Secret CISO 6/12: United Natural Foods, SmartAttack, Google Bug, Microsoft Copilot - Retail Breaches and AI Vulnerabilities Converge in a New Era of Cyber Threats

Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity threats and vulnerabilities that shape our digital landscape. As we dive into today's stories, a common thread emerges: the relentless evolution of cyber threats and the urgent need for robust defenses.

In the retail sector, United Natural Foods finds itself in the crosshairs of a significant cyber attack, a stark reminder of the boldness of threat actors targeting sensitive consumer data. Meanwhile, the insurance industry isn't spared, as Erie Insurance grapples with disruptions from a cyberattack, underscoring the pervasive nature of these threats.

Innovative attack vectors are on the rise, with SmartAttack exploiting smartwatches to breach air-gapped systems, and a Google bug revealing vulnerabilities in user privacy. These incidents highlight the sophistication of cybercriminals and the pressing need for innovative security solutions.

Data breaches continue to plague various sectors, from a popular hookup app exposing millions of users' data to a Connecticut orthopedic practice facing legal repercussions. These breaches emphasize the critical importance of data protection and the consequences of human error.

In the realm of vulnerabilities, we uncover flaws in widely used technologies, from Chrome's remote code execution vulnerabilities to Microsoft's Copilot zero-click attack risk. These discoveries serve as a wake-up call for continuous vigilance and timely updates to safeguard against potential exploits.

Join us as we delve deeper into these stories, exploring the implications and strategies to fortify your defenses in an ever-evolving threat landscape. Stay informed, stay secure.

Data Breaches

  1. Retail cyber attacks surge as United Natural Foods hit by breach: United Natural Foods has been targeted in a significant cyber attack, highlighting the increasing boldness of threat actors in the retail sector. The breach underscores the need for enhanced security measures to protect sensitive data and maintain consumer trust. Source: Security Brief UK.
  2. SmartAttack uses smartwatches to steal data from air-gapped systems: A novel cyber attack method, dubbed SmartAttack, leverages smartwatches to exfiltrate data from air-gapped systems, posing a new challenge for cybersecurity defenses. This breach demonstrates the evolving tactics of cybercriminals and the need for innovative security solutions. Source: Bleeping Computer.
  3. Erie Insurance confirms cyberattack behind business disruptions: Erie Insurance experienced a cyberattack that led to significant business disruptions. The company has taken immediate action to secure its systems, but the incident highlights the ongoing threat of cyberattacks to the insurance industry. Source: Bleeping Computer.
  4. Major data breach at popular hookup app leaks data on millions of users: A major data breach at a popular hookup app has exposed the personal information of millions of users. This incident underscores the risks associated with human error and the importance of robust data protection measures. Source: TechRadar.
  5. Conn. Orthopedic Practice Faces Data Breach Class Claims: A data breach at a Connecticut orthopedic practice has led to class action claims, with personal and health data of patients being exposed. This breach highlights the vulnerabilities in healthcare data security and the potential legal repercussions. Source: Law360.

Security Research

  1. Google Bug Allowed Brute-Forcing of Any User Phone Number: A security researcher known as Brutecat discovered a vulnerability in Google's password recovery page that allowed attackers to brute-force any user's phone number. This flaw posed a significant risk to user privacy and security, prompting Google to address the issue swiftly. Source: Dark Reading.
  2. New Security Flaw Allows Eavesdropping via Laptop and Smart Speaker Microphones: Researchers identified a security flaw that enables eavesdropping through the microphones of laptops, Google Home smart speakers, and video conferencing headsets. This vulnerability highlights the potential for unauthorized audio surveillance, raising concerns about privacy in everyday devices. Source: TechXplore.
  3. SinoTrack GPS Devices Vulnerable to Remote Vehicle Control via Default Passwords: Security researcher Raúl Ignacio Cruz Jiménez discovered vulnerabilities in SinoTrack GPS devices that could allow remote vehicle control through default passwords. This finding underscores the importance of securing IoT devices to prevent unauthorized access and potential misuse. Source: The Hacker News.
  4. Critical Flaw in Microsoft Copilot Could Have Allowed Zero-Click Attack: A significant vulnerability in Microsoft Copilot was identified, which could have enabled zero-click attacks. This flaw represents a breakthrough in AI security research, demonstrating the potential risks associated with AI agents and the need for robust security measures. Source: Cybersecurity Dive.
  5. Multiple Chrome Vulnerabilities Allow Attackers to Execute Malicious Code Remotely: Recent updates to Chrome addressed critical security vulnerabilities that allowed remote code execution. These fixes, discovered by external security researchers, highlight the ongoing need for vigilance and timely updates to protect against potential exploits. Source: Cybersecurity News.

Top CVEs

  1. CVE-2025-4673: Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects, potentially leaking sensitive information. This vulnerability could allow attackers to intercept and misuse sensitive data during cross-origin requests. Source: Vulners.
  2. CVE-2025-22874: Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabled policy validation. This issue affects certificate chains with policy graphs, potentially compromising the integrity of secure communications. Source: Vulners.
  3. CVE-2025-0913: os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. This inconsistency could lead to unintended file creation or errors, affecting cross-platform applications. Source: Vulners.
  4. CVE-2025-26383: The iSTAR Configuration Utility (ICU) tool leaks memory, potentially exposing unauthorized data from the Windows PC running ICU. This vulnerability could lead to data breaches and unauthorized access to sensitive information. Source: Vulners.
  5. CVE-2025-32711: AI command injection in M365 Copilot allows an unauthorized attacker to disclose information. This vulnerability could be exploited to gain unauthorized access to sensitive data and compromise system integrity. Source: Vulners.
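The os.OpenFile inconsistency behind CVE-2025-0913 matters because exclusive creation is what programs rely on to avoid being redirected by an attacker-planted symlink in a shared directory. The probe below is an added example, not code from the Go project or the advisory: it plants a dangling symlink in a temporary directory and checks that O_CREATE|O_EXCL through it is refused and that nothing appears at the link target. The helper names (createExclusive, ProbeDanglingSymlink) are hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// createExclusive opens path with O_CREATE|O_EXCL, the pattern used to
// guarantee that a brand-new file is created rather than an existing path
// (or a symlink to one) being reused. Hypothetical helper for this example.
func createExclusive(path string) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return err
	}
	return f.Close()
}

// ProbeDanglingSymlink builds a dangling symlink (link -> nonexistent target)
// in a fresh temp dir, attempts exclusive creation through the link, and
// reports whether the open was refused and whether a file showed up at the
// target. Consistent, safe behaviour is refused=true, targetCreated=false.
func ProbeDanglingSymlink() (refused bool, targetCreated bool, err error) {
	dir, err := os.MkdirTemp("", "excl-probe")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(dir)

	target := filepath.Join(dir, "target.txt") // deliberately never created
	link := filepath.Join(dir, "link")
	if err := os.Symlink(target, link); err != nil {
		return false, false, err
	}

	// On Unix, open(2) with O_CREAT|O_EXCL fails on any symlink (EEXIST).
	// The fix for CVE-2025-0913 makes Windows behave the same way instead
	// of silently creating the file at the symlink's target.
	refused = createExclusive(link) != nil

	_, statErr := os.Lstat(target)
	targetCreated = statErr == nil
	return refused, targetCreated, nil
}

func main() {
	refused, created, err := ProbeDanglingSymlink()
	if err != nil {
		fmt.Println("probe error:", err)
		return
	}
	fmt.Printf("O_EXCL through dangling symlink: refused=%v targetCreated=%v\n", refused, created)
}
```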

API Security

  1. The Events Calendar Plugin Vulnerability (CVE-2025-5144): The Events Calendar plugin for WordPress has a vulnerability in versions up to 6.13.2, allowing authenticated attackers with Contributor-level access to inject arbitrary web scripts. This is due to insufficient input sanitization and output escaping, leading to potential Stored Cross-Site Scripting attacks. Source: Vulners.
  2. Mattermost LDAP Search Filter Injection: Mattermost versions 10.7.x to 9.11.13 have a vulnerability that allows an authenticated administrator to execute LDAP search filter injection. This occurs due to improper validation of LDAP group ID attributes, posing a risk when objectGUID is configured as the Group ID. Source: Vulners.
  3. Mattermost Guest User Information Exposure: In Mattermost versions 10.5.x to 9.11.13, guest users can bypass permissions and view information about public teams they are not members of. This is due to improper restriction of API access to team information, allowing unauthorized data exposure. Source: Vulners.
  4. SunGrow iSolarCloud MQTT Vulnerability (CVE-2025-29756): SunGrow's iSolarCloud system has a vulnerability in its MQTT service, which lacks sufficient restrictions on topic subscriptions. Attackers with an account can extract MQTT credentials and decryption keys to subscribe to all topics, potentially accessing all messages from connected devices. Source: Vulners.

Sponsored by Wallarm API Security Solution

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the cyber landscape is as dynamic and challenging as ever. From the retail sector's escalating threats to the innovative yet alarming SmartAttack, the need for robust security measures is more pressing than ever. Each incident, whether it's the breach at United Natural Foods or the vulnerabilities in SinoTrack GPS devices, serves as a stark reminder of the evolving tactics of cybercriminals and the importance of staying vigilant.

In the world of cybersecurity, knowledge is power. By understanding the latest threats, like the critical flaw in Microsoft Copilot or the vulnerabilities in Chrome, we can better prepare and protect our systems. These stories are not just headlines; they are lessons in the ever-evolving game of cat and mouse between defenders and attackers.

We hope you found today's insights valuable and that they empower you to enhance your security posture. If you did, why not share this newsletter with your friends and colleagues? Together, we can build a more informed and resilient community, ready to tackle the challenges of tomorrow.

Stay safe, stay informed, and see you in the next edition of Secret CISO!