Secret CISO 6/28: Ontario Health & PowerSchool Breaches, AI Server Risks, Iranian Cyber Threats, CitrixBleed 2 Exploits

Welcome to today's edition of Secret CISO, where we unravel the tangled web of cybersecurity breaches and vulnerabilities that have surfaced across the globe. As we dive into the stories of the day, a common thread emerges: the relentless pursuit of sensitive data by cybercriminals and the vulnerabilities that leave organizations exposed.

In the healthcare sector, Ontario Health atHome's recent data breach has put the personal health information of more than 200,000 patients at risk, while PowerSchool's breach has exposed the personal data of thousands of children and pushed the company to offer protective services to those affected. Meanwhile, the US Federal Bureau of Prisons is investigating an alleged breach that could have far-reaching implications for security and privacy.

As we shift focus to the corporate world, EmCentrix and Ahold Delhaize USA Services are grappling with breaches that expose employee data, highlighting the need for robust data protection. At the same time, misconfigured Model Context Protocol (MCP) servers are opening doors to data exposure, and Iranian hackers are intensifying attacks on specific industries, underscoring the geopolitical dimension of cyber threats.

In the realm of vulnerabilities, the emergence of "CitrixBleed 2" and the AMD CPU ROM microcode patch loader flaw signal urgent calls for patching and vigilance. The transportation sector is also on high alert as a notorious cybercrime gang shifts its focus to airlines, while AI agents inadvertently create insider threat blind spots within organizations.

Finally, a series of critical vulnerabilities, from path traversal in gooaclok819's sublinkX to command injection in xiaoyunjie's openvpn-cms-flask, remind us that the same input-validation failures keep recurring and that timely updates and security patches remain essential. As these stories unfold, they weave a narrative of the ongoing battle between cybersecurity defenders and the ever-evolving tactics of cyber adversaries.

Stay informed, stay secure, and join us as we continue to navigate the complex landscape of cybersecurity challenges.

Data Breaches

  1. Ontario Health atHome Data Breach: Ontario Health atHome experienced a data breach affecting at least 200,000 patients, with personal health information potentially compromised. The breach, which occurred in mid-March, was not publicly disclosed until recently, prompting an investigation by Ontario's privacy commissioner. Source.
  2. PowerSchool Data Breach: PowerSchool suffered a significant data breach earlier this year, leaking thousands of children's information. In response, the company is offering free credit monitoring and identity protection services to those affected. Source.
  3. Federal Bureau of Prisons Alleged Breach: Hackers claim to have accessed data from the US Federal Bureau of Prisons, including release plans, security points, and personal information. The Bureau is currently investigating the alleged breach. Source.
  4. EmCentrix Data Breach Investigation: Edelson Lechtzin LLP is investigating claims related to a data breach involving EmCentrix. The breach may have exposed personal information, including names and Social Security numbers, prompting concerns about identity theft and fraud. Source.
  5. Ahold Delhaize USA Services Data Breach: Ahold Delhaize USA Services announced a data breach that compromised personal information of employees and former employees. The company is urging affected individuals to remain vigilant in protecting their personal data. Source.

Security Research

  1. Misconfigured AI Servers and Weak Configurations Expose Data, Systems: Researchers at Backslash Security found more than 15,000 Model Context Protocol (MCP) servers already deployed worldwide, even though the protocol is relatively new, and reported that many of them are misconfigured in ways that expose data and let attackers reach the host. Treat an MCP server like any other network service: bind it to localhost unless remote access is genuinely required, authenticate callers, and audit which tools it exposes. Source.
  2. Iranian Hackers Targeting Specific Industries for Cyber Attacks: As geopolitical tensions rise, Iranian hackers are increasingly targeting specific industries for cyber attacks. This escalation highlights the need for heightened cybersecurity measures in vulnerable sectors. Source.
  3. AI Agents Are Creating Insider Security Threat Blind Spots: Research from BeyondID indicates that AI agents are being allowed to access sensitive data and systems, creating potential insider threat blind spots. This calls for improved safeguards and monitoring of AI activities within organizations. Source.
  4. Prolific Cybercrime Gang Now Targeting Airlines and the Transportation Sector: Google's Mandiant and Palo Alto Networks' Unit 42 have observed the group tracked as Scattered Spider (UNC3944) shifting its focus to airlines and the wider transportation sector. The group's playbook relies on social engineering of IT help desks to reset passwords and MFA, so the identity-verification procedures used by support staff deserve a review alongside technical controls. Source.
  5. 'CitrixBleed 2' Shows Signs of Active Exploitation: CVE-2025-5777, dubbed "CitrixBleed 2," is an out-of-bounds memory read in Citrix NetScaler ADC and NetScaler Gateway that is now being exploited in the wild. Like the original CitrixBleed (CVE-2023-4966), it can leak session tokens from appliance memory, so patching alone is not enough: after upgrading, terminate active ICA and PCoIP sessions (Citrix's advisory gives kill icaconnection -all and kill pcoipConnection -all) and review authentication logs for sessions reused from unexpected IP addresses. Source.

Top CVEs

  1. AMD CPU ROM Microcode Patch Loader Vulnerability (CVE-2024-36347): Improper signature verification in the AMD CPU ROM microcode patch loader could allow an attacker with local administrator privileges to load malicious microcode. This vulnerability may lead to a loss of integrity in x86 instruction execution and compromise the confidentiality and integrity of data in the x86 CPU privileged context. Source: Vulners.
  2. Dover Fueling Solutions ProGauge MagLink LX Consoles Vulnerability (CVE-2025-5310): An undocumented and unauthenticated target communication framework (TCF) interface is exposed on a specific port in Dover Fueling Solutions ProGauge MagLink LX Consoles. This allows files to be created, deleted, or modified, potentially leading to remote code execution. Source: Vulners.
  3. Nix, Lix, and Guix Package Managers Race Condition (CVE-2025-46415): A race condition in the Nix, Lix, and Guix package managers allows the removal of content from arbitrary folders. This affects multiple versions of these package managers, posing a significant risk to system integrity. Source: Vulners.
  4. HaruTheme Drag and Drop Multiple File Upload Vulnerability (CVE-2025-49885): The unrestricted upload of files with dangerous types in the HaruTheme Drag and Drop Multiple File Upload (Pro) for WooCommerce allows attackers to upload a web shell to a web server. This vulnerability affects various versions of the plugin, posing a threat to web server security. Source: Vulners.

API Security

  1. CVE-2025-6774: A critical path traversal vulnerability in gooaclok819's sublinkX up to version 1.8 can be triggered remotely by manipulating the filename argument of the AddTemp function. A public exploit exists; upgrade to version 1.9. Source: Vulners.
  2. CVE-2025-6775: A critical command injection vulnerability in xiaoyunjie's openvpn-cms-flask up to version 1.2.7 affects the User Creation Endpoint: a remote attacker can supply a crafted Username argument that is passed unsanitized into a command and executed. Upgrade to version 1.2.8. Source: Vulners.
  3. CVE-2025-53094: ESPAsyncWebServer, an HTTP and WebSocket server library for ESP8266/ESP32 microcontrollers, has a CRLF injection vulnerability in versions up to 3.7.8: unsanitized input written into response headers lets an attacker inject arbitrary HTTP headers, rated high severity. A fix has been committed and is expected to ship in a future release. Source: Vulners.
  4. CVE-2025-6772: A critical path traversal vulnerability in eosphoros-ai db-gpt up to version 0.7.2 affects the import_flow function. This flaw allows remote attacks through the manipulation of the File argument. The exploit has been publicly disclosed. Source: Vulners.
  5. CVE-2025-6773: HKUDS LightRAG up to version 1.3.8 has a critical path traversal vulnerability in the upload_to_input_dir function. This vulnerability can be exploited locally by manipulating the file.filename argument. Applying the available patch is recommended. Source: Vulners.
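The three path traversal entries above (sublinkX, DB-GPT, LightRAG) and the HaruTheme upload flaw in the Top CVEs list come down to the same two mistakes: joining a client-supplied filename to a directory as-is, and trusting the client's file type. The following is an added example, not code from any of those projects, showing the vulnerable pattern beside a hardened upload handler; the upload root, the allow-listed extensions and the sample filenames are assumptions.

```python
"""Upload handling: path traversal and dangerous-type checks (added example)."""
import os
import re
import secrets
import tempfile
from pathlib import Path

# Assumed upload root; a temp dir so the demo runs anywhere.
UPLOAD_ROOT = Path(tempfile.mkdtemp(prefix="inputs-"))

# Assumed allow-list of the only types the application needs. Deny-listing
# .php/.phtml/.jsp is the wrong way round: a new executable type slips through.
ALLOWED_EXT = {".txt", ".md", ".pdf", ".json"}
# Basename must start alphanumeric (no ".htaccess"), use only safe characters
# and stay short.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def vulnerable_target(client_name: str) -> Path:
    """The bug class in the CVEs above: the client-controlled name is joined to
    the upload directory unchanged. '../' segments walk out of it and an
    absolute path replaces it entirely (pathlib, os.path.join and their
    equivalents in other languages all behave this way)."""
    return (UPLOAD_ROOT / client_name).resolve()


def safe_filename(client_name: str) -> str:
    """Reduce a client-supplied name to a vetted basename, or raise."""
    # Keep only the last path component for both separator styles, and drop
    # NUL bytes that could truncate the name in a C-based layer underneath.
    name = client_name.replace("\\", "/").split("/")[-1].replace("\x00", "")
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected filename: {client_name!r}")
    suffixes = [s.lower() for s in Path(name).suffixes]
    # Every suffix must be allow-listed, so "shell.php.txt" and extension-less
    # names are both refused, not just an unexpected final extension.
    if not suffixes or any(s not in ALLOWED_EXT for s in suffixes):
        raise ValueError(f"rejected file type: {client_name!r}")
    return name


def safe_save(client_name: str, data: bytes) -> Path:
    """Hardened save: vetted basename, unguessable prefix, containment check on
    the resolved path, and O_EXCL so a pre-planted symlink cannot redirect
    the write."""
    name = safe_filename(client_name)
    root = UPLOAD_ROOT.resolve()
    target = (root / f"{secrets.token_hex(8)}_{name}").resolve()
    if root not in target.parents:  # belt and braces after sanitising
        raise ValueError("path escapes upload root")
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def rejects(client_name: str) -> bool:
    """True if the hardened path refuses this name (nothing touches disk)."""
    try:
        safe_save(client_name, b"x")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed attacker-style names for the demo.
    for name in ("../../etc/passwd", "/etc/passwd", "..\\..\\win.ini",
                 "shell.php", "shell.php.txt", ".htaccess"):
        print(f"{name!r:22} naive join -> {vulnerable_target(name)}"
              f"  hardened rejects: {rejects(name)}")
    print("saved:", safe_save("notes.txt", b"hello"))
```

Note that the containment check alone is not sufficient: it stops traversal but says nothing about the file type, and the extension allow-list alone does nothing about traversal. Both checks, plus the O_EXCL open, are needed to close the class of bugs in the list above.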
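The openvpn-cms-flask and ESPAsyncWebServer entries are injection bugs of a different kind: untrusted input reaching a shell command line and an HTTP header line respectively. The following is an added example, not code from either project; the certificate command it stands in for, the header names and the sample inputs are assumptions. Each pattern is shown in its vulnerable form (run harmlessly with echo, or only built as bytes) beside the hardened one.

```python
"""Command injection and CRLF header injection, vulnerable vs. hardened
(added example; the easyrsa command line and header names are assumptions)."""
import re
import subprocess

USERNAME_RE = re.compile(r"[a-z][a-z0-9_-]{2,31}")
HEADER_NAME_RE = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")  # RFC 9110 token


# ---- command injection (the openvpn-cms-flask bug class) -------------------

def vulnerable_build_cert(username: str) -> str:
    """String-built command handed to a shell: 'bob; rm -rf /' is two commands.
    echo stands in for the assumed './easyrsa build-client-full {user} nopass'
    so the example is harmless to run."""
    cmd = f"echo user={username}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def safe_build_cert(username: str) -> str:
    """Hardened: validate against a strict allow-list, then pass the value as a
    single argv element with no shell, so metacharacters are never parsed."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"invalid username: {username!r}")
    argv = ["echo", f"user={username}"]  # stand-in for ['./easyrsa', ..., username, 'nopass']
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


# ---- CRLF injection (the ESPAsyncWebServer bug class) ----------------------

def vulnerable_redirect(location: str) -> bytes:
    """Writes the client-controlled value straight into the header block."""
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n".encode("latin-1")


def safe_header(name: str, value: str) -> bytes:
    """Refuse CR, LF and NUL in the value and enforce a token name, so a value
    can never terminate its line and smuggle extra headers or a body."""
    if not HEADER_NAME_RE.fullmatch(name):
        raise ValueError(f"bad header name: {name!r}")
    if re.search(r"[\r\n\x00]", value):
        raise ValueError(f"CR/LF in header value: {value!r}")
    return f"{name}: {value}\r\n".encode("latin-1")


def safe_redirect(location: str) -> bytes:
    return b"HTTP/1.1 302 Found\r\n" + safe_header("Location", location) + b"\r\n"


def header_names(raw: bytes) -> list[str]:
    """Split the header block the way a client would, to show what it sees."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]


def blocked(fn, *args) -> bool:
    """True if the hardened function refuses the input."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed attacker inputs.
    user = "bob; echo INJECTED"
    print("shell string:", repr(vulnerable_build_cert(user)))
    print("hardened blocks it:", blocked(safe_build_cert, user))
    loc = "/home\r\nSet-Cookie: session=attacker"
    print("naive redirect headers:", header_names(vulnerable_redirect(loc)))
    print("hardened blocks it:", blocked(safe_redirect, loc))
```

If a shell is truly unavoidable, shlex.quote on each value is the fallback, but argv lists plus an allow-list are the default. For headers, rejecting CR/LF is preferable to silently stripping them, because a stripped value is still attacker-shaped and the rejection is a useful log event.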

Sponsored by Wallarm API Security Solution

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is as dynamic as ever. From the unsettling data breaches affecting healthcare and educational institutions to the vulnerabilities lurking within AI systems and software, the need for robust cybersecurity measures has never been more pressing.

Each story we shared today underscores the importance of vigilance and proactive defense strategies. Whether it's the personal data of patients in Ontario, the sensitive information of children in PowerSchool, or the critical vulnerabilities in widely-used technologies, these incidents remind us that cybersecurity is a shared responsibility.

We encourage you to stay informed and take action to protect your digital assets. If you found today's insights valuable, please consider sharing this newsletter with your friends and colleagues. Together, we can build a more secure digital world, one informed reader at a time.

Thank you for being a part of our community. Until next time, stay safe and stay secure!
