Secret CISO 5/6: NCB's $2.6M Data Breach Settlement, Tennessee Debt Agency Faces Lawsuit, DOGE Engineers Accused of Data Breach, Community Capital Management Exposes Info, Disney Data Leak, Iranian Hackers Breach Middle East Infrastructure

Welcome to today's issue of Secret CISO, your daily dose of the latest in cybersecurity. Today, we're diving into a series of data breaches and security measures that have been making headlines. First up, we have a $2.6M settlement by a debt agency to end data breach claims, along with significant changes to their data security measures. Meanwhile, a debt collections agency in Tennessee is facing its fifth federal lawsuit following a data breach. In whistleblower news, an NLRB employee is encouraging federal workers to speak up after uncovering a potential data breach by DOGE engineers. Community Capital Management has also experienced a data breach, with exposed info potentially leading to legal action and financial recovery for affected individuals. In Georgia, Cobb County has confirmed that a recent data breach was the result of a ransom attack, compromising the information of at least 10 people. On the tech front, the Social Security Administration is rolling out digital Social Security cards, and the Department of Defense is fast-tracking software security reviews. In hacking news, the Co-op hack was reportedly far worse than initially reported, with data stolen by affiliates of the DragonForce ransomware group. A phony hacktivist has also pleaded guilty to leaking sensitive data from Disney. Finally, we'll look at security trends reshaping enterprise resilience into 2027, and how chip-level security is moving to the forefront. Stay tuned for more details on these stories and more in today's issue of Secret CISO.

Data Breaches

  1. Debt Agency Agrees to $2.6M Deal To End Data Breach Claims: A debt collections agency has agreed to a $2.6 million settlement following a data breach. The settlement includes significant changes to business practices aimed at strengthening the agency's data security measures. Source: Law360
  2. NLRB Whistleblower Uncovers Potential Data Breach: Daniel Berulis, a whistleblower at the National Labor Relations Board (NLRB), has encouraged federal workers to speak up after uncovering a potential data breach by DOGE engineers at the NLRB. Source: Federal News Network
  3. Data Breach at Community Capital Management: Community Capital Management has suffered a data breach, exposing sensitive information. Those affected who received a letter in the mail could potentially take legal action and recover money. Source: Class Action Lawsuits
  4. Ransom Attack Confirmed in Cobb County Data Breach: Cobb County, Georgia, has confirmed that a data breach in March, which compromised the information of at least 10 people, was a ransom attack. Source: GovTech
  5. Hacktivist Pleads Guilty to Disney Data Leak: Ryan Mitchell Kramer, who claimed to be part of a Russian hacktivist group protecting artists' rights, has pleaded guilty to stealing sensitive data from Disney. Source: Dark Reading

Security Research

  1. Microsoft RDP Allows Login with Expired Passwords: Security researcher Daniel Wade has discovered a concerning feature in Microsoft's Remote Desktop Protocol (RDP) that allows users to log in with expired passwords. Microsoft reportedly has no plans to fix this issue, raising potential security concerns. Source: MSN
  2. OpenAI Retains Nonprofit Oversight Amid For-Profit Shift: OpenAI, transitioning to a for-profit model, has formed an internal committee to oversee safety and security decisions company-wide. This move is seen as a way to maintain ethical standards in AI development and deployment. Source: BankInfoSecurity
  3. 'Venom Spider' Phishing Scheme Targets Hiring Managers: Security researchers at Arctic Wolf have identified a phishing campaign, dubbed 'Venom Spider', that specifically targets hiring managers and recruiters with specialized spear-phishing emails. Source: Dark Reading
  4. AI-Enabled App Development Outpacing Cybersecurity Controls: Security expert Luttwak, who has more than 15 years of experience in information security, warns that the rapid pace of AI-enabled app development is outstripping cybersecurity controls, potentially leading to increased vulnerabilities. Source: BankInfoSecurity
  5. Microsoft Finds Default Kubernetes Helm Charts Can Expose Data: A report by Microsoft security researchers warns that default configurations in Kubernetes Helm charts, which lack proper security controls, can create a severe security threat by exposing data. Source: Bleeping Computer

Top CVEs

  1. Heap buffer overflow in Google Chrome (CVE-2025-4096): A remote attacker could potentially exploit heap corruption via a crafted HTML page in Google Chrome prior to 136.0.7103.59. This vulnerability is due to a heap buffer overflow in HTML. Source: CVE-2025-4096
  2. Vulnerability in Request Tracker v5.0.7 (CVE-2025-2545): The Triple DES (3DES) cryptographic algorithm used within SMIME code to encrypt S/MIME emails in Best Practical Solutions, LLC's Request Tracker v5.0.7 is considered obsolete and insecure due to its susceptibility to birthday attacks. This could compromise the confidentiality of encrypted data. Source: CVE-2025-2545
  3. XML External Entity vulnerability in WSO2 API Manager (CVE-2025-2905): An XML External Entity (XXE) vulnerability exists in the gateway component of WSO2 API Manager due to insufficient validation of XML input in crafted URL paths. This could allow an unauthenticated remote attacker to read files from the server’s filesystem or perform denial-of-service (DoS) attacks. Source: CVE-2025-2905
  4. Vulnerability in TOTOLINK A720R 4.1.5cu.374 (CVE-2025-4270): An unknown function of the file /cgi-bin/cstecgi.cgi of the component Config Handler in TOTOLINK A720R 4.1.5cu.374 is vulnerable to information disclosure. The manipulation of the argument topicurl with the input getInitCfg/getSysStatusCfg leads to this vulnerability. Source: CVE-2025-4270
  5. Inappropriate implementation in Google Chrome DevTools (CVE-2025-4052): In Google Chrome prior to 136.0.7103.59, a remote attacker who convinced a user to engage in specific UI gestures could bypass discretionary access control via a crafted HTML page due to inappropriate implementation in DevTools. Source: CVE-2025-4052

API Security

  1. Incorrect access control in One v1.0: The component /api/user/manager of One v1.0 has incorrect access control that allows attackers to access sensitive information via a crafted request. This vulnerability is a significant security risk as it can lead to unauthorized access to sensitive data. Source: CVE-2025-45614
  2. Admin rights vulnerability in brcc v1.2.0: Incorrect access control in the /admin/** API of brcc v1.2.0 allows attackers to gain access to Admin rights via a crafted request. This vulnerability poses a severe threat as it can lead to unauthorized administrative access. Source: CVE-2025-45616
  3. Access control issue in Xinguan v0.0.1-SNAPSHOT: Incorrect access control in the /system/user/findUserList API of Xinguan v0.0.1-SNAPSHOT allows attackers to access sensitive information via a crafted request. This vulnerability is a significant security risk as it can lead to unauthorized access to sensitive data. Source: CVE-2025-45608
  4. Authentication bypass in BuddyBoss Platform Pro plugin: The BuddyBoss Platform Pro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.7.01. This is due to insufficient verification on the user being supplied during the Apple OAuth authenticate request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user's Apple ID. Source: CVE-2025-1909
  5. Web Server Resource Exhaustion in Mobile Security Framework (MobSF): MobSF versions <= v4.3.2 are vulnerable to a ZIP of Death (zip bomb) attack. The affected functionality lacks a check on the total uncompressed size of the ZIP file, so a small archive can expand far beyond available storage. An attacker can exhaust the server's disk space, leading to a complete denial of service (DoS) not just for MobSF, but also for any other applications or websites hosted on the same server. Source: GHSA-C5VG-26P8-Q8CR
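The guard the MobSF advisory says is missing, as an added example that is not MobSF's own code: it rejects an archive whose declared uncompressed size or compression ratio exceeds a limit, and still counts the real bytes during extraction because central-directory sizes can be forged. The limits and the in-memory sample archives are constructed for this illustration.

```python
import io
import zipfile

# Limits constructed for this example; tune per deployment.
MAX_TOTAL_UNCOMPRESSED = 1 * 1024 * 1024   # 1 MiB total across all entries
MAX_RATIO = 100                            # uncompressed / compressed per entry
CHUNK = 64 * 1024


class ZipBombError(ValueError):
    """Raised when an archive exceeds the configured size or ratio limits."""


def check_declared_sizes(zf: zipfile.ZipFile) -> int:
    """Fast first pass over the central directory. These headers can be
    forged, so this is a cheap reject, not the only guard."""
    total = 0
    for info in zf.infolist():
        total += info.file_size
        if total > MAX_TOTAL_UNCOMPRESSED:
            raise ZipBombError(f"declared size {total} exceeds limit")
        if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
            raise ZipBombError(f"suspicious ratio on {info.filename}")
    return total


def safe_extract_bytes(data: bytes) -> dict:
    """Extract into memory, counting decompressed bytes as they stream so a
    forged header cannot bypass the limit. Returns {name: content}."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        check_declared_sizes(zf)
        total = 0
        for info in zf.infolist():
            buf = io.BytesIO()
            with zf.open(info) as fh:
                while chunk := fh.read(CHUNK):
                    total += len(chunk)
                    if total > MAX_TOTAL_UNCOMPRESSED:
                        raise ZipBombError("decompressed size exceeds limit")
                    buf.write(chunk)
            out[info.filename] = buf.getvalue()
    return out


def build_zip(entries: dict) -> bytes:
    """Build a sample archive in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def is_safe(data: bytes) -> bool:
    try:
        safe_extract_bytes(data)
        return True
    except ZipBombError:
        return False
```

A few megabytes of zeros deflate to a few kilobytes, which is exactly the shape this check is meant to catch before anything touches disk.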

Sponsored by Wallarm API Security Solution

Final Words

As we wrap up today's edition of Secret CISO, we're reminded of the importance of vigilance and proactive measures in the face of ever-evolving security threats. From data breaches at debt agencies to ransom attacks on local governments, the need for robust security measures has never been more apparent. In the midst of these challenges, we also see promising developments, such as the Pentagon's plans to fast-track software security reviews and the move towards digital Social Security cards. These advancements, coupled with the tireless work of security researchers, give us hope for a more secure future. Remember, security isn't just the responsibility of a select few - it's a team effort. So, share this newsletter with your colleagues and friends, and let's work together to create a safer digital world. Stay safe, stay informed, and stay ahead with Secret CISO.