Secret CISO 7/11: Flutter & Ballad Breaches, SafePay's Tactics, FortiWeb SQL Flaw, Indian Ocean's Vital Role

Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity challenges and breakthroughs. In this issue, we delve into a series of alarming data breaches and vulnerabilities that have shaken industries across the globe.
We begin with Flutter Entertainment, where a significant data breach has compromised the sensitive information of UK customers, raising questions about the robustness of their security measures. Meanwhile, Ballad Health and a Florida medical clinic grapple with breaches linked to third-party vendors and international cybercriminals, respectively, highlighting the pervasive threat landscape.
In the realm of cloud security, TalentHook's misconfiguration has exposed millions of job seekers' data, underscoring the critical need for vigilant cloud practices. On the legal front, Horizon Healthcare RCM faces potential class action lawsuits following a breach that has left personal and health information vulnerable.
Shifting focus to the Indian Ocean, a study reveals the crucial role of its fisheries in global nutritional security, juxtaposing the digital threats with the physical world's challenges. Meanwhile, the hacker group SafePay emerges with its unique negotiation tactics, capturing the attention of cybersecurity experts.
Our vulnerability roundup features critical flaws in FortiWeb, Filesystem MCP Servers, and malicious browser extensions affecting nearly a million users. These vulnerabilities emphasize the ongoing battle to secure digital infrastructures.
Finally, we explore a series of CVEs, from Wing FTP Server's remote code execution risk to Zoom's buffer overflow vulnerability, each presenting unique challenges and lessons for cybersecurity professionals.
Stay informed and vigilant as we navigate these complex security landscapes together.
Data Breaches
- Flutter Entertainment investigates player data breach affecting UK customers: Flutter Entertainment is currently investigating a data breach that has impacted a significant number of its UK customers. The breach has raised concerns about the security measures in place to protect sensitive customer information. The company is working to determine the full extent of the breach and implement necessary security enhancements. Source: Esports Insider.
- Ballad Health notifies public of data breach at third-party vendor Renkim: Ballad Health has informed the public about a data breach involving a third-party vendor, Renkim. The breach has raised alarms about the security protocols of third-party vendors handling sensitive health information. Ballad Health is taking steps to mitigate the impact and prevent future breaches. Source: The Coalfield Progress.
- Florida medical clinic warns patients of data breach after Russian group claims responsibility: Florida Lung, Asthma and Sleep Specialists has alerted patients about a data breach potentially involving their personal information. A Russian group has claimed responsibility for the breach, prompting concerns about the security of patient data. The clinic is investigating the breach and enhancing its security measures. Source: WFTV.
- The TalentHook Data Breach: How a Simple Cloud Misstep Exposed Millions of Job Seekers: A cloud misconfiguration at TalentHook has led to a data breach exposing the personal information of millions of job seekers. This incident highlights the critical importance of robust cloud security practices to protect sensitive data. TalentHook is addressing the breach and working to secure its systems. Source: LinkedIn.
- Horizon Healthcare RCM Data Breach - Class Action Lawsuits: Horizon Healthcare RCM has experienced a data breach, prompting affected individuals to consider class action lawsuits. The breach has exposed sensitive personal and health information, raising significant privacy concerns. Legal actions are being explored to address the breach's impact and seek compensation for affected individuals. Source: Class Action.
Security Research
- Indian Ocean fisheries play outsized role in nutritional security: A study by an international team of researchers highlights the significant role that Indian Ocean fisheries play in global nutrition and food security. The research emphasizes the importance of these fisheries in feeding the world and supporting economic stability in the region. Source: The University of Western Australia.
- SafePay Is A 'Highly Specialized' Hacker Group With An Unusual Approach: Security researchers have identified SafePay as a unique hacker group known for its specialized tactics in negotiating with victims. This group stands out due to its unconventional methods, which have caught the attention of cybersecurity experts. Source: CRN.
- CVE-2025-25257: Critical Unauthenticated SQL Injection Vulnerability in FortiWeb: A critical SQL injection vulnerability has been discovered in FortiWeb, allowing potential unauthorized access. This vulnerability was responsibly disclosed to Fortinet, highlighting the ongoing need for vigilance in web application security. Source: Arctic Wolf.
- Critical mcp-remote Vulnerability Enables Remote Code Execution, Impacting Filesystem MCP Servers: Security researcher Elad Beber has identified a serious vulnerability in Filesystem MCP Servers, which could lead to remote code execution. This discovery underscores the importance of maintaining robust security measures in server environments. Source: The Hacker News.
- Nearly a million browsers affected by more malicious browser extensions - here's what we know: Security researcher John Tuckner has warned about the significant security implications of malicious browser extensions affecting nearly a million users. This investigation highlights the ongoing threats posed by browser-based vulnerabilities. Source: TechRadar.
Top CVEs
- CVE-2025-47812: In Wing FTP Server before 7.4.4, a mishandling of '\0' bytes in user and admin web interfaces allows for arbitrary Lua code injection into user session files. This vulnerability enables remote code execution, potentially leading to a total server compromise. Source: Vulners.
- CVE-2025-49464: A classic buffer overflow in certain Zoom Clients for Windows could allow an authorized user to conduct a denial of service attack via network access. This vulnerability highlights the importance of bounds checking and buffer management in software applications. Source: Vulners.
- CVE-2025-4662: Brocade SANnav before SANnav 2.4.0a logs plaintext passphrases in audit logs, which are visible to the server admin of the host server. This vulnerability poses a risk of sensitive information exposure. Source: Vulners.
- CVE-2025-52521: Trend Micro Security 17.8 (Consumer) is vulnerable to a local privilege escalation vulnerability, allowing a local attacker to unintentionally delete privileged Trend Micro files. This could lead to significant security risks for users. Source: Vulners.
- CVE-2025-6236: The Hostel WordPress plugin before 1.1.5.9 does not properly sanitize and escape some settings, allowing high privilege users to perform Stored Cross-Site Scripting attacks. This vulnerability could be exploited even when the unfiltered_html capability is disallowed. Source: Vulners.
API Security
- CVE-2025-53864: Connect2id Nimbus JOSE + JWT before version 10.0.2 is vulnerable to a denial of service attack due to uncontrolled recursion in deeply nested JSON objects within JWT claim sets. This vulnerability allows remote attackers to exploit the system by supplying a maliciously crafted JSON object. Source: Vulners.
- CVE-2025-7021: OpenAI Operator SaaS on Web is susceptible to fullscreen API spoofing and UI redressing attacks. This vulnerability allows remote attackers to capture sensitive user inputs by displaying deceptive fullscreen interfaces with overlaid fake browser controls. Source: Vulners.
- CVE-2025-34101: Serviio Media Server versions 1.4 through 1.8 on Windows have an unauthenticated command injection vulnerability in the /rest/action API endpoint. This flaw allows arbitrary command execution via unsanitized VIDEO parameters passed to cmd.exe. Source: Vulners.
- CVE-2025-53549: The Matrix Rust SDK has an SQL injection vulnerability in the EventCache::find_event_with_relations method. This flaw allows malicious room members to execute arbitrary SQL commands in Matrix clients using the default sqlite-based store backend. Source: Vulners.
- Parse Server exposes the data schema via GraphQL API: The Parse Server GraphQL API previously allowed public access to the schema without requiring a session token or master key, potentially expanding the attack surface. The issue has been addressed by requiring the master key for schema introspection. Source: GitHub.
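As an added illustration of the CVE-2025-53864 failure mode (uncontrolled recursion on deeply nested JWT claim sets), this is not code from the newsletter or from Nimbus JOSE + JWT: it screens the claim segment with an iterative depth count before the token ever reaches a recursive JSON parser. The 32-level limit and the alg=none token builder used for the check are assumptions.

```python
import base64

# Added example: an iterative nesting-depth screen for a JWT claim set, run
# before the token reaches a recursive JSON/JOSE parser (CVE-2025-53864 class).
MAX_CLAIMS_DEPTH = 32  # assumed policy value, not from Nimbus or any spec


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def json_nesting_depth(raw: bytes) -> int:
    """Max bracket depth of a JSON document, scanned without recursion.
    Brackets inside strings (including escaped quotes) are ignored."""
    depth = max_depth = 0
    in_string = escaped = False
    for c in raw.decode("utf-8", errors="replace"):
        if in_string:
            if escaped:
                escaped = False
            elif c == "\\":
                escaped = True
            elif c == '"':
                in_string = False
        elif c == '"':
            in_string = True
        elif c in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif c in "]}":
            depth -= 1
    return max_depth


def claims_depth_ok(token: str, limit: int = MAX_CLAIMS_DEPTH) -> bool:
    """True if the JWT payload segment nests no deeper than `limit`."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        payload = _b64url_decode(parts[1])
    except ValueError:  # bad padding or non-base64url characters
        return False
    return json_nesting_depth(payload) <= limit


def make_unsigned_token(claims_json: str) -> str:
    """Constructed alg=none test token (for exercising the check only)."""
    def enc(b: bytes) -> str:
        return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return enc(b'{"alg":"none"}') + "." + enc(claims_json.encode()) + "."
```

Run the screen on the raw token string at the gateway; a token that fails it is rejected before signature verification or claim parsing, so the recursive parser never sees the nested payload.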
Sponsored by Wallarm API Security Solution
Final Words
As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is constantly evolving, presenting both challenges and opportunities. From data breaches affecting major companies to vulnerabilities in widely-used software, the importance of staying informed and vigilant cannot be overstated. Each story we covered today underscores the critical need for robust security measures and proactive strategies to protect sensitive information.
Whether it's the alarming breaches at Flutter Entertainment and Ballad Health, the unique tactics of the SafePay hacker group, or the vulnerabilities in popular applications like FortiWeb and Zoom, these incidents serve as a reminder of the ever-present threats in our digital world. It's crucial for organizations and individuals alike to prioritize cybersecurity and remain aware of the latest developments.
We hope you found today's insights valuable and thought-provoking. If you did, please consider sharing this newsletter with your friends and colleagues. By spreading awareness and fostering a community of informed individuals, we can collectively enhance our defenses against cyber threats.
Thank you for joining us today. Stay safe, stay informed, and we'll see you in the next edition of Secret CISO!