Secret CISO 6/10: AT&T's 86M breach, SentinelOne's China alert, Google's phone fix, Salesforce's cloud flaws

Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity threats and vulnerabilities that shape our digital landscape. Today's issue is a gripping tale of breaches, vulnerabilities, and the relentless pursuit of digital safety.
We begin with a seismic data breach at AT&T, where 86 million customer records, including 44 million Social Security Numbers, have been compromised, igniting fears of identity theft on an unprecedented scale. This breach is a stark reminder of the vulnerabilities lurking within our most trusted service providers.
Meanwhile, SentinelOne has unveiled new details about a breach attempt linked to Chinese actors, underscoring the persistent threat of state-sponsored cyber activities. This revelation serves as a wake-up call for cybersecurity vendors to bolster their defenses against sophisticated international hacking groups.
In the realm of education, Mastery Schools has notified over 37,000 individuals of a data breach that exposed sensitive information, raising questions about the security protocols in educational institutions. Similarly, the healthcare sector is under siege, with Epworth Healthcare and Jackson Health System grappling with breaches that threaten patient privacy.
On the technical front, Google has patched a vulnerability that could have exposed users' phone numbers, while researchers have discovered malicious npm packages designed to wipe out systems, emphasizing the need for vigilance in software development.
Our journey continues with a deep dive into critical vulnerabilities affecting popular platforms like Salesforce, Apache Kafka, and Fortinet products. These vulnerabilities highlight the urgent need for organizations to audit and secure their systems against potential exploits.
Join us as we navigate these turbulent waters, offering insights and strategies to fortify your defenses in an ever-evolving cyber landscape. Stay informed, stay secure.
Data Breaches
- Major data breach exposes 86 million AT&T customer records, sparking identity theft fears: A significant data breach has exposed 86 million AT&T customer records, including over 44 million Social Security Numbers, raising serious concerns about identity theft. The breach has sparked widespread attention due to the sheer volume of sensitive data compromised. Source
- SentinelOne shares new details on China-linked breach attempt: SentinelOne has revealed new insights into a breach attempt linked to Chinese actors, highlighting the ongoing threat of state-sponsored cyber activities. This disclosure underscores the persistent risks posed by sophisticated international hacking groups. Source
- Mastery Schools Notifies 37,031 of Major Data Breach: Mastery Schools has informed over 37,000 individuals about a data breach that occurred in September 2024, which exposed sensitive information such as Social Security numbers and medical details. The breach has raised concerns about the security of educational institutions' data handling practices. Source
- Victorian hospital provider suffers alleged data breach: Epworth Healthcare, a private hospital group in Victoria, has reportedly suffered a data breach after a ransomware group leaked 40 gigabytes of data. This incident highlights the vulnerability of healthcare providers to cyberattacks and the potential impact on patient privacy. Source
- Jackson Health System discloses insider data breach affecting over 2000 patients: Jackson Health System has reported an insider data breach involving unauthorized access to protected health information of over 2000 patients. This incident emphasizes the risks posed by internal threats within healthcare organizations. Source
Security Research
- Google Vulnerability Leaking Phone Numbers Remediated: A security researcher discovered a vulnerability in Google's account recovery system that could have exposed users' phone numbers. The flaw allowed attackers to automate the guessing of phone numbers by bypassing Google's anti-bot mechanism. Google has since fixed the issue to prevent potential exploitation. Source: SC Media
- SentinelOne Warns Cybersecurity Vendors of Chinese Attacks: SentinelOne has alerted cybersecurity vendors about ongoing attacks from Chinese threat actors. The company emphasizes the need for heightened vigilance and collaboration among security vendors to counter these sophisticated threats. The warning highlights the importance of proactive defense strategies in the cybersecurity community. Source: Infosecurity Magazine
- Rust-based Myth Stealer Malware Spread via Fake Gaming Sites: Security researchers have identified a new malware, Myth Stealer, which is being distributed through fake gaming websites. This Rust-based malware targets users of Chrome and Firefox, aiming to steal sensitive information. The discovery underscores the need for users to be cautious when downloading software from unverified sources. Source: The Hacker News
- Poisoned npm Packages Aim for System Wipeout: Researchers from Socket Security have uncovered malicious npm packages designed to wipe out systems. These packages disguise themselves as utilities but contain destructive payloads. The finding serves as a reminder for developers to scrutinize third-party packages before integrating them into their projects. Source: Dark Reading
- Five Zero-Days, 15 Misconfigurations Found in Salesforce Industry Cloud: Security researchers have discovered five zero-day vulnerabilities and 15 misconfigurations in Salesforce's Industry Cloud. These issues could potentially expose sensitive customer data if exploited. The findings highlight the critical need for organizations to regularly audit and secure their cloud configurations. Source: SecurityWeek
Top CVEs
- CVE-2024-47081: Requests, a popular HTTP library, has a URL parsing issue that may leak .netrc credentials to third parties through specific maliciously-crafted URLs. Users are advised to upgrade to version 2.32.4 to mitigate this vulnerability. For older versions, disabling the use of the .netrc file with trust_env=False is recommended. Source.
