Secret CISO 11/5: UPenn Lawsuit, Cybersecurity Pros Accused, US Telecoms Breach, FIU Space Security, Redis Vulnerability

Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity challenges and breakthroughs. In this issue, we delve into a series of alarming data breaches and insider threats that have shaken institutions and industries alike.

First, the University of Pennsylvania finds itself embroiled in a class action lawsuit following a data breach that has exposed decades-old personal information, raising questions about the institution's data security practices. Meanwhile, in a shocking twist, three cybersecurity professionals stand accused of orchestrating a cybercrime operation, casting a shadow over the integrity of the industry.

As we navigate these turbulent waters, the Thayer Hotel at West Point and the City of Ottawa grapple with their own data breaches, prompting legal investigations and security reviews. The narrative takes a geopolitical turn with a third-party contractor to US telecoms revealing a breach tied to nation-state hackers, underscoring the persistent threat of state-sponsored cyber activities.

In parallel, Florida's investment in space growth, led by FIU's governance and security research, aims to fortify national security and cybersecurity frameworks. Across the border, a former Hydro-Québec researcher defends against espionage charges, highlighting the complexities of international security.

On the technological front, we explore the potential dangers of self-reproducing AI, vulnerabilities in GitHub Actions, and the stealth tactics of pro-Russian hackers using Linux VMs. Finally, we dissect critical vulnerabilities, including a Redis stack buffer overflow and authentication flaws in Radiometrics VizAir, that pose significant risks to systems worldwide.

Join us as we connect these threads into a cohesive narrative, offering insights and strategies to navigate the ever-evolving cybersecurity landscape.

Data Breaches

  1. UPenn Hit With Class Action Lawsuit Days After Personal Data Breach: The University of Pennsylvania is facing a class action lawsuit following a significant data breach that exposed personal information dating back to the 1970s. The breach has sparked concerns about the university's data security practices and the extent of the compromised information. Source: Law.com
  2. US Prosecutors Say Cybersecurity Pros Ran Cybercrime Operation: In a surprising turn of events, three American cybersecurity professionals have been accused of running a cybercrime operation. This revelation has raised questions about the integrity of cybersecurity experts and the potential for insider threats within the industry. Source: Business Insurance
  3. Thayer Hotel at West Point Data Breach Claims Investigated by Lynch Carpenter: The Thayer Hotel at West Point has experienced a data breach involving sensitive information, including Social Security numbers. Legal investigations are underway to determine the extent of the breach and potential compensation for affected individuals. Source: GlobeNewswire
  4. City of Ottawa Says Data Breach Affected Some My ServiceOttawa Users: A data breach in Ottawa has impacted 2,454 residents, compromising their My ServiceOttawa accounts. The breach involved unauthorized access to personal information, prompting the city to review its security measures. Source: CTV News
  5. Third-Party Contractor to US Telecoms Reveals Security Breach Tied to Nation-State Hackers: A third-party contractor working with US telecom companies has disclosed a security breach linked to nation-state hackers. This incident highlights the vulnerabilities in supply chain security and the ongoing threat posed by state-sponsored cyber activities. Source: CPO Magazine

Security Research

  1. Florida backs space growth as FIU leads governance and security research: Florida is investing in space growth, with Florida International University (FIU) at the forefront of governance and security research. This initiative aims to bolster public policy, national security, and cybersecurity, positioning FIU as a leader in these fields. Source: Space Daily.
  2. Ex-Hydro-Québec researcher, accused of spying for China, defends reputation at trial: A former Hydro-Québec researcher is on trial for alleged economic espionage for China. The 38-year-old has pleaded not guilty under Canada's Security of Information Act, highlighting the complexities of international security and espionage cases. Source: Global News.
  3. The upsurge and threats of self-reproducing AI: SecurityBrief Australia discusses the potential risks posed by self-reproducing AI systems. The article emphasizes the need for security researchers and regulatory bodies to establish safety standards to mitigate these threats. Source: SecurityBrief Australia.
  4. Researching and Remediating RCEs via GitHub Actions: Security researchers Bar Kaduri and Roi Nisimi explore the vulnerabilities in GitHub Actions that could lead to remote code execution (RCE). Their work highlights the importance of analyzing large datasets to enhance public cloud security. Source: SC World.
  5. Pro-Russian Hackers Use Linux VMs to Hide in Windows: Bitdefender's Victor Vrabie reports on a campaign where pro-Russian hackers use Linux virtual machines to conceal their activities on Windows systems. This tactic complicates detection and underscores the evolving nature of cyber threats. Source: Dark Reading.

Top CVEs

  1. CVE-2025-62507: Redis, an open-source in-memory database, has a vulnerability in versions 8.2.0 and above where the XACKDEL command can trigger a stack buffer overflow, potentially leading to remote code execution. This issue is resolved in version 8.2.3, and a workaround involves restricting the XACKDEL operation using ACL. Source: Vulners.
  2. CVE-2025-61956: Radiometrics VizAir lacks authentication mechanisms for critical functions, allowing attackers to modify configurations without authentication. This could lead to manipulated runway settings and meteorological data, misleading air traffic control and pilots. Source: Vulners.
  3. CVE-2025-64110: Cursor, a code editor for AI programming, has a logic bug in versions 1.7.23 and below that allows malicious agents to read sensitive files. This vulnerability can be exploited by creating a new cursorignore file, invalidating existing configurations. The issue is fixed in later versions. Source: Vulners.

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the world of cybersecurity is as dynamic as ever. From the halls of academia at UPenn to the corridors of power in Ottawa, the stories we've covered today highlight the ever-present challenges and evolving threats in our digital landscape.

We've seen how trusted professionals can sometimes be at the heart of cybercrime, reminding us of the importance of vigilance and integrity in our field. Meanwhile, the ongoing battle against nation-state hackers and the vulnerabilities in our supply chains underscore the need for robust security measures and international cooperation.

As Florida invests in space governance and security, and researchers tackle the complexities of AI and remote code execution, it's evident that innovation and research are key to staying ahead of the curve. The vulnerabilities we've discussed, from Redis to Radiometrics VizAir, serve as a stark reminder of the importance of keeping our systems updated and secure.

We hope you found today's insights valuable and thought-provoking. If you did, please consider sharing this newsletter with your friends and colleagues. Together, we can foster a community that is informed, prepared, and resilient in the face of cyber threats.

Until next time, stay secure and vigilant!
