Secret CISO 5/8: Hegseth's Password Missteps, North Carolina's Education Data Breach, PowerSchool's Ransom Payment, Infrastructure as Code Security Guide

Good morning, Secret CISO readers! Today's newsletter is packed with critical updates on the latest security breaches and how they're impacting various sectors. First up, we delve into the recent security concerns raised by Hegseth's use of passwords, as reported by The Seattle Times. This incident has sparked a broader conversation about the importance of secure password practices, especially in high-profile roles.

Next, we turn our attention to the education sector, where North Carolina educators have been targeted in a repeat data breach. This alarming development underscores the urgent need for robust data security measures in our schools. In the cloud security realm, Dark Reading provides an insightful guide to Infrastructure as Code (IaC), highlighting the importance of keeping your security measures up to speed with your cloud infrastructure. In another story, we examine the fallout from a massive data breach at a top jobseeker platform, which resulted in over 1.1 million user files being leaked.

Finally, we explore the implications of a recent report from HIPAA Journal on HIPAA Compliance for Software Development, emphasizing the crucial role of trust and data security in the crowded software market. Stay tuned for more updates and in-depth analysis on these stories and more in today's Secret CISO newsletter.

Data Breaches

  1. Hegseth's use of passwords raises new security concerns: Passwords belonging to Waltz, a former national security adviser, have been exposed in internet breaches, raising new security concerns. Source: The Seattle Times
  2. North Carolina educators targeted again: Data breach repeat raises alarms: North Carolina state education officials report a threat actor claiming to have student data months after a data breach involving hacked data management contractor PowerSchool. Source: CBS 17
  3. Over 1.1 million user files leaked following huge data breach at top jobseeker platform: A significant data breach at a leading jobseeker platform has resulted in the leak of over 1.1 million user files. Source: TechRadar
  4. ABC13 pressing AG for answers after Alvin ISD data breach info is released a year after event: A data breach at Alvin ISD in 2024 was only made public recently, prompting ABC13 to question the Office of Attorney General about the delay in disclosure. Source: ABC13
  5. Starkville Utilities Data Breach Lawsuit Investigation: Starkville Utilities is under investigation following a data breach, with potential for a class action lawsuit to recover money for exposure of customer information. Source: ClassAction.org

Security Research

  1. Lazarus Group targets South Korean supply chains via software flaws: The Lazarus Group, a notorious hacking collective, has been exploiting software vulnerabilities to target South Korean supply chains. Kaspersky's GReAT team emphasizes the need for proactive cybersecurity measures to counter such threats. Source: IT Brief Asia
  2. Scammers taking advantage of confusion over REAL ID to steal money, identities: Cybersecurity group Huntress warns of scammers exploiting the confusion around REAL ID to steal money and identities. They are reportedly sending fake emails and texts to unsuspecting victims. Source: ABC7 Chicago
  3. Over 19 billion passwords have been leaked in security 'crisis': A recent analysis reveals a massive security crisis with over 19 billion passwords leaked. The leaked data is loaded with information that could be used to steal accounts or impersonate affected individuals. Source: The Independent
  4. Jailbreakers Use Invisible Characters to Beat AI Guardrails: In a new development, jailbreakers are using invisible characters to bypass AI guardrails. The National Institute of Standards and Technology (NIST) is studying this phenomenon. Source: BankInfoSecurity
  5. Pegasus Spyware Verdict 'Incredible Moment' for Longtime Critics: The verdict on the Pegasus spyware is being hailed as an 'incredible moment' by longtime critics. Despite its intended use for combating crime and terrorism, governments have been found to misuse the technology for surveillance. Source: Bloomberg

Top CVEs

  1. Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ: A vulnerability in Apache ActiveMQ could lead to excessive memory allocation and be exploited to cause a denial of service (DoS) by depleting process memory. This issue affects versions from 6.0.0 before 6.1.6, from 5.18.0 before 5.18.7, from 5.17.0 before 5.17.7, and before 5.16.8. Users are recommended to upgrade to a fixed version. Source: CVE-2025-27533
  2. Heap buffer overflow in gnuplot: Gnuplot is affected by a heap buffer overflow vulnerability. No further details are provided. Source: CVE-2025-31177
  3. Privilege Escalation in Frontend Dashboard plugin for WordPress: The Frontend Dashboard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check. This makes it possible for unauthenticated attackers to reset the administrator’s email and password, and elevate their privileges. Source: CVE-2025-4104
  4. Stored cross-site scripting vulnerability in i-Educar: i-Educar, a fully online school management software, fails to properly validate and sanitize user supplied input, leading to a stored cross-site scripting vulnerability. This could allow a malicious user to retrieve information belonging to another user, leading to sensitive information leakage or other malicious actions. Source: CVE-2024-55651
  5. Unauthorized write access vulnerability: An admin user can gain unauthorized write access to the /etc/rc.local file on the device, a file which the system executes. No further details are provided. Source: CVE-2025-4043

API Security

  1. Cisco IOS XE Software Network Configuration Access Control Module Vulnerability: A vulnerability in the Network Configuration Access Control Module (NACM) of Cisco IOS XE Software could allow an authenticated, remote attacker to obtain unauthorized read access to configuration or operational data due to a subtle change in inner API call behavior. Source: CVE-2025-20214
  2. Cisco Catalyst Center Management API Vulnerability: A vulnerability in the management API of Cisco Catalyst Center could allow an unauthenticated, remote attacker to read and modify the outgoing proxy configuration settings due to the lack of authentication in an API endpoint. Source: CVE-2025-20210
  3. Cisco Catalyst SD-WAN Manager Application Data Endpoints Vulnerability: A vulnerability in the application data endpoints of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to write arbitrary files to an affected system due to improper validation of requests to APIs. Source: CVE-2025-20187
  4. Cisco IOS XE Software for Wireless LAN Controllers Vulnerability: A vulnerability in the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for Wireless LAN Controllers could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system due to the presence of a hard-coded JSON Web Token (JWT) on an affected system. Source: CVE-2025-20188
  5. Cisco IOS XE Wireless Controller Software Lobby Ambassador Web Interface Vulnerability: A vulnerability in the lobby ambassador web interface of Cisco IOS XE Wireless Controller Software could allow an authenticated, remote attacker to remove arbitrary users that are defined on an affected device due to insufficient access control of actions executed by lobby ambassador users. Source: CVE-2025-20190

Sponsored by Wallarm API Security Solution

Final Words

That's it for today's edition of Secret CISO. We've covered a lot of ground, from the alarming security concerns raised by Hegseth's use of passwords to the repeated data breaches targeting North Carolina educators. We've also delved into the power and potential pitfalls of Infrastructure as Code (IaC) and the worrying trend of ransom demands linked to cyberattacks on school boards.

Remember, staying informed is the first step in staying secure. Share this newsletter with your friends and colleagues to keep them in the loop on the latest cybersecurity news. Stay safe and secure until our next edition of Secret CISO.

By Secret CISO