- CVE-2025-27818: Apache Kafka has a security vulnerability that allows an authenticated operator to execute Java deserialization gadget chains on the Kafka Connect server. This is possible by setting the sasl.jaas.config property to "com.sun.security.auth.module.LdapLoginModule" via various override properties. Users should ensure proper configuration to avoid unrestricted deserialization of untrusted data. Source.
- CVE-2025-49651: Lablup's Backend.AI has a missing authorization vulnerability that allows attackers to take over all active sessions and access, steal, or alter any data reachable from those sessions. This affects all current versions, and users should be vigilant about session management. Source.
- CVE-2025-5888: A cross-site request forgery vulnerability has been identified in jsnjfz WebStack-Guns 1.0. The exploit has been publicly disclosed, and the vendor has not responded to the disclosure. Users should be cautious of remote attacks that could exploit this vulnerability. Source.
- CVE-2025-5903: TOTOLINK T10 4.1.8cu.5207 has a critical buffer overflow vulnerability in the setWiFiAclRules function of the POST Request Handler. This vulnerability can be exploited remotely, and the exploit has been disclosed publicly. Users should update their systems to prevent potential attacks. Source.
API Security
- CVE-2025-22254: An Improper Privilege Management vulnerability in Fortinet products allows an authenticated attacker with read-only admin permissions to gain super-admin privileges via crafted requests to the Node.js websocket. This affects multiple versions of FortiOS, FortiProxy, and FortiWeb. Source.
- CVE-2024-45329: An authorization bypass vulnerability in Fortinet FortiPortal allows an authenticated attacker to view unauthorized device information by modifying keys in the API. This affects multiple versions of FortiPortal. Source.
- CVE-2025-49142: A vulnerability in Nautobot's Jinja2 templating feature allows a malicious user to expose Secrets or modify data by bypassing object permissions. This affects versions prior to 2.4.10 and 1.6.32. Source.
- CVE-2025-48937: The matrix-rust-sdk library fails to validate the sender of encrypted events, allowing a malicious homeserver operator to modify events. This affects versions 0.8.0 to 0.11.0. Source.
- CVE-2024-40625: GeoServer's Coverage REST API allows attackers to upload files from a specified URL without restriction, which exposes the server to further attacks. Source.
Final Words
As we wrap up today's edition of Secret CISO, it's clear that the cyber landscape continues to evolve with both familiar and emerging threats. From major data breaches affecting millions to sophisticated state-sponsored attacks, the importance of staying informed and vigilant cannot be overstated. Each story serves as a reminder of the critical role cybersecurity plays in protecting our personal and professional lives.
Whether it's the exposure of sensitive customer records, the discovery of new vulnerabilities, or the ongoing battle against malware, these incidents highlight the need for robust security measures and proactive defense strategies. As cybersecurity professionals, sharing knowledge and insights is key to building a more secure digital world.
If you found today's newsletter insightful, consider sharing it with your friends and colleagues. By spreading awareness, we can collectively strengthen our defenses and stay one step ahead of potential threats. Together, let's continue to navigate the complexities of cybersecurity with confidence and resilience.
Thank you for being a part of the Secret CISO community. Stay safe, stay informed, and see you in the next edition!