Secret CISO 10/15: AmEx & Vietnam Airlines Breaches, US-China Research Tensions, Apple’s $2M Bounty, Windows Vulnerabilities Unveiled

Welcome to today's edition of Secret CISO, where the digital realm's vulnerabilities unfold like a suspenseful thriller. As we dive into the world of cybersecurity, we uncover a series of breaches and vulnerabilities that weave a complex narrative of risk and resilience.

Our journey begins with the unsettling news of data breaches at Partners in Pediatrics and Vietnam Airlines, where sensitive information has slipped through the cracks, leaving individuals and organizations grappling with the aftermath. Meanwhile, the legal battles intensify as Salesloft and AppFolio face a class action lawsuit, and American Express is under scrutiny for systemic security failures.

In a twist of geopolitical intrigue, intelligence officials raise alarms over US researchers' collaborations with China, underscoring the delicate balance between innovation and national security. As we delve deeper, researchers reveal how a small number of training documents can create a backdoor in large language models, highlighting the vulnerabilities in AI systems.

On the technological frontier, the OUI-SPY emerges as a beacon for security researchers, while Apple raises the stakes with a record-breaking bug bounty. Yet, the shadows of vulnerabilities loom large, with critical CVEs exposing weaknesses in systems from Perfex CRM to Windows, each posing unique threats to data integrity and privacy.

Join us as we navigate this intricate web of cybersecurity challenges, where every breach, vulnerability, and innovation tells a story of its own. Stay informed, stay secure, and remember, in the world of cybersecurity, knowledge is your greatest ally.

Data Breaches

  1. Partners in Pediatrics Data Breach: Lynch Carpenter is investigating claims related to a data breach at Partners in Pediatrics (PIP). Affected individuals may be entitled to compensation and are encouraged to contact legal representatives for further assistance. Source: GlobeNewswire
  2. Vietnam Airlines Customer Data Breach: Vietnam Airlines has experienced a data breach involving a third-party customer service platform. This incident marks the second major breach for the airline, raising concerns about the security of customer data. Source: Tuoi Tre News
  3. Salesloft and AppFolio Data Breach Class Action: Software companies Salesloft Inc. and AppFolio Inc. are facing a class action lawsuit following a data breach in August. The breach has led to legal proceedings in Georgia federal court. Source: Law360
  4. American Express Security Failures: A leaked report has revealed systemic security failures at American Express, exposing sensitive personal information. The privacy watchdog's investigation highlights significant technology security control issues. Source: SMH
  5. Canadian Tire Data Breach: Canadian Tire has reported a data breach affecting customer information, including names, emails, and partial credit card details. The breach impacts online shoppers and raises concerns about the security of e-commerce databases. Source: Daily Hive

Security Research

  1. Intelligence officials voice alarm over US researchers' collaboration with China: Intelligence officials have raised concerns about US researchers collaborating with China, emphasizing the need for universities to safeguard research from foreign interference. This highlights the ongoing geopolitical tensions and the importance of protecting sensitive research data. Source: Fox News.
  2. A Small Number of Training Docs Can Create a LLM Backdoor: Researchers have demonstrated that a small number of training documents can introduce a backdoor into large language models (LLMs), causing denial-of-service errors. This finding underscores the vulnerabilities in AI training processes and the need for robust security measures. Source: Bank Info Security.
  3. Security bug exposed India's taxpayer data: A significant security flaw in India's income tax portal was discovered, potentially exposing sensitive personal data. This incident highlights the critical need for robust cybersecurity measures in government systems to protect citizens' data. Source: CDP Institute.
  4. Oui Spy, Now and beyond: The OUI-SPY is a new portable Bluetooth Low Energy (BLE) detection technology that offers enhanced capabilities for security researchers and enthusiasts. This innovation represents a significant advancement in BLE detection and security research. Source: Hackster.io.
  5. Apple boosts top bug bounty to record $2m: Apple has expanded its security bounty program, increasing the maximum reward to $2 million. This move aims to encourage more security researchers to identify vulnerabilities, thereby enhancing the security of Apple's products. Source: The Stack.

Top CVEs

  1. CVE-2025-60374: Stored Cross-Site Scripting (XSS) in Perfex CRM chatbot before version 3.3.1 allows attackers to inject arbitrary HTML/JavaScript. This vulnerability can lead to client-side code execution, session token theft, and other malicious actions when users view the chat. Source: Vulners.
  2. CVE-2025-0033: Improper access control within AMD SEV-SNP could allow an admin privileged attacker to write to the RMP during SNP initialization, potentially compromising SEV-SNP guest memory. Source: Vulners.
  3. CVE-2025-59294: Exposure of sensitive information in Windows Taskbar Live allows unauthorized attackers to disclose information with physical access. This vulnerability poses a risk of sensitive data exposure. Source: Vulners.
  4. CVE-2025-59230: Improper access control in Windows Remote Access Connection Manager allows authorized attackers to elevate privileges. This can lead to unauthorized access and potential system compromise. Source: Vulners.
  5. CVE-2025-59211: Exposure of sensitive information in Windows Push Notification Core allows authorized attackers to disclose information. This vulnerability could lead to unauthorized data access. Source: Vulners.

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the digital landscape continues to evolve with both challenges and innovations. From data breaches affecting major corporations like Partners in Pediatrics and Vietnam Airlines to groundbreaking advancements in security technology such as the OUI-SPY, the need for vigilance and proactive measures in cybersecurity has never been more crucial.

We've also seen how geopolitical tensions can impact research collaborations and the importance of safeguarding sensitive data against foreign interference. Meanwhile, vulnerabilities in AI training processes and government systems remind us of the ongoing need for robust security protocols.

In the realm of vulnerabilities, the recent CVEs highlight the persistent threats that require our attention and action. Whether it's stored XSS in Perfex CRM or improper access control in Windows systems, staying informed and prepared is key to mitigating risks.

We hope you found today's insights valuable and encourage you to share this newsletter with friends and colleagues who are equally passionate about cybersecurity. Together, we can build a more secure digital world. Until next time, stay safe and stay informed!