Secret CISO 11/20: DoorDash, Somerville Breaches; 7-Zip RCE Exploited; China Targets ASUS Routers

Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity breaches and vulnerabilities that have surfaced across the globe. In a world where data is the new gold, today's stories highlight the relentless pursuit of sensitive information by cyber adversaries.

We begin with the unsettling breach at Somerville House, an elite Brisbane school, where confidential staff notes about students and parents were leaked, raising alarms about privacy in educational institutions. Meanwhile, DoorDash faces the aftermath of a social engineering scam that exposed customer data, prompting a reevaluation of their security protocols.

In the corporate realm, AT&T's extended deadline for data breach claims offers a glimmer of hope for affected customers seeking compensation, while Logitech's massive data breach, albeit without sensitive information exposure, underscores the vulnerabilities in hardware security.

Healthcare is not spared, as St. Anthony Hospital grapples with a breach that potentially exposed critical staff and patient information, highlighting the urgent need for robust data protection in the medical sector.

On the vulnerability front, the 7-Zip RCE flaw (CVE-2025-11001) is actively exploited, urging users to update their software to fend off potential attacks. Meanwhile, the China-linked "WrtHug" operation and PlushDaemon's supply chain attack on a South Korean VPN service reveal the strategic targeting of network infrastructure by nation-state actors.

Phishing attacks evolve with a new kit using BitB pop-ups to mimic browser address bars, while ServiceNow AI agents face manipulation through second-order prompts, raising concerns about AI security.

Finally, we delve into technical vulnerabilities, from 7-Zip's directory traversal flaw to Twonky Server's cryptographic weakness, AudioCodes Fax Server's script management issue, and HAProxy's denial of service vulnerability, each presenting unique challenges in the cybersecurity landscape.

Stay vigilant and informed as we navigate these complex threats together.

Data Breaches

  1. Somerville House Data Breach: An elite Brisbane school, Somerville House, is in damage control after a data breach leaked staff notes about students' appearances and behavior, as well as information about parents. The school is actively investigating the breach to mitigate its impact. Source: Courier Mail, ABC News.
  2. DoorDash Data Breach: DoorDash has revealed that a data breach occurred due to a social engineering scam targeting an employee. The breach potentially exposed sensitive customer information, prompting the company to enhance its security measures. Source: CNET.
  3. AT&T Data Breach Settlement: A judge has extended the deadline for AT&T customers affected by two data breaches to file claims in a $177 million settlement. The breaches have prompted a significant legal response, offering affected customers compensation. Source: ABC10, YouTube, Money.
  4. Logitech Data Breach: Logitech confirmed a data breach involving 1.8 terabytes of data, although the company claims no sensitive or customer-related information was exposed. The breach has raised concerns about the security of hardware accessory companies. Source: The Economic Times.
  5. St. Anthony Hospital Data Breach: St. Anthony Hospital experienced a data breach potentially exposing staff and patient information, including names, addresses, and Social Security numbers. The hospital is taking steps to address the breach and protect affected individuals. Source: Chicago Sun-Times.

Security Research

  1. 7-Zip RCE flaw (CVE-2025-11001) actively exploited in attacks in the wild: A critical remote code execution vulnerability in 7-Zip, identified as CVE-2025-11001, is being actively exploited. Security researchers have observed this flaw being used in real-world attacks, prompting urgent advisories for users to update their software. Source: Security Affairs.
  2. China-Linked Operation “WrtHug” Hijacks Thousands of ASUS Routers: A cyber operation linked to China, dubbed "WrtHug," has compromised thousands of ASUS routers. This operation highlights the strategic interest of nation-state groups in targeting network infrastructure to expand their espionage capabilities. Source: Infosecurity Magazine.
  3. PlushDaemon Hackers in China Deploy EdgeStepper to Corrupt Software Updates: The PlushDaemon group has executed a supply chain attack, corrupting software updates of a South Korean VPN service. This attack underscores the growing threat of supply chain compromises in the cybersecurity landscape. Source: CyberPress.
  4. Sneaky 2FA Phishing Kit Adds BitB Pop-ups Designed to Mimic the Browser Address Bar: A new phishing kit has emerged, using BitB (Browser in the Browser) pop-ups to mimic browser address bars, making it easier for attackers to deceive users into entering sensitive information. This technique highlights the evolving sophistication of phishing attacks. Source: The Hacker News.
  5. ServiceNow AI Agents Can Be Tricked Into Acting Against Each Other via Second-Order Prompts: Security researchers have discovered that ServiceNow AI agents can be manipulated through second-order prompts, causing them to act against each other. This vulnerability raises concerns about the security of AI-driven systems and the potential for exploitation. Source: The Hacker News.

Top CVEs

  1. 7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability: This vulnerability in 7-Zip allows remote attackers to execute arbitrary code by exploiting symbolic links in ZIP files. Attackers can manipulate ZIP file data to traverse directories and execute code with service account privileges. Source.
  2. Twonky Server Cryptographic Flaw: Twonky Server 8.5.2 on Linux and Windows suffers from a cryptographic flaw due to hard-coded keys. Attackers can decrypt administrator passwords using static keys, gaining unauthorized admin-level access to the server. Source.
  3. AudioCodes Fax Server Unauthenticated Script Management: AudioCodes Fax Server and Auto-Attendant IVR appliances have a vulnerability that allows unauthenticated attackers to write and execute arbitrary files. This is due to an exposed script-management endpoint that runs with high privileges. Source.
  4. HAProxy mjson Denial of Service Vulnerability: An inefficient algorithm complexity in HAProxy's mjson can be exploited by remote attackers to cause a denial of service. This is achieved through specially crafted JSON requests that overload the system. Source.
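The first CVE above hinges on ZIP entries that are symbolic links: an extractor that recreates the link and then writes later entries through it ends up outside the destination directory. The following Python scanner is an added illustration, not code from 7-Zip or from the newsletter; it flags such entries before extraction, using a constructed in-memory archive (the `docs/out` symlink and the `../escape.txt` path are invented samples) rather than any real malicious file.

```python
import io
import posixpath
import stat
import zipfile


def _escapes(path):
    """True if an archive path (or a symlink target resolved relative to the
    archive) would land outside the extraction root once normalised."""
    norm = posixpath.normpath(path)
    return path.startswith("/") or norm == ".." or norm.startswith("../")


def audit_zip(data):
    """Return (member, reason) findings for ZIP entries that an extractor which
    honours symlinks would write outside the destination directory."""
    findings, symlinks = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if _escapes(name):
                findings.append((name, "path escapes extraction root"))
            # The Unix mode lives in the high 16 bits of external_attr.
            if stat.S_ISLNK(info.external_attr >> 16):
                target = zf.read(info).decode("utf-8", "replace")
                if _escapes(posixpath.join(posixpath.dirname(name), target)):
                    findings.append((name, f"symlink to {target!r} escapes root"))
                symlinks.append(name)
            else:
                # A later entry placed under an earlier symlinked directory follows
                # that link on disk: this is the traversal pattern described above.
                for link in symlinks:
                    if name.startswith(link + "/"):
                        findings.append((name, f"written through symlink {link!r}"))
    return findings


def build_sample():
    """Constructed archive reproducing the pattern; not from any real campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless")
        link = zipfile.ZipInfo("docs/out")
        link.create_system = 3                      # mark as Unix so the mode bits apply
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../")                  # symlink target is the entry's content
        zf.writestr("docs/out/payload.txt", "lands two levels above the destination")
        zf.writestr("../escape.txt", "classic zip-slip path")
    return buf.getvalue()
```

Running `audit_zip(build_sample())` reports the symlink, the entry written through it, and the `..` path, while the harmless file is not flagged.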

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is as dynamic as ever, with new challenges and vulnerabilities emerging daily. From the unsettling data breaches at Somerville House and DoorDash to the sophisticated exploits targeting 7-Zip and ASUS routers, the importance of staying informed and vigilant cannot be overstated.

These stories remind us that cybersecurity is not just about technology but also about the people and processes that protect our digital lives. Whether it's a school, a multinational corporation, or a healthcare provider, the ripple effects of a breach can be profound, affecting individuals and communities alike.

As we continue to navigate these complex waters, remember that knowledge is power. By staying informed, we can better protect ourselves and those around us. If you found today's insights valuable, please consider sharing this newsletter with your friends and colleagues. Together, we can build a more secure digital world.

Thank you for being a part of our community. Until next time, stay safe and stay informed!