Secret CISO 11/26: Cooper Steel & Delta Dental Breaches, US-China Tech Decoupling, Shai-Hulud 2.0 Attack, Google Nest Privacy Concerns
Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity challenges and triumphs shaping our digital landscape. In this issue, we delve into a series of alarming data breaches, from Cooper Steel Fabricators to Delta Dental of Virginia, highlighting the persistent vulnerabilities in safeguarding sensitive information.
As we navigate the complexities of digital identity, experts raise red flags over the eKYC plan's potential for surveillance and data breaches, while Ascendum Machinery's settlement underscores the financial repercussions of security lapses. Meanwhile, the investigation into BOK Financial's breach and the unsettling findings about Google Nest's data practices remind us of the ongoing battle for privacy and data protection.
In the realm of global tech, the decoupling of US and Chinese research signals a seismic shift in innovation dynamics, while the Shai-Hulud 2.0 attack on NPM repositories exemplifies the escalating threats in software supply chains. On a brighter note, Sweed's bug bounty program offers a proactive approach to fortifying cannabis businesses against cyber threats.
Finally, we spotlight critical vulnerabilities, including stack-based and heap-based buffer overflows in MaLion and MaLionCloud, an authentication-bypass in AiCloud, and an XXE flaw in GeoServer. These vulnerabilities serve as stark reminders of the relentless pursuit of security in an ever-evolving threat landscape.
Stay informed, stay secure, and join us as we continue to explore the stories that matter in cybersecurity.
Data Breaches
- Cooper Steel Fabricators Allegedly Subjected to Data Breach: Cooper Steel Fabricators, a prominent U.S. structural steel fabricator with clients like Amazon, has reportedly been breached. The incident raises concerns about the security of sensitive client data and the potential impact on business operations. Source: SC Media.
- Experts Flag Surveillance, Data Breach Risks in Social Media eKYC Plan: Cybersecurity experts have expressed concerns over a new electronic know-your-customer (eKYC) plan that involves sharing national identity document data with social media platforms. Experts highlight the potential for data breaches and surveillance as significant risks of the plan. Source: Malaysiakini.
- Ascendum Machinery $300,000 Data Breach Settlement: Ascendum Machinery has agreed to a $300,000 settlement following a data breach incident. Individuals affected by the breach may be eligible to claim up to $3,000 as part of the class action settlement. Source: Claim Depot.
- BOK Financial Data Breach Investigation: Strauss Borrelli PLLC is investigating a data breach involving BOK Financial. The breach has raised concerns about the security of financial data and the potential implications for customers. Source: Strauss Borrelli PLLC.
- Delta Dental of Virginia Under Investigation for Data Breach: Delta Dental of Virginia is under investigation following a data breach that exposed the personal information of 145,900 customers. The breach has prompted concerns about data security and privacy protection measures. Source: Morningstar.
Security Research
- Survey ranks Georgia among the worst states for package theft; experts offer tips to stay safe: A report by SafeWise highlights Georgia as the eighth-worst state for package theft, with over 7800 incidents daily. The study suggests preventive measures for residents to protect their deliveries. Source: 11Alive.
- US and Chinese tech research is decoupling—ASPI's Critical Tech Tracker: The report from ASPI's Critical Tech Tracker indicates a growing separation in tech research collaboration between the US and China, driven by US policies addressing national security risks. This decoupling could have significant implications for global tech innovation. Source: The Strategist.
- How cannabis businesses can go digital while thwarting hackers: Sweed, a retail technology platform, has introduced a "bug bounty" program to enhance security by engaging ethical hackers worldwide. This initiative aims to protect cannabis businesses from cyber threats as they transition to digital operations. Source: MJBizDaily.
- Shai-Hulud 2.0: Inside The Second Coming, the Most Aggressive NPM Supply Chain Attack of 2025: The Shai-Hulud 2.0 attack represents a significant escalation in supply chain threats, targeting JavaScript repositories with unprecedented aggression. Security researchers are working to mitigate its impact on the developer community. Source: Checkpoint Blog.
- Google Nest still sends data after remote control cutoff, researcher finds: Security researcher Cody Kociemba discovered that early Nest Learning Thermostats continue to upload sensor data to Google even after remote control is disabled. This finding raises privacy concerns for users of these devices. Source: Fox News.
Top CVEs
- CVE-2025-62691: Security Point Windows of MaLion and MaLionCloud has a stack-based buffer overflow vulnerability in processing HTTP headers. A remote unauthenticated attacker could exploit this flaw by sending a specially crafted request, potentially leading to arbitrary code execution with SYSTEM privilege. Source.
- CVE-2025-59366: An authentication-bypass vulnerability in AiCloud can be triggered by an unintended side effect of the Samba functionality. This flaw allows execution of specific functions without proper authorization, posing a significant security risk. More details can be found in the ASUS Security Advisory. Source.
- CVE-2025-64693: MaLion and MaLionCloud are also affected by a heap-based buffer overflow vulnerability in processing Content-Length. This vulnerability can be exploited by a remote unauthenticated attacker through a specially crafted request, leading to arbitrary code execution with SYSTEM privilege. Source.
- CVE-2025-62703: Fugue, a framework for distributed computing, has a remote code execution vulnerability due to unsafe deserialization in its RPC server. This flaw allows attackers to execute arbitrary code by sending malicious serialized Python objects to the server. The issue has been patched in a recent update. Source.
- CVE-2025-58360: GeoServer, an open-source server for geospatial data, has an XML External Entity (XXE) vulnerability in its GetMap operation. This flaw allows attackers to define external entities within XML requests, potentially leading to data exposure. The vulnerability has been patched in recent GeoServer updates. Source.
Final Words
As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is as dynamic as ever. From the alleged data breach at Cooper Steel Fabricators to the unsettling findings about Google Nest, the stories we've covered today highlight the ever-present challenges and evolving threats in cybersecurity.
Whether it's the risks associated with social media eKYC plans or the vulnerabilities exposed in popular software, staying informed is crucial. The insights from experts and the latest updates on vulnerabilities remind us of the importance of vigilance and proactive measures in safeguarding our digital assets.
We hope you found today's newsletter both informative and engaging. If you did, please consider sharing it with your friends and colleagues. By spreading the word, you help build a community that's better equipped to tackle the cybersecurity challenges of today and tomorrow.
Thank you for being a part of our journey. Stay safe, stay informed, and we'll see you in the next edition of Secret CISO!