Secret CISO 6/4: Coinbase, Akeela, Cartier, Adidas, Maine Breaches; HPE, Fastly, CISPA, Bitdefender, Meta Research; IBM, Audiocodes, JEHC-BPM, Auth0-PHP, Hibernate Vulnerabilities


Welcome to today's issue of Secret CISO, your daily digest of the most impactful cybersecurity news. Today, we're diving into a series of data breaches, exploring the latest research in cybersecurity, and highlighting the most recent vulnerabilities you should be aware of.

Starting with data breaches, Coinbase is facing criticism for delaying the disclosure of a data breach that occurred back in January 2025. Akeela Inc. has agreed to a settlement following a class action lawsuit over a similar delay in breach notification. Luxury jewelry company Cartier and sportswear giant Adidas have also experienced data breaches, with the latter resulting from a third-party customer service provider being hacked. Meanwhile, nearly 19,000 residents of Maine have been affected by an undisclosed data breach.

Moving on to research, HPE has released a security patch for a vulnerability in its StoreOnce systems, which could allow remote authentication bypass. A report by Fastly warns of a surge in bot attacks targeting the commerce sector. A study conducted by CISPA researcher Sumair Hashmi and his team investigates the cybersecurity practices of individuals with low socioeconomic status in Pakistan. Bitdefender's team of security researchers found that 84% of severe cyber incidents utilize Living Off the Land (LOTL) techniques. Lastly, security researchers report that Meta and Yandex have found ways to bypass Android privacy protections.

Turning to vulnerabilities, IBM QRadar Suite Software, Audiocodes Mediapack MP-11x, JEHC-BPM v2.0.1, Auth0-PHP SDK, and Hibernate Validator have all been found to have vulnerabilities that could allow unauthorized actions, access to sensitive information, or execution of arbitrary code. IdeaCMS, ChestnutCMS, DataEase, enilu web-flash 1.0, and Umbraco CMS also have critical vulnerabilities that need to be addressed.

Stay safe, stay informed, and we'll see you in tomorrow's issue of Secret CISO.

Data Breaches

  1. Coinbase Faces Backlash For Delaying Data Breach Disclosure: Coinbase is under fire for allegedly delaying the disclosure of a data breach that occurred in January 2025. Critics argue that the delay may have put users' data at risk. Source: Bitcoinist.com
  2. Akeela Inc. Agrees Settlement to Resolve Class Action Data Breach Litigation: Akeela Inc. has agreed to a settlement following a class action lawsuit over a data breach. The lawsuit claimed that the delay in notifying affected individuals about the breach caused further harm. Source: HIPAA Journal
  3. All the customer data stolen in Cartier cyber attack: Luxury jewelry company Cartier has experienced a data breach, with hackers stealing limited client information. The company has notified affected customers. Source: The Independent
  4. Nearly 19-thousand Mainers have been affected by a data breach: A recent data breach has affected nearly 19,000 residents of Maine, according to a filing with the Maine Attorney General's Office. The specifics of the breach have not been disclosed. Source: Fox23Maine
  5. Data Breach at Adidas Exposes Customer Contact Details: Sportswear giant Adidas has disclosed a data breach after a third-party customer service provider was hacked. Customers are advised to be on high alert for potential phishing attempts. Source: PCMag

Security Research

  1. HPE Issues Security Patch for StoreOnce Bug Allowing Remote Authentication Bypass: HPE has released a security patch to address a vulnerability in its StoreOnce systems, which could allow remote authentication bypass. The flaw was discovered and reported by an anonymous researcher via the Zero Day Initiative (ZDI). Source: The Hacker News
  2. Commerce sector faces surge in bot attacks, Fastly report warns: A report by Fastly warns of a surge in bot attacks targeting the commerce sector. Fastly's Staff Security Researcher, Simran Khalsa, emphasized the importance of understanding bot traffic for online businesses. Source: ChannelLife New Zealand
  3. Investigating cybersecurity practices of people with low socioeconomic status in Pakistan: CISPA researcher Sumair Hashmi and his team have conducted a study into the cybersecurity practices of individuals with low socioeconomic status in Pakistan. The research suggests that future studies should focus on how security advisories can be made more accessible to this demographic. Source: Science X
  4. Study finds 84% of severe cyber incidents use LOTL methods: A study conducted by Bitdefender's team of security researchers found that 84% of severe cyber incidents utilize Living Off the Land (LOTL) techniques. The research was conducted as part of the development of GravityZone Proactive. Source: SecurityBrief Asia
  5. Researchers: Meta and Yandex Broke Android Privacy: Security researchers have found that social media giants Meta and Yandex have found ways to bypass privacy protections that Android users had enabled. The methods used by the companies have raised concerns about user privacy. Source: Bank Info Security

Top CVEs

  1. CVE-2025-25022: IBM QRadar Suite Software and IBM Cloud Pak for Security have a vulnerability that could allow an unauthenticated user to obtain highly sensitive information. Users are advised to update their software to the latest version to mitigate this risk. Source: CVE-2025-25022
  2. CVE-2025-32106: Audiocodes Mediapack MP-11x has a vulnerability that could allow an unauthenticated remote user to execute unauthorized actions through a crafted POST request. Users are advised to update to the latest version to mitigate this risk. Source: CVE-2025-32106
  3. CVE-2025-45854: JEHC-BPM v2.0.1 has an arbitrary file upload vulnerability that allows attackers to execute arbitrary code via uploading a crafted file. Users are advised to update to the latest version to mitigate this risk. Source: CVE-2025-45854
  4. CVE-2025-48951: Auth0-PHP SDK has a vulnerability due to insecure deserialization of cookie data. This could allow a threat actor to send a specially crafted cookie containing malicious serialized data. Users are advised to update to the latest version to mitigate this risk. Source: CVE-2025-48951
  5. CVE-2025-35036: Hibernate Validator has a vulnerability that could allow an attacker to access sensitive information or execute arbitrary Java code. Users are advised to update to the latest version to mitigate this risk. Source: CVE-2025-35036

API Security

  1. CVE-2025-5569 - IdeaCMS up to 1.7 Vulnerability: A critical vulnerability was found in IdeaCMS up to version 1.7, affecting the function Article/Goods of the file /api/v1.index.article/getList.html. The issue, which can be exploited remotely, leads to SQL injection. Upgrading to version 1.8 addresses this issue. Source: CVE-2025-5569
  2. CVE-2025-5552 - ChestnutCMS up to 15.1 Vulnerability: A critical vulnerability was found in ChestnutCMS up to version 15.1, affecting unknown code in the file /dev-api/groovy/exec of the component API Endpoint. The issue, which can be exploited remotely, leads to deserialization. Source: CVE-2025-5552
  3. CVE-2025-49001 - DataEase Open Source Vulnerability: DataEase, an open-source business intelligence and data visualization tool, had a vulnerability where secret verification did not take effect successfully, allowing a user to forge a JWT token. This issue has been fixed in version 2.10.10. Source: CVE-2025-49001
  4. CVE-2025-5523 - enilu web-flash 1.0 Vulnerability: A problematic vulnerability was found in enilu web-flash 1.0, affecting the function fileService.upload of the file src/main/java/cn/enilu/flash/api/controller/FileController/upload of the component File Upload. The issue, which can be exploited remotely, leads to cross-site scripting. Source: CVE-2025-5523
  5. CVE-2025-48953 - Umbraco CMS Vulnerability: Umbraco, an ASP.NET content management system, had a vulnerability where it was possible to upload a file that doesn't adhere to the configured allowable file extensions via a manipulated API request. This issue has been patched in versions 15.4.2 and 16.0.0. Source: CVE-2025-48953
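The DataEase entry above describes a failure mode worth seeing concretely: a JWT whose secret check never actually takes effect is no better than an unsigned cookie, because anyone can mint a token with whatever claims they like. The following is an added example, not DataEase's code or its fix; the secrets, claim values and helper names are constructed for the demo. It contrasts decoding a token without checking its signature against a strict HS256 verifier that pins the algorithm, compares the HMAC in constant time, and enforces expiry, using only Python's standard library.

```python
"""Added example (not DataEase's code): what 'secret verification did not take
effect' looks like in practice, beside a verifier that actually enforces it.
All secrets and claims below are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT: base64url(header).base64url(payload).base64url(HMAC)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_unverified(token: str) -> dict:
    """The failure mode: trusting the payload without checking the signature.
    A token signed under any key at all is accepted as the user it names."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_token(token: str, secret: bytes, now=None):
    """Strict verification: exact three-part structure, algorithm pinned
    server-side, constant-time HMAC comparison against the server secret,
    and an expiry check. Returns the claims on success, None on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        presented = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Never let the token's own header pick the algorithm: this rejects
    # "alg": "none" and algorithm-confusion attempts outright.
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


def demo() -> dict:
    """Run the weak and strict paths over constructed tokens and report results."""
    server_secret = b"constructed-demo-secret-not-for-production"
    other_secret = b"some-other-key-the-server-never-issued"
    fixed_now = 1_700_000_000  # constructed clock so expiry checks are deterministic
    legit = make_token({"sub": "alice", "role": "viewer", "exp": fixed_now + 3600}, server_secret)
    # Same subject, escalated role, but signed under a key the server does not hold.
    forged = make_token({"sub": "alice", "role": "admin", "exp": fixed_now + 3600}, other_secret)
    stale = make_token({"sub": "alice", "role": "viewer", "exp": fixed_now - 1}, server_secret)
    # Unsigned token whose header claims "alg": "none".
    none_header = _b64url(b'{"alg":"none","typ":"JWT"}')
    none_payload = _b64url(json.dumps({"sub": "alice", "role": "admin", "exp": fixed_now + 3600}).encode())
    alg_none = f"{none_header}.{none_payload}."
    return {
        "weak_accepts_forged": decode_unverified(forged).get("role") == "admin",
        "strict_accepts_legit": verify_token(legit, server_secret, fixed_now) is not None,
        "strict_rejects_forged": verify_token(forged, server_secret, fixed_now) is None,
        "strict_rejects_stale": verify_token(stale, server_secret, fixed_now) is None,
        "strict_rejects_alg_none": verify_token(alg_none, server_secret, fixed_now) is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the split is that `decode_unverified` is exactly what an application ends up running when its verification step is misconfigured or silently skipped; in a real service, the equivalent check is that your JWT library is called in verify mode with the server's key and a pinned algorithm list, and that a token signed under a different key is rejected in an integration test rather than assumed to be.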

Sponsored by Wallarm API Security Solution

Final Words

That's it for today's edition of Secret CISO. From the backlash faced by Coinbase for delaying data breach disclosure to the surge in bot attacks in the commerce sector, it's clear that cybersecurity is a critical concern for all businesses. We hope this information helps you stay ahead of potential threats and vulnerabilities.

Remember, the world of cybersecurity is constantly evolving. The more we share knowledge and stay informed, the better equipped we are to protect our digital assets. So, if you found today's newsletter helpful, please consider sharing it with your friends and colleagues. They might find it useful too.

Stay safe, stay informed, and keep an eye out for tomorrow's edition of Secret CISO. We'll be back with more updates from the world of cybersecurity. Until then, remember - knowledge is the best defense.
