Secret CISO 5/24: PowerSchool, Interior Health, Chord Dental, WellNow, GoDaddy Breaches; TikTok, Naukri, GitLab, Ivanti, Massive Database Exploits; Eventin, PSW, DobryCMS, Grafana, StoreKeeper Vulnerabilities; TheHive, OpenFGA Security Flaws

Welcome to today's edition of the Secret CISO newsletter. We're diving into a series of data breaches and the subsequent legal and financial repercussions for the organizations involved. A 19-year-old college student has pleaded guilty to a data breach that threatened to expose personal data, raising concerns about the security measures in place at educational institutions. Meanwhile, B.C.'s Interior Health Authority is facing a class-action lawsuit over a 2009 data breach, and Pennsylvania-based Chord Specialty Dental Partners is dealing with multiple lawsuits following a 2024 data breach.
WellNow Urgent Care has agreed to a $1.1 million class action lawsuit settlement over a 2023 data breach, highlighting the financial consequences of data breaches for healthcare providers. In regulatory news, the U.S. Federal Trade Commission has finalized an enforcement order requiring web hosting company GoDaddy to bolster its security measures following data breach failures.
Turning to cybersecurity, cybercriminals are exploiting TikTok videos to distribute Vidar and StealC malware. A vulnerability in the API used by Naukri on its Android and iOS apps has exposed recruiter email addresses, and security researchers have tricked GitLab's AI developer assistant into inserting malicious code into a script. Chinese cyber spies are exploiting flaws in Ivanti EPMM to breach EU and US organizations, and a massive public database of user records has been left unprotected online.
On the vulnerability front, we're looking at a range of issues, from privilege escalation in Themewinter Eventin to a weak password recovery mechanism in Gilblas Ngunte Possi PSW Front-end Login & Registration. There's also a reflected cross-site scripting vulnerability in DobryCMS, an access control vulnerability in Grafana OSS, and unrestricted file upload in StoreKeeper B.V. StoreKeeper for WooCommerce.
Finally, we're covering a few more vulnerabilities, including broken access control in StrangeBee TheHive, server-side request forgery in StrangeBee TheHive, an authorization bypass in OpenFGA, another access control vulnerability in Grafana OSS, and an unauthenticated arbitrary file read via absolute path. Stay safe out there, and remember to keep your systems updated to mitigate these risks.
Data Breaches
- College Student Behind PowerSchool Data Breach: A 19-year-old college student has agreed to plead guilty to a data breach that threatened to expose personal data. The student's actions have raised concerns about the security measures in place at educational institutions. Source: Fairbury Journal News
- Interior Health Faces Class-Action Lawsuit Over 2009 Data Breach: B.C.'s Interior Health Authority is facing a class-action lawsuit over a data breach in 2009 that allegedly exposed thousands of personal records. The lawsuit highlights the long-term impacts of data breaches on organizations and individuals. Source: Vernon Morning Star
- Data Breach Lawsuits Surge Against Chord Specialty Dental Partners: Pennsylvania-based Chord Specialty Dental Partners is facing multiple lawsuits after a September 2024 data breach compromised personal information. The case underscores the growing legal repercussions for companies failing to protect customer data. Source: JD Supra
- $1.1M WellNow Urgent Care Data Breach Class Action Settlement: WellNow Urgent Care has agreed to a $1.1 million class action lawsuit settlement over a 2023 data breach. The settlement highlights the financial consequences of data breaches for healthcare providers. Source: Top Class Actions
- FTC Finalizes Security Order Against GoDaddy Over Data Breach Failures: The U.S. Federal Trade Commission has finalized an enforcement order requiring web hosting company GoDaddy to bolster its security measures following data breach failures. The order underscores the role of regulatory bodies in enforcing cybersecurity standards. Source: teiss
Security Research
- Hackers Use TikTok Videos to Distribute Vidar and StealC Malware via ClickFix Technique: Cybercriminals are exploiting TikTok videos to distribute Vidar and StealC malware, according to security researcher Junestherry Dela Cruz. This campaign underscores the readiness of attackers to weaponize any social platform for their malicious activities. Source: The Hacker News
- Naukri exposed recruiter email addresses, researcher says: Security researcher Lohith Gowda discovered a vulnerability in the API used by Naukri on its Android and iOS apps, which exposed recruiter email addresses. Source: Yahoo Finance
- Researchers cause GitLab AI developer assistant to turn safe code malicious: Security researchers from Legit demonstrated an attack that tricked GitLab's AI developer assistant into inserting malicious code into a script. Source: Ars Technica
- Chinese cyber spies are using Ivanti EPMM flaws to breach EU, US organizations: Chinese cyber spies are exploiting flaws in Ivanti EPMM to breach EU and US organizations, according to a researcher at Wiz. EclecticIQ researchers noted that UNC5221 demonstrated a deep understanding of EPMM's internal workings. Source: Help Net Security
- Someone Found Over 180 Million User Records in an Unprotected Online Database: A security researcher discovered a massive public database of user records, spanning popular platforms like Facebook, Instagram, and Apple, left unprotected online. Source: Lifehacker
Top CVEs
- CVE-2025-47539 - Incorrect Privilege Assignment in Themewinter Eventin: This vulnerability allows privilege escalation due to incorrect privilege assignment. It affects Eventin versions from n/a through... Source: CVE-2025-47539
- CVE-2025-47646 - Weak Password Recovery Mechanism in Gilblas Ngunte Possi PSW Front-end Login & Registration: This vulnerability allows password recovery exploitation due to a weak password recovery mechanism. It affects PSW Front-end Login & Registration versions from n/a through... Source: CVE-2025-47646
- CVE-2025-4379 - Reflected Cross-Site Scripting in DobryCMS: This vulnerability allows arbitrary JavaScript to be executed on the victim's browser when a specially crafted URL is opened due to improper input validation. It affects DobryCMS versions 2.* and lower. Source: CVE-2025-4379
- CVE-2025-3580 - Access Control Vulnerability in Grafana OSS: This vulnerability allows organization administrators to permanently delete server administrator accounts, potentially leading to a complete loss of administrative control over the Grafana instance. It affects the DELETE /api/org/users/ endpoint. Source: CVE-2025-3580
- CVE-2025-47687 - Unrestricted Upload of File with Dangerous Type in StoreKeeper B.V. StoreKeeper for WooCommerce: This vulnerability allows the upload of a web shell to a web server due to unrestricted file upload. It affects StoreKeeper for WooCommerce versions from n/a through... Source: CVE-2025-47687
API Security
- Broken Access Control in StrangeBee TheHive: A vulnerability in StrangeBee TheHive versions 5.2.0 to 5.4.10 allows remote, authenticated, and unprivileged users to retrieve alerts, cases, logs, observables, or tasks, regardless of their permissions, through a specific API. Users are advised to update to the latest version to mitigate this risk. Source: CVE-2025-48741.
- Server-Side Request Forgery in StrangeBee TheHive: A Server-Side Request Forgery (SSRF) vulnerability in StrangeBee TheHive versions 5.2.0 to 5.5.1 allows remote authenticated attackers with admin permissions to manipulate URLs to direct requests to unexpected hosts or ports. This can be exploited to access other servers on the internal network. Users should update to the latest version. Source: CVE-2025-48739.
- OpenFGA Authorization Bypass: OpenFGA versions v1.8.0 to v1.8.12 are vulnerable to an authorization bypass when certain Check and ListObject calls are executed. Users are advised to upgrade to v1.8.13 to fix this vulnerability. Source: OpenFGA Authorization Bypass.
- Access Control Vulnerability in Grafana OSS: An access control vulnerability in Grafana OSS allows an Organization administrator to permanently delete the Server administrator account. This vulnerability exists in the DELETE /api/org/users/ endpoint and can lead to a complete loss of administrative control over the Grafana instance. Source: CVE-2025-3580.
- Unauthenticated Arbitrary File Read via Absolute Path: CVE-2025-46822 allows unauthenticated users to read internal files via an absolute path. The endpoint is not authenticated, allowing anyone to read the entire organization's files. Users are advised to ensure that the input name is a relative path and that the resolved path stays within the intended file storage root. Source: CVE-2025-46822.
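The containment check recommended in the last item, written out as an added example (it is not code from the affected product or from the CVE advisory; the storage root and the file names are assumed). It shows why a bare path join is not enough: with `pathlib`, joining an absolute name silently discards the root.

```python
from pathlib import Path, PureWindowsPath

# Assumed storage root; in a real service this comes from configuration.
STORAGE_ROOT = Path("/srv/app/files").resolve()


def naive_resolve(name: str, root: Path = STORAGE_ROOT) -> Path:
    """The weak pattern: trust the caller's name and join it onto the root.

    Path("/srv/app/files") / "/etc/passwd" == Path("/etc/passwd"), so an
    absolute name replaces the root instead of being placed beneath it,
    and '..' segments walk out of it.
    """
    return root / name


def safe_resolve(name: str, root: Path = STORAGE_ROOT) -> Path:
    """Return root/name only if name is relative and resolves inside root."""
    if not name or "\x00" in name:
        raise ValueError("empty name or NUL byte")
    # Reject POSIX absolute paths and also Windows drive/UNC forms, so the
    # check does not depend on which platform the service runs on.
    if Path(name).is_absolute() or PureWindowsPath(name).is_absolute():
        raise ValueError("absolute paths are rejected")
    # resolve() collapses '.', '..' and symlinks, so the check below sees
    # the real target, not the textual name the caller supplied.
    candidate = (root / name).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ValueError("path escapes the storage root") from None
    if candidate == root:
        raise ValueError("name must point at an entry below the root")
    return candidate


def is_safe(name: str, root: Path = STORAGE_ROOT) -> bool:
    """Convenience wrapper: True if safe_resolve accepts the name."""
    try:
        safe_resolve(name, root)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for n in ["reports/2024/q1.pdf", "../secrets.txt", "/etc/passwd"]:
        print(f"{n!r}: naive -> {naive_resolve(n)}, safe -> {is_safe(n)}")
```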
Sponsored by Wallarm API Security Solution
Final Words
And that's a wrap for today's edition of Secret CISO. From college students breaching data to the surge in data breach lawsuits, we've covered a lot of ground. It's clear that cybersecurity is a pressing issue that affects us all, from individuals to large corporations. The stories we've shared today underscore the importance of robust security measures and the serious consequences of failing to protect data.
But remember, cybersecurity isn't just about reacting to threats - it's about staying informed and being proactive. That's why we're here, bringing you the latest news and insights from the world of cybersecurity. Whether it's a new vulnerability or a major data breach, we've got you covered.
Before we sign off, we want to remind you that cybersecurity is a shared responsibility. If you found today's newsletter helpful, please consider sharing it with your friends and colleagues. Let's work together to create a safer digital world.
Stay safe, stay informed, and we'll see you in the next edition of Secret CISO.