies. This initiative aims to foster collaboration among security researchers to address new vulnerabilities in these rapidly evolving fields. Source.
- Critical Vulnerability Alert: CVE-2025-10035 in GoAnywhere MFT: A critical vulnerability has been identified in GoAnywhere MFT, posing significant risks to data security. Organizations using this file transfer solution are urged to apply patches promptly to mitigate potential exploitation. Source.
Top CVEs
- CVE-2025-10659: The Telenium Online Web Application has a critical vulnerability due to a PHP endpoint that improperly handles user-supplied input. This flaw allows unauthenticated attackers to inject arbitrary operating system commands through a crafted HTTP request, leading to remote code execution on the server. The issue arises from insecure termination of a regular expression check, making it a significant threat to affected systems. Source: Vulners.
- CVE-2025-9762: The Post By Email plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the save_attachments function. This vulnerability affects all versions up to, and including, 1.0.4b, allowing unauthenticated attackers to upload arbitrary files to the server. This can potentially lead to remote code execution, posing a severe risk to WordPress sites using this plugin. Source: Vulners.
- CVE-2025-11148: The package check-branches, a command-line tool for confirming no conflicts exist in git branches, is vulnerable to command injection. The vulnerability arises because the tool trusts branch names as plain text and concatenates user input to spawn git commands. This can be exploited by users with access to create branches, allowing them to run arbitrary commands, posing a significant security risk. Source: Vulners.
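The CVE-2025-11148 entry above describes branch names concatenated into a shell command. The following added example (not code from check-branches; all function names and the sample branch names are constructed for illustration) contrasts that pattern with an argument-array call plus a branch-name allowlist.

```javascript
// Added illustration; not the check-branches source. Names are hypothetical.
const { execFile } = require('node:child_process');

// Conservative allowlist, stricter than git's own ref rules. Git accepts
// characters such as ';', '$', '|' and '`' in branch names, and a shell
// treats all of them as syntax.
const SAFE_BRANCH = /^[A-Za-z0-9][A-Za-z0-9._\/-]{0,199}$/;

function isSafeBranchName(name) {
  return typeof name === 'string'
    && SAFE_BRANCH.test(name)      // also rejects a leading '-' (option injection)
    && !name.includes('..')
    && !name.includes('//')
    && !name.endsWith('/')
    && !name.endsWith('.')
    && !name.endsWith('.lock');
}

// Pattern described in the advisory: one string that a shell will re-parse,
// so the branch name becomes part of the command line's syntax.
function unsafeCommandString(branch) {
  return 'git merge-base HEAD ' + branch;
}

// Hardened form: validate first, then pass an argv array. The branch is a
// single argument, and the refs/heads/ prefix keeps it from reading as a flag.
function gitArgsFor(branch) {
  if (!isSafeBranchName(branch)) {
    throw new Error('rejected branch name: ' + JSON.stringify(branch));
  }
  return ['merge-base', 'HEAD', 'refs/heads/' + branch];
}

// execFile runs git directly; no shell is involved by default.
function mergeBase(branch, cwd, callback) {
  execFile('git', gitArgsFor(branch), { cwd }, (err, stdout) =>
    callback(err, err ? null : stdout.trim()));
}

// Constructed sample branch names, classified without running git.
for (const name of ['feature/login-form', 'main;echo INJECTED', '--output=x']) {
  console.log(JSON.stringify(name), isSafeBranchName(name) ? 'accepted' : 'rejected');
}
```

Validation and the argv call are complementary: the allowlist keeps unexpected names out of logs and later tooling, while `execFile` removes the shell parsing step even if the allowlist is later loosened.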
Final Words
As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is fraught with challenges and opportunities. From the major data breaches affecting thousands of individuals to the vulnerabilities in AI and network devices, the need for robust security measures has never been more pressing. Each story we shared today underscores the importance of vigilance and proactive defense strategies in safeguarding personal and organizational data.
In a world where cyber threats are constantly evolving, staying informed is your best defense. Whether it's understanding the implications of a data breach or recognizing the potential risks of AI systems, knowledge is power. We hope today's insights have equipped you with valuable information to navigate these challenges effectively.
If you found this newsletter insightful, please consider sharing it with your friends and colleagues. By spreading awareness, we can collectively enhance our defenses and foster a more secure digital environment for everyone. Together, let's stay ahead of the curve and continue to protect what matters most.
Thank you for being a part of the Secret CISO community. Until next time, stay safe and secure!