Secret CISO 2/19: Cempa & CarGurus Breaches, AI Unveils OpenSSL Flaws, Texas Tech's Security Boost

Welcome to today's edition of Secret CISO, where we unravel the tangled web of cybersecurity incidents and innovations. In this issue, we delve into a series of alarming data breaches that have rocked various sectors, from healthcare to automotive, highlighting the persistent vulnerabilities in corporate data security. Cempa Community Care and CarGurus are among the latest victims, with sensitive information potentially exposed to malicious actors.

Meanwhile, the fintech world is not spared as Figure Technology Solutions grapples with a data breach that has escalated beyond initial containment efforts. In a parallel narrative, a high-profile investment conference in Abu Dhabi faces scrutiny after a breach exposed attendees' personal information, underscoring the risks of large-scale events.

On the corporate front, Adidas is investigating a breach involving a third-party partner, shedding light on the ongoing challenges in supply chain security. As these incidents unfold, the role of AI in enhancing security compliance is gaining traction, with projections indicating significant growth in the market over the next decade.

In a bold move, Texas invests $149 million in Texas Tech University's national security programs, aiming to fortify critical infrastructure against emerging threats. Meanwhile, AI-driven research uncovers twelve new vulnerabilities in OpenSSL, showcasing the potential of AI to revolutionize cybersecurity research.

Security researchers continue to face threats, as seen in the case of Allison Nixon, who received death threats from a hacker. Yet, the resilience of these professionals remains unwavering. In the realm of vulnerabilities, we highlight critical flaws affecting Fedora Linux, glibc, QEMU, FFmpeg, and NLTK, each posing unique risks to systems worldwide.

Join us as we navigate these complex narratives, offering insights and strategies to fortify your defenses in an ever-evolving digital landscape.

Data Breaches

  1. Cempa Care Community Data Breach Investigation: Strauss Borrelli PLLC is investigating a data breach involving Cempa Community Care, a Chattanooga-based organization. The breach has raised concerns about the potential exposure of sensitive patient information, prompting legal scrutiny. Source: Strauss Borrelli PLLC.
  2. ShinyHunters Allegedly Drove Off with 1.7M CarGurus Records: The notorious hacking group ShinyHunters is reported to have stolen 1.7 million records from CarGurus, marking another significant data breach in the automotive sector. This incident highlights ongoing vulnerabilities in corporate data security. Source: The Register.
  3. Figure Breach Enters New Phase After Data Leak Claims: Fintech lender Figure Technology Solutions is dealing with a data breach that has escalated beyond initial containment efforts. Reports suggest that sensitive data has been leaked, raising concerns about the company's data protection measures. Source: Security Boulevard.
  4. Data Breach at Abu Dhabi Investment Conference Exposes Attendees' Information: A data breach at a high-profile investment conference in Abu Dhabi has exposed the personal information of attendees, including passport and identification documents. This incident underscores the risks associated with large-scale events. Source: Binance.
  5. Adidas Investigates Third-Party Data Breach: Adidas is investigating a data breach involving one of its third-party partners, where digital thieves allegedly stole sensitive information. This breach follows a similar incident last year, highlighting ongoing challenges in supply chain security. Source: LinkedIn.

Security Research

  1. AI for Security Compliance Market Size, Share and Trends 2026 to 2035: This research by Precedence Research Pvt. Ltd. explores the growing market for AI in security compliance, projecting significant growth and trends over the next decade. The study highlights the increasing reliance on AI technologies to enhance security measures and compliance protocols. Source: Precedence Research.
  2. Hackers Made Death Threats Against This Security Researcher. Big Mistake.: Security researcher Allison Nixon faced online death threats from a hacker using the aliases "Waifu" and "Judische." The situation underscores the risks faced by cybersecurity professionals and the potential consequences for those who target them. Source: LinkedIn.
  3. Gov. Abbott Announces $149 Million Investment in Texas Tech National Security Programs: Texas is investing heavily in Texas Tech University to bolster its EMP testing and cybersecurity research. This initiative aims to protect critical infrastructure and enhance national security capabilities. Source: KCEN TV.
  4. AI Found Twelve New Vulnerabilities in OpenSSL: An AI-driven research team has identified twelve new vulnerabilities in OpenSSL, marking a significant achievement in cybersecurity research. These findings highlight the potential of AI to uncover critical security flaws that might otherwise go unnoticed. Source: Schneier on Security.
  5. Critical Grandstream VoIP Bug Highlights SMB Security Blind Spot: A security researcher at Rapid7 discovered a critical vulnerability (CVE-2026-2329) in Grandstream VoIP systems. This flaw allows call interception and poses a significant risk to small and medium-sized businesses. Source: Dark Reading.

Top CVEs

  1. CVE-2025-1272: On Fedora Linux, the Linux kernel lockdown mode is disabled without any warning for kernel versions 6.12 and above. This may allow an attacker to gain access to sensitive information such as kernel memory mappings, I/O ports, BPF, and kprobes. Additionally, unsigned modules can be loaded, leading to the execution of untrusted code and breaking any Secure Boot protection. This vulnerability affects only Fedora Linux. Source: Vulners
  2. CVE-2025-0577: An insufficient entropy vulnerability was found in glibc. The getrandom and arc4random family of functions may return predictable randomness if a fork occurs concurrently with a call to one of these functions and they are then called again after the fork. Source: Vulners
  3. CVE-2025-8860: A flaw was found in QEMU in the uefi-vars virtual device. When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write callback uefi_vars_write is invoked. The function allocates a heap buffer without zeroing the memory, leaving the buffer filled with residual data from prior allocations. When the guest later reads from register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback uefi_vars_read returns leftover metadata or other sensitive process memory from the previously allocated buffer, leading to an information disclosure vulnerability. Source: Vulners
  4. CVE-2025-10256: A NULL pointer dereference vulnerability exists in FFmpeg's Firequalizer filter (libavfilter/af_firequalizer.c) due to a missing check on the return value of av_malloc_array in the config_input function. An attacker could exploit this by tricking a victim into processing a crafted media file with the Firequalizer filter enabled, causing the application to dereference a NULL pointer and crash, leading to denial of service. Source: Vulners
  5. CVE-2025-14009: A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall without performing path validation or security checks. This allows attackers to craft malicious zip packages that, when downloaded and extracted by NLTK, can execute arbitrary code. The vulnerability arises because NLTK assumes all downloaded packages are trusted and extracts them without validation. If a malicious package contains Python files, such as __init__.py, these files are executed automatically upon import, leading to remote code execution. This issue can result in full system compromise, including file system access, network access, and potential persistence mechanisms. Source: Vulners
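
The NLTK entry above describes extracting untrusted archives with no path validation. The following is an added example, not NLTK's own code: a hardened extraction routine that checks every member name (absolute paths, `..` components, symlink members, and a resolved path that escapes the destination) before anything is written, and refuses the whole archive if any member fails. The destination directory and the archive contents are constructed for illustration.

```python
import io
import os
import stat
import zipfile

def member_problem(name: str, dest_dir: str) -> "str | None":
    """Return why `name` must not be extracted into dest_dir, or None if safe."""
    norm = name.replace("\\", "/")  # treat backslashes as separators too
    if norm.startswith("/") or os.path.splitdrive(norm)[0]:
        return "absolute path"
    if ".." in norm.split("/"):
        return "path traversal component"
    # realpath also follows symlinks already present under dest_dir
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, norm))
    if os.path.commonpath([dest_real, target]) != dest_real:
        return "escapes destination"
    return None

def unsafe_members(zip_bytes: bytes, dest_dir: str) -> list:
    """List (name, reason) for every archive member that fails validation."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reason = member_problem(info.filename, dest_dir)
            # a symlink member could redirect later writes outside dest_dir
            if reason is None and stat.S_ISLNK(info.external_attr >> 16):
                reason = "symlink member"
            if reason is not None:
                bad.append((info.filename, reason))
    return bad

def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Extract only if every member passes; refuse the whole archive otherwise."""
    bad = unsafe_members(zip_bytes, dest_dir)
    if bad:
        raise ValueError(f"refusing archive, unsafe members: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)
        return [i.filename for i in zf.infolist()]

def build_sample_zip() -> bytes:
    """Constructed archive: one benign file plus one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/data.txt", "benign content\n")
        zf.writestr("../../evil/__init__.py", "# would land outside dest_dir\n")
    return buf.getvalue()
```

Validating before extracting, rather than relying on extractall to sanitize, keeps the decision in code you control and makes a rejected archive visible in logs instead of silently remapped.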

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is as dynamic as ever, with new challenges and innovations emerging daily. From the ongoing investigations into data breaches at Cempa Community Care and CarGurus to the groundbreaking use of AI in uncovering vulnerabilities in OpenSSL, the cybersecurity world is constantly evolving.

We also explored the critical vulnerabilities affecting various systems, such as the Linux Kernel and QEMU, highlighting the importance of staying vigilant and informed. Meanwhile, the significant investment in Texas Tech's national security programs and the rise of AI in security compliance underscore the proactive steps being taken to fortify our defenses.

In a world where cybersecurity threats are ever-present, sharing knowledge is key. If you found today's insights valuable, please consider sharing this newsletter with your friends and colleagues. Together, we can build a more informed and resilient community, ready to tackle the challenges of tomorrow.

Thank you for being a part of Secret CISO. Stay safe, stay informed, and see you in the next edition!