Secret CISO 3/7: Conduent & LexisNexis Breaches, China Suspected in FBI Hack, AI Threats in Mexico, OpenAI vs Anthropic in Cybersecurity Race

Welcome to today's edition of Secret CISO, where we unravel the tangled web of cybersecurity breaches and vulnerabilities that are reshaping the digital landscape. In a world where data is the new gold, today's stories reveal the unsettling truth about the fragility of our digital fortresses.

We begin with Conduent Business Services, where a data breach has compromised millions of healthcare-related records, raising alarms about the security of sensitive information. Meanwhile, the U.S. government suspects Chinese involvement in a breach of the FBI's surveillance network, highlighting the persistent threat of nation-state cyberattacks.

LexisNexis faces its second data breach in two years, exposing vulnerabilities in data management systems, while Coupang's significant breach has shaken customer trust and financial stability. EP Wealth Advisors also grapples with a breach compromising Social Security Numbers, prompting legal scrutiny.

In the realm of technology, DJI rewards a researcher for uncovering a flaw in their robot vacuums, emphasizing the importance of bug bounty programs. Meanwhile, the discovery of the iOS exploit kit Coruna raises concerns about the misuse of government-developed hacking tools.

OpenAI's launch of Codex Security intensifies the AI cybersecurity race, as hackers allegedly use AI platforms to breach the Mexican government. In Israel, spyware disguised as an emergency-alert app infiltrates smartphones, underscoring the need for vigilance against malicious apps.

Finally, we delve into critical vulnerabilities, including CVE-2026-23925 in Zabbix, CVE-2024-35644 in Pascal Birchler's plugin, and CVE-2026-29062 in the jackson-core library, each highlighting the ongoing battle to secure our digital environments against exploitation.

Stay informed and stay secure with Secret CISO, your daily guide to navigating the complex world of cybersecurity threats and defenses.

Data Breaches

  1. Conduent Business Services Data Breach Impacts Millions: Conduent, a company providing printing and mailing services, experienced a data breach affecting millions of individuals. The breach involved data from healthcare-related services, raising concerns about the security of sensitive information. The company is currently addressing the issue and working to mitigate the impact. Source: WGAL
  2. US Suspects China in Breach of FBI Surveillance Network: The U.S. government suspects Chinese involvement in a breach of the FBI's surveillance network. This sophisticated attack has prompted a collaborative investigation involving the White House, NSA, and CISA to assess the extent of the breach and bolster defenses. The incident underscores the ongoing cyber threats from nation-state actors. Source: Reuters
  3. LexisNexis Hit by Second Data Breach in Two Years: LexisNexis, a major data provider, suffered its second data breach in two years, compromising sensitive records of law firms, federal regulators, and corporate clients. The breach highlights vulnerabilities in data management systems and the need for enhanced cybersecurity measures. The company is investigating the breach and working to prevent future incidents. Source: American Banker
  4. Coupang Major Customer Data Breach: Coupang, a prominent e-commerce platform, experienced a significant data breach affecting tens of millions of users. The breach has led to weakened customer trends and financial losses for the company. Coupang is taking steps to improve its security infrastructure and restore customer trust. Source: Simply Wall St
  5. EP Wealth Advisors Data Breach Compromises SSNs: EP Wealth Advisors reported a data breach that compromised sensitive information, including Social Security Numbers. The breach has prompted legal investigations and potential class action lawsuits. The firm is working to address the breach and enhance its data protection measures. Source: Class Action

Security Research

  1. DJI Pays $30K for Accidental Hack Exposing 7000 Robot Vacuums: A security researcher was rewarded $30,000 by DJI after accidentally discovering a network flaw in their Romo robovacs, which exposed 7,000 devices to potential hacking. This incident highlights the importance of responsible disclosure and the role of bug bounty programs in improving product security. Source: The Verge, The Tech Buzz
  2. iOS Exploit Kit Coruna May Have Begun Life as iPhone Hacking Tools: Security researchers have identified an iOS exploit kit named Coruna, which may have originated as a set of iPhone hacking tools used by the US government. This revelation raises concerns about the potential misuse of government-developed cyber tools in the wild. Source: PC Gamer
  3. OpenAI Launches Codex Security to Compete with Anthropic: OpenAI has introduced Codex Security, an AI-powered application security agent designed to detect and patch vulnerabilities. This move intensifies the competition with Anthropic, as both companies leverage AI to enhance cybersecurity measures. Source: Phemex News, Bitcoin News
  4. Hackers Allegedly Used AI Platforms to Breach Mexican Government: Security researchers have reported that hackers exploited AI platforms to breach the Mexican government, highlighting the growing threat of AI-assisted cyberattacks. This incident underscores the need for robust cybersecurity measures to defend against sophisticated AI-driven threats. Source: Mexico Business News
  5. Spyware Disguised as Emergency-Alert App Sent to Israeli Smartphones: A spyware campaign disguised as an emergency-alert app has targeted Israeli smartphones, raising concerns about the potential scale and success of the infections. This incident emphasizes the importance of vigilance and security measures to protect against malicious apps. Source: The Register

Top CVEs

  1. CVE-2026-23925: An authenticated Zabbix user with template/host write permissions can exploit the configuration.import API to create unauthorized hosts, leading to potential confidentiality loss. This vulnerability highlights the risks associated with improper permission management in monitoring systems. Source: Vulners.
  2. CVE-2024-35644: A DOM-Based Cross-site Scripting (XSS) vulnerability in Pascal Birchler's Preferred Languages plugin allows improper neutralization of input during web page generation. This flaw affects versions up to 2.2.2, posing a risk of malicious script execution. Source: Vulners.
  3. CVE-2026-29062: The jackson-core library, used by Jackson Data Processor, contains a flaw in its JSON parsing that bypasses the maxNestingDepth constraint, potentially leading to a StackOverflowError and Denial of Service (DoS). This issue has been addressed in version 3.1.0. Source: Vulners.
  4. CVE-2026-27142: Actions inserting URLs into HTML meta tags without escaping can lead to XSS if combined with an http-equiv attribute set to "refresh". A new GODEBUG setting has been introduced to mitigate this risk. Source: Vulners.
  5. CVE-2026-27139: On Unix platforms, File.ReadDir or File.Readdir can return FileInfo referencing files outside the intended directory, allowing metadata access from arbitrary filesystem locations. This vulnerability underscores the importance of strict directory traversal controls. Source: Vulners.

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is as dynamic as ever. From the massive data breaches affecting companies like Conduent and LexisNexis to the sophisticated cyber threats involving nation-state actors and AI-assisted attacks, the need for robust cybersecurity measures has never been more pressing.

We've also seen the positive impact of responsible disclosure and bug bounty programs, as demonstrated by DJI's proactive response to a security flaw. Meanwhile, the competition between AI giants like OpenAI and Anthropic is driving innovation in cybersecurity solutions, offering new tools to combat emerging threats.

As we navigate these challenges, it's crucial to stay informed and vigilant. Sharing knowledge is a powerful tool in our collective defense against cyber threats. If you found today's insights valuable, please consider sharing this newsletter with your friends and colleagues. Together, we can build a more secure digital world.

Thank you for joining us today. Stay safe, stay secure, and see you in the next edition of Secret CISO!
