Secret CISO 12/4: Freedom Mobile, Coupang Breaches; Purdue-ORNL Security Pact; React, Fortinet Flaws Unveiled

Welcome to today's edition of Secret CISO, where the digital landscape's vulnerabilities unfold like a suspenseful thriller. In a world where data breaches are becoming alarmingly routine, today's stories reveal the intricate web of security challenges that organizations across the globe are grappling with.

Freedom Mobile's recent data breach has sent shockwaves through Canada, exposing the fragility of customer data protection. Meanwhile, Coupang's massive breach in South Korea is not just a tale of compromised data but a catalyst for change, urging stronger security laws to protect small businesses.

In the United States, Marquis Software Solutions' breach has left over 74 banks and credit unions on edge, while 700Credit's exposure of consumer Social Security numbers underscores the persistent vulnerabilities in the credit reporting industry. Across the Atlantic, French retail giant Leroy Merlin's breach highlights the retail sector's ongoing battle with cybersecurity.

As institutions like Purdue University and Oak Ridge National Laboratory join forces to bolster national security research, the urgency for robust cybersecurity measures is echoed in the discovery of critical vulnerabilities. From Fortinet FortiWeb's underestimated flaws to the imminent exploitation of a severe React bug, the call for immediate action is clear.

In the realm of IoT, Kohler's smart toilet camera's misleading encryption claims remind us of the importance of transparency and trust in technology. Meanwhile, vulnerabilities like those found in WordPress King Addons and TOTOLINK routers serve as stark reminders of the ever-present threats lurking in our digital environments.

Join us as we delve into these stories and more, unraveling the complex narrative of cybersecurity in today's interconnected world. Stay informed, stay secure.

Data Breaches

  1. Freedom Mobile discloses data breach exposing customer data: Freedom Mobile, Canada's fourth-largest wireless carrier, has revealed a data breach where attackers accessed customer account information. This incident has raised concerns about the security measures in place to protect sensitive customer data. Source: Bleeping Computer.
  2. Coupang's massive data breach sparks growing strain on small businesses: The recent data breach at Coupang, a major South Korean e-commerce company, has not only affected individual users but is also causing significant challenges for small businesses reliant on the platform. The breach has intensified discussions around the need for stronger information security laws in South Korea. Source: Yonhap News.
  3. Marquis data breach impacts over 74 US banks, credit unions: Marquis Software Solutions, a financial software provider, has suffered a data breach affecting numerous banks and credit unions across the United States. The breach has raised alarms about the security of financial data and the potential implications for affected institutions. Source: Bleeping Computer.
  4. 700Credit suffers data breach exposing consumer SSNs: 700Credit, a credit reporting and compliance solutions provider, reported a data breach that exposed consumer names, addresses, and Social Security numbers. This breach highlights the ongoing vulnerabilities in the credit reporting industry and the need for enhanced data protection measures. Source: Dealership Guy.
  5. French DIY retail giant Leroy Merlin discloses a data breach: Leroy Merlin, a leading DIY retailer in France, has informed customers of a data breach that compromised their personal information. The incident underscores the importance of robust cybersecurity practices in the retail sector to safeguard customer data. Source: Bleeping Computer.

Security Research

  1. Purdue, ORNL Sign MOU for National Security Research: Purdue University and Oak Ridge National Laboratory (ORNL) have signed a Memorandum of Understanding (MOU) to collaborate on national security research. This partnership aims to leverage the strengths of both institutions to address pressing security challenges. The collaboration is expected to enhance research capabilities and foster innovation in national security. Source: Mirage News.
  2. Impact of Actively Exploited Fortinet FortiWeb Flaws More Extensive Than Thought: Recent research by Rapid7 has revealed that the impact of vulnerabilities in Fortinet FortiWeb is more extensive than initially believed. Although in-the-wild exploitation has not been observed yet, the flaws present significant security risks. Organizations using FortiWeb are advised to apply patches promptly to mitigate potential threats. Source: SC Media.
  3. WordPress King Addons Flaw Under Active Attack Lets Hackers Make Admin Accounts: A critical flaw in the WordPress King Addons plugin is being actively exploited, allowing attackers to create admin accounts. Discovered by security researcher Peter Thaleikis, this vulnerability affects over 10,000 active installations. Users are urged to update the plugin to the latest version to protect their sites from unauthorized access. Source: The Hacker News.
  4. Exploitation is Imminent of Max-Severity React Bug: Security researchers have identified a severe vulnerability in React that is easy to exploit, with mass exploitation deemed imminent. The flaw allows attackers to execute arbitrary code, posing a significant threat to applications using React. Developers are advised to implement patches immediately to safeguard their systems. Source: The Register.
  5. End-to-End Encrypted Smart Toilet Camera is Not Actually End-to-End Encrypted: Security researcher Simon Fondrie-Teitler has exposed that Kohler's smart toilet camera, marketed as end-to-end encrypted, does not provide true privacy. The analysis reveals that Kohler can access customer data, raising concerns about data security and privacy. Consumers are advised to be cautious about the privacy claims of IoT devices. Source: TechCrunch.

Top CVEs

  1. CVE-2025-55182: A critical pre-authentication remote code execution vulnerability has been identified in React Server Components versions 19.0.0 to 19.2.0. The flaw arises from unsafe deserialization of payloads from HTTP requests, potentially allowing attackers to execute arbitrary code on the server. This vulnerability affects several packages, including react-server-dom-parcel and react-server-dom-webpack. Source: Vulners.
  2. CVE-2025-13086: OpenVPN versions 2.6.0 through 2.7rc1 suffer from improper validation of source IP addresses, enabling attackers to hijack sessions by opening connections from different IP addresses. This vulnerability can lead to denial of service for the original client, posing significant security risks for users relying on OpenVPN for secure communications. Source: Vulners.
  3. CVE-2025-57199: An authenticated command injection vulnerability has been discovered in AVTECH SECURITY Corporation's DGM1104 devices. The flaw resides in the NetFailDetectD binary, allowing attackers to execute arbitrary commands through crafted inputs. This vulnerability poses a severe risk to the security of affected devices. Source: Vulners.
  4. CVE-2025-65027: RomM ROM Manager contains multiple unrestricted file upload vulnerabilities, allowing authenticated users to upload malicious SVG or HTML files. These files can execute embedded JavaScript, leading to stored Cross-Site Scripting (XSS) attacks. Combined with a CSRF misconfiguration, attackers can achieve full administrative account takeover. The issue is resolved in versions 4.4.1 and 4.4.1-beta.2. Source: Vulners.
  5. CVE-2025-34319: TOTOLINK N300RT wireless router firmware versions prior to V3.4.0-B20250430 are vulnerable to OS command injection via the Boa formWsc handling functionality. An unauthenticated attacker can exploit this flaw by sending specially crafted requests, leading to command execution on the device. Source: Vulners.

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is fraught with challenges and opportunities. From data breaches affecting major corporations like Freedom Mobile and Coupang to vulnerabilities in widely used platforms such as WordPress and React, the need for robust cybersecurity measures has never been more pressing.

We also see promising collaborations, like the one between Purdue University and Oak Ridge National Laboratory, aiming to bolster national security research. These partnerships highlight the importance of collective efforts in tackling the complex security issues we face today.

As you navigate these stories, remember that staying informed is your first line of defense. We encourage you to share this newsletter with friends and colleagues who might benefit from these insights. Together, we can foster a more secure digital environment for everyone.

Thank you for being a part of our community. Until next time, stay vigilant and keep your data safe!
