Secret CISO 6/19: San Diego Police, UBS, Tesla, Langflow, Microsoft Copilot - From License Plates to AI, Breaches and Vulnerabilities Unveil a Web of Risks and Innovations


Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity incidents and vulnerabilities shaping our digital landscape. Today's stories weave a narrative of breaches, vulnerabilities, and the relentless evolution of cyber threats.

In the heart of San Diego, a data breach involving automated license plate readers raises alarms about privacy and data sharing across agencies. Meanwhile, UBS grapples with the aftermath of a ransomware attack, exposing employee data to potential exploitation. As T-Mobile begins distributing settlement checks for a past data breach, the echoes of compromised information remind us of the enduring impact of such incidents.

Cybercriminals continue to challenge security norms, with World Leaks claiming a massive data theft from a state agency contractor, and Belk facing lawsuits for failing to protect private information. In the automotive world, a hack into Tesla's firmware hints at exciting developments, while a critical vulnerability in Langflow demands immediate attention to prevent further exploitation.

The digital underworld remains as dynamic as ever, with ransomware thriving amidst shifting criminal landscapes. A staggering 40,000 cameras exposed online highlight the urgent need for IoT security, and a zero-click vulnerability in Microsoft Copilot underscores the emerging risks in AI technologies.

On the technical front, vulnerabilities like CVE-2025-23121 and CVE-2025-44951 present significant risks, while the Python library urllib3's redirect control flaw in browsers and Node.js environments poses potential SSRF threats. The Linux kernel and WordPress plugins also face critical vulnerabilities, emphasizing the need for vigilant patching and security measures.

Join us as we delve into these stories, exploring the ever-evolving challenges and innovations in cybersecurity. Stay informed, stay secure.

Data Breaches

  1. San Diego Police License Plate Reader Data Breach: The San Diego Police Department admitted to a data breach involving their automated license plate readers in the early days of the program. Privacy advocates are concerned about potential data breaches and cross-agency data sharing. Source: Times of San Diego.
  2. UBS Employee Data Leak After Ransomware Attack: UBS confirmed a data leak affecting employee information following a ransomware attack on one of its suppliers. The stolen data could potentially be used for blackmail or money laundering. Source: SiliconANGLE.
  3. T-Mobile Data Breach Settlement Checks: Settlement payouts for a 2021 T-Mobile data breach are now being distributed to affected customers. This breach had previously exposed sensitive customer information, leading to a class-action lawsuit. Source: CNET.
  4. World Leaks Claims Data Theft from State Agency Contractor: The cybercriminal gang World Leaks, formerly known as Hunters International, claims to have stolen 52.4 gigabytes of data from a state agency contractor. This breach includes over 42,000 files, raising concerns about the security of government contractors. Source: BankInfoSecurity.
  5. Belk Data Breach Lawsuits: Belk is facing lawsuits for failing to protect private information during a data breach that occurred between May 7 and May 11. The company has been criticized for not notifying affected individuals promptly. Source: Law360.

Security Research

  1. Tesla Model Y Hack Reveals Possible 6-Seat Version Coming: A security researcher known as GreenTheOnly discovered potential indications of a six-seat version of the Tesla Model Y by examining the vehicle's firmware. This finding suggests upcoming changes in Tesla's vehicle lineup, sparking interest among Tesla enthusiasts and the automotive industry. Source: InsideEVs.
  2. Active Exploitation of Critical Vulnerability in Langflow: Security researchers have identified an active campaign exploiting a critical vulnerability (CVE-2025-3248) in Langflow. This vulnerability is being used to launch attacks, highlighting the need for immediate attention and patching to protect systems from potential breaches. Source: Cyber Security Agency of Singapore.
  3. Ransomware Thrives in Shook-Up Criminal Underworld: Symantec's threat-hunting team reports that ransomware continues to thrive amid changes in the criminal underworld. The report emphasizes the evolving tactics of cybercriminals and the persistent threat ransomware poses to organizations worldwide. Source: BankInfoSecurity.
  4. 40,000 Cameras, From Bird Feeders to Baby Monitors, Exposed to the Internet: A recent report reveals that approximately 40,000 cameras, including bird feeders and baby monitors, are exposed to the internet. This exposure poses significant privacy and security risks, underscoring the importance of securing IoT devices. Source: 404 Media.
  5. Zero-Click Microsoft Copilot Vuln Underscores Emerging AI Security Risks: Aim Labs discovered a "zero-click" vulnerability in Microsoft Copilot, named EchoLeak, which could allow attackers to exploit AI systems without user interaction. This finding highlights the emerging security risks associated with AI technologies and the need for robust security measures. Source: AIwire.

Top CVEs

  1. CVE-2025-23121: A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user has been identified. This flaw could potentially allow attackers to execute arbitrary code, posing a significant risk to affected systems. Source.
  2. CVE-2025-44951: A missing length check in the ogs_pfcp_dev_add function of the PFCP library, used in open5gs 2.7.2 and earlier, allows a local attacker to cause a buffer overflow. The overflow is triggered by setting the session.dev field to a value longer than the expected length. Source.
  3. CVE-2025-1088: Grafana has an Improper Input Validation vulnerability where an excessively long dashboard title or panel name can cause Chromium browsers to become unresponsive. This issue affects versions before 11.6.2 and has been addressed in the latest update. Source.
  4. CVE-2025-6191: An integer overflow in V8 in Google Chrome prior to version 137.0.7151.119 allows a remote attacker to potentially perform out-of-bounds memory access via a crafted HTML page. This vulnerability poses a significant security risk due to the potential for memory corruption. Source.
  5. CVE-2025-29646: An issue in the upf component of open5gs 2.7.2 and earlier allows a remote attacker to cause a Denial of Service via a crafted PFCP SessionEstablishmentRequest packet. This vulnerability can disrupt service availability, making it a critical concern for affected deployments. Source.

API Security

  1. urllib3 does not control redirects in browsers and Node.js: urllib3, a popular HTTP client library for Python, has a vulnerability where it fails to control redirects in browser and Node.js environments. The issue arises when urllib3 runs in a Pyodide runtime, which delegates requests to the JavaScript Fetch API or XMLHttpRequest; in that setting the library's redirect controls are silently ignored. Applications that rely on urllib3's redirect handling to mitigate SSRF therefore remain exposed. Source: Vulners
  2. CVE-2025-38062: A vulnerability in the Linux kernel related to the handling of IOMMU IOVA in MSI descriptors has been resolved. IOMMU translation was performed as a two-step process, and the pointer stored in the cookie had a potential lifetime problem that could allow userspace to trigger a race condition. The fix stores the IOMMU IOVA directly in the MSI descriptor, removing the lifetime issue from the kernel's interrupt handling. Source: Vulners
  3. CVE-2025-1562: The FunnelKit plugin for WordPress, used for WooCommerce cart abandonment recovery and marketing automation, is vulnerable to unauthorized arbitrary plugin installation. This is due to a missing capability check and a weak nonce hash, allowing unauthenticated attackers to install arbitrary plugins on affected sites. This vulnerability could be leveraged to further compromise vulnerable WordPress installations. Source: Vulners
  4. Exploit for Prototype Pollution in Salesforce Tough-Cookie: CVE-2023-26136 is a critical prototype pollution vulnerability in tough-cookie versions before 4.1.3. Because the cookie store was keyed with ordinary object literals, a maliciously crafted cookie domain such as "__proto__" let attackers inject properties into Object.prototype. The fix replaces those object initializations with Object.create(null), which creates objects with no prototype chain, so cookie storage can no longer reach shared prototypes through a crafted key. Source: Vulners
  5. CVE-2025-50182: urllib3, a widely used Python HTTP client library, had a vulnerability where it did not control redirects in browsers and Node.js environments. This issue was particularly problematic in Pyodide runtimes, where the library's redirect control mechanisms were ignored, potentially leading to SSRF vulnerabilities. The issue has been patched in the latest version of urllib3, ensuring better security for applications relying on this library. Source: Vulners
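The tough-cookie item above describes the fix only in one sentence. The following is an added example, not tough-cookie's own code or any code from the newsletter: a deliberately minimal cookie store keyed by domain, then path, then cookie name, written once with plain object literals (the pre-4.1.3 pattern) and once with Object.create(null) as the fix does. The cookie with domain "__proto__" is a constructed sample; the function names and the store layout are the example's own.

```javascript
// Constructed sample input: a cookie whose Domain attribute is "__proto__".
const POLLUTING_COOKIE = { domain: '__proto__', path: '/account', name: 'sid', value: 'abc123' };

// Vulnerable pattern: nested object literals. On a plain {} the key
// "__proto__" resolves to Object.prototype, so the nested writes land on the
// shared prototype instead of on this store.
function storeCookieVulnerable(store, cookie) {
  const { domain, path, name, value } = cookie;
  if (!store[domain]) store[domain] = {};
  if (!store[domain][path]) store[domain][path] = {};
  store[domain][path][name] = value;
}

// Hardened pattern (what the CVE-2023-26136 fix does): every level is a
// prototype-less object, so "__proto__" is just an ordinary own-property key.
function newStore() {
  return Object.create(null);
}

function storeCookieHardened(store, cookie) {
  const { domain, path, name, value } = cookie;
  if (!(domain in store)) store[domain] = Object.create(null);
  if (!(path in store[domain])) store[domain][path] = Object.create(null);
  store[domain][path][name] = value;
}

// Detection check: a property appearing on Object.prototype itself is the
// fingerprint of pollution, visible from any unrelated fresh object.
function isPrototypePolluted(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}

// Runs both variants against the same crafted cookie and reports what each did.
function demonstrate() {
  const before = isPrototypePolluted('/account');

  const vulnerableStore = {};
  storeCookieVulnerable(vulnerableStore, POLLUTING_COOKIE);
  const afterVulnerable = isPrototypePolluted('/account');
  // An unrelated object now "has" the cookie through inheritance.
  const leaked = ({})['/account'] && ({})['/account'].sid;
  // Undo the pollution so the rest of the process behaves normally.
  delete Object.prototype['/account'];

  const hardenedStore = newStore();
  storeCookieHardened(hardenedStore, POLLUTING_COOKIE);
  const afterHardened = isPrototypePolluted('/account');
  // The cookie is still stored, just under a literal "__proto__" key.
  const storedSafely = hardenedStore['__proto__']['/account'].sid;

  return { before, afterVulnerable, leaked, afterHardened, storedSafely };
}

console.log(demonstrate());
```

The vulnerable run leaves a "/account" property on Object.prototype that every object in the process inherits, which is exactly how a crafted cookie domain reaches application code that never touched the cookie jar. The hardened run stores the same cookie without touching any prototype, and the isPrototypePolluted check is the kind of assertion worth keeping in a test suite for any code that uses attacker-controlled strings as object keys.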

Sponsored by Wallarm API Security Solution

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the world of cybersecurity is as dynamic and challenging as ever. From the San Diego Police Department's early data breach concerns to the unsettling ransomware attack on UBS, each story serves as a reminder of the persistent threats we face. The T-Mobile settlement checks arriving in mailboxes and the ongoing lawsuits against Belk highlight the long-lasting impacts of data breaches on both companies and individuals.

Meanwhile, the discovery of a potential six-seat Tesla Model Y and the active exploitation of vulnerabilities in Langflow and Microsoft Copilot underscore the ever-evolving landscape of technology and its associated risks. The exposure of thousands of cameras to the internet and the thriving ransomware scene further emphasize the need for vigilance and proactive measures.

In the realm of vulnerabilities, from CVE-2025-23121's remote code execution risk to the prototype pollution in Salesforce's tough-cookie, each issue demands our attention and swift action to safeguard our systems. The recent patches and updates serve as a testament to the ongoing efforts to fortify our defenses against these threats.

We hope you found today's insights valuable and thought-provoking. If you did, please consider sharing this newsletter with your friends and colleagues. Together, we can build a more informed and resilient community, ready to tackle the cybersecurity challenges of tomorrow.

Stay safe, stay informed, and see you in the next edition of Secret CISO!


By Secret CISO