Secret CISO 7/12: McDonald's AI Breach, Qantas Cyberattack, PerfektBlue Bluetooth Flaws, Citrix NetScaler Exploitation - A Global Data Security Wake-Up Call

Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity breaches and vulnerabilities that have surfaced across the globe. In this issue, we delve into a series of alarming incidents that underscore the critical importance of robust security measures in our increasingly digital world.
Our journey begins with a startling revelation from McDonald's, where a simple password flaw in their AI recruitment bot exposed the personal data of 64 million job applicants. This breach serves as a stark reminder of the vulnerabilities inherