Secret CISO 6/16: VirtualMacOSX Breach, Microsoft Secure Boot Flaw, Washington Post Cyberattack, Dr. Liu Yang's Cybersecurity Innovations


Welcome to today's edition of Secret CISO, where we delve into the latest cybersecurity breaches and vulnerabilities that are shaking the digital world. Our top story reveals a massive data leak affecting 10,000 VirtualMacOSX customers, exposing sensitive personal and financial information. This breach underscores the urgent need for robust security measures to protect user data.

In a related wave of cyber incidents, Sensata Technologies and Alera Group have both disclosed significant data breaches, highlighting vulnerabilities in their cybersecurity infrastructures. Meanwhile, the Washington Post is grappling with a cyberattack targeting its journalists, raising alarms about the security of sensitive communications within media organizations.

On the legal front, Patelco Credit Union has settled a class-action lawsuit for $7.25 million following a cyberattack, marking a significant step towards compensating affected members and enhancing cybersecurity defenses.

In the realm of vulnerabilities, a critical flaw in a Microsoft-signed firmware module has been discovered, allowing attackers to bypass Secure Boot. This vulnerability serves as a stark reminder of the importance of rigorous security checks, even for trusted components.

We also spotlight Dr. Liu Yang, a cybersecurity champion recognized for her leadership in transforming research into practical solutions, and discuss the rising threat of "wrench attacks" targeting crypto wealth, emphasizing the need for personal safety measures.

Finally, we explore a series of newly disclosed vulnerabilities, including a critical buffer overflow in H3C GR-3000AX and a path traversal issue in M-Files Server, urging immediate attention and patching to safeguard systems from potential exploits.

Stay informed and vigilant as we navigate these turbulent cybersecurity waters together.

Data Breaches

  1. Hackers Leak Data of 10,000 VirtualMacOSX Customers in Alleged Breach: Hackers have reportedly leaked the data of 10,000 VirtualMacOSX customers, exposing sensitive information such as names, emails, passwords, and financial data on a hacking forum. This breach has raised significant concerns about the security measures in place to protect user data. Source: Hackread.
  2. Sensata Technologies Discloses Data Breach Due to Ransomware: Sensata Technologies has informed both past and present employees of a data breach following a ransomware attack in April. The breach has highlighted vulnerabilities in the company's cybersecurity infrastructure, prompting a review of their security protocols. Source: iZOOlogic.
  3. Alera Group Reports Data Breach: Alera Group has reported a data breach that may have exposed sensitive information, including names, Social Security numbers, medical records, and financial account details. The company is currently investigating the breach and taking steps to mitigate any potential damage. Source: Coverager.
  4. Washington Post Investigating Cyberattack on Journalists: The Washington Post is investigating a cyberattack that targeted the emails of its journalists, including those on the national security and economic policy teams. This breach has raised concerns about the security of sensitive communications within media organizations. Source: DataBreaches.Net.
  5. Patelco Agrees to Settle Class-Action Lawsuit Over Cyberattack for $7.25M: Patelco Credit Union has agreed to settle a class-action lawsuit for $7.25 million following a cyberattack that caused systemwide outages last summer. The settlement aims to compensate affected members and improve the organization's cybersecurity measures. Source: Pleasanton Weekly.

Security Research

  1. Microsoft-Signed Firmware Module Bypasses Secure Boot: A newly discovered vulnerability in a firmware module signed under Microsoft's UEFI certificate authority, and therefore trusted by Secure Boot on any machine that carries that CA, allows attackers to bypass Secure Boot, the boot-time check designed to stop unsigned or tampered code from running before the operating system loads. Because the module itself is legitimately signed, exploitation does not require breaking a signature: the flaw could be used to install a persistent bootkit that runs ahead of, and out of sight of, OS-level security tools. The discovery underscores the importance of rigorous security checks even for trusted, signed components, and of keeping UEFI revocation data (the dbx) current. Source: BankInfoSecurity.
  2. Meet GI's Cybersecurity Champion: Dr. Liu Yang, Executive Director, CyberSG R&D Programme Office: Dr. Liu Yang is recognized for her leadership in translating cybersecurity research prototypes into practical solutions for national security agencies and industry. Her work at CyberSG R&D Programme Office highlights the critical role of research in advancing cybersecurity capabilities and fostering innovation. Source: GovInsider.
  3. For those with crypto wealth, beware the wrench attack: In a discussion on The Excerpt, experts highlight the growing threat of "wrench attacks," where physical force is used to extract cryptocurrency keys from individuals. This underscores the need for robust security measures beyond digital protections, emphasizing personal safety and secure storage practices for digital assets. Source: YouTube.

Top CVEs

  1. CVE-2025-6092: A vulnerability in comfyanonymous comfyui up to version 0.3.39 allows for cross-site scripting via the /upload/image component. This issue can be exploited remotely, and the exploit has been publicly disclosed. The vendor was contacted but did not respond. Source: Vulners.
  2. CVE-2024-25573: Unsanitized user-supplied data in the PingFederate Administrative Console can lead to the execution of JavaScript code, posing a security risk. Source: Vulners.
  3. CVE-2025-5964: A path traversal vulnerability in M-Files Server before version 25.6.14925.0 allows authenticated users to read arbitrary files, posing a significant security risk. Source: Vulners.
  4. CVE-2025-6091: A critical buffer overflow vulnerability in H3C GR-3000AX V100R007L50 can be exploited remotely via the UpdateWanParamsMulti/UpdateIpv6Params function. The vendor acknowledges the issue but has not prioritized an immediate fix. Source: Vulners.
  5. CVE-2025-6094: FoxCMS up to version 1.2.5 is affected by a critical SQL injection vulnerability in the batchCope function, which can be exploited remotely. The exploit has been publicly disclosed. Source: Vulners.

API Security

  1. CVE-2025-6098: A critical vulnerability was discovered in UTT 进取 750W up to version 5.0, affecting a strcpy call in the API component. The flaw allows remote attackers to trigger a buffer overflow via the passwd1 argument, since the input is copied without a length check. Despite early notification, the vendor has not responded, and the exploit is publicly available. Source: Vulners.
  2. CVE-2025-5964: M-Files Server, prior to version 25.6.14925.0, contains a path traversal vulnerability in its API endpoint. This flaw permits authenticated users to read files from the server, posing a significant security risk. Source: Vulners.
  3. CVE-2025-5990: Crafty Controller's API Key and Server Name form components are vulnerable to input neutralization issues, allowing remote attackers to execute stored XSS attacks. This vulnerability requires authentication but poses a risk of malicious script execution. Source: Vulners.
  4. Exploit for CVE-2025-29927: A critical vulnerability in Next.js allows attackers to bypass authorization checks implemented in middleware. Next.js uses the internal x-middleware-subrequest header to recognise its own nested subrequests and skip re-running middleware on them; because the header was trusted even when supplied by an external client, a request that carries it reaches protected routes without the middleware ever running. A proof of concept demonstrates the bypass with a crafted header value. Upgrade to a patched Next.js release, and, where that is not yet possible, strip x-middleware-subrequest from inbound requests at the reverse proxy or CDN. Source: Vulners.

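The Next.js item above describes a trusted internal header reaching middleware dispatch from the outside. As an added example that is not Next.js's own code, the JavaScript below models that dispatch in miniature: a vulnerable dispatcher that skips middleware once the header reports enough nesting, the same dispatcher behind a proxy that strips the header from external traffic, and a one-line detector for proxy or WAF logs. The middleware module name, the depth limit of 5, the route table, the session check and the request objects are assumptions constructed for this example and modelled on the public write-ups, not lifted from the framework.

```javascript
// Added example: simplified model of the middleware-skip logic behind
// CVE-2025-29927. Not Next.js code; names, limit and routes are assumptions.

const MIDDLEWARE_NAME = 'middleware';       // assumed module name
const MAX_RECURSION_DEPTH = 5;              // assumed skip threshold
const INTERNAL_HEADER = 'x-middleware-subrequest';

// Constructed route table: /admin is meant to sit behind the auth middleware.
const routes = {
  '/': () => ({ status: 200, body: 'public home' }),
  '/admin': () => ({ status: 200, body: 'admin dashboard' }),
};

function routeHandler(path) {
  return routes[path] || (() => ({ status: 404, body: 'not found' }));
}

// Auth middleware: protected paths need a valid session cookie.
// Returns a response to short-circuit, or null to continue.
function authMiddleware(req) {
  if (req.path.startsWith('/admin') && req.cookies.session !== 'valid') {
    return { status: 307, body: 'redirect to /login' };
  }
  return null;
}

// Vulnerable model: the header, intended only for the runtime's own nested
// subrequests, is read straight from the request, so a client can set it.
function shouldSkipMiddlewareVulnerable(headers) {
  const value = headers[INTERNAL_HEADER] || '';
  const depth = value.split(':').filter((n) => n === MIDDLEWARE_NAME).length;
  return depth >= MAX_RECURSION_DEPTH;
}

function dispatchVulnerable(req) {
  if (!shouldSkipMiddlewareVulnerable(req.headers)) {
    const mw = authMiddleware(req);
    if (mw) return mw;
  }
  return routeHandler(req.path)();
}

// Hardened handling: the edge proxy drops the internal header from anything
// arriving from outside before the application ever sees it.
function stripInternalHeaders(headers) {
  const clean = { ...headers };
  delete clean[INTERNAL_HEADER];
  return clean;
}

function dispatchHardened(req) {
  const safeReq = { ...req, headers: stripInternalHeaders(req.headers) };
  const mw = authMiddleware(safeReq);
  if (mw) return mw;
  return routeHandler(safeReq.path)();
}

// Detection: no legitimate external client sends this header, so its mere
// presence on an inbound request is worth an alert.
function isBypassAttempt(headers) {
  return Object.prototype.hasOwnProperty.call(headers, INTERNAL_HEADER);
}

// Constructed request: no session, but the PoC-style header.
const attackerRequest = {
  path: '/admin',
  cookies: {},
  headers: { [INTERNAL_HEADER]: Array(MAX_RECURSION_DEPTH).fill(MIDDLEWARE_NAME).join(':') },
};

console.log('vulnerable:', dispatchVulnerable(attackerRequest));
console.log('hardened:  ', dispatchHardened(attackerRequest));
console.log('flagged:   ', isBypassAttempt(attackerRequest.headers));
```

Stripping the header at the edge is the documented interim mitigation; it does not replace upgrading, since any path that reaches the application without passing through the proxy still carries the bug.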
Sponsored by Wallarm API Security Solution

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the cybersecurity landscape is as dynamic and challenging as ever. From data breaches affecting thousands of users to critical vulnerabilities in widely used systems, the need for robust security measures and constant vigilance cannot be overstated.

We explored the alarming data leaks from VirtualMacOSX and Sensata Technologies, highlighting the vulnerabilities that can affect both companies and individuals. The Washington Post's investigation into a cyberattack on its journalists reminds us of the importance of securing sensitive communications, especially in media organizations. Meanwhile, the settlement by Patelco Credit Union underscores the financial and reputational impacts of cyberattacks.

On the technical front, the discovery of vulnerabilities like the Microsoft-signed firmware module bypassing Secure Boot and the various CVEs affecting different platforms serve as a stark reminder of the ongoing battle against potential exploits. These issues emphasize the critical need for timely updates and patches to safeguard systems.

We also celebrated the achievements of cybersecurity champions like Dr. Liu Yang, whose work in translating research into practical solutions is crucial for advancing our defenses against cyber threats. And for those in the crypto world, the discussion on "wrench attacks" serves as a cautionary tale about the importance of physical security in addition to digital protections.

If you found today's insights valuable, please consider sharing this newsletter with your friends and colleagues. Together, we can build a more informed and resilient community, better equipped to tackle the challenges of cybersecurity. Stay safe, stay informed, and see you in the next edition of Secret CISO!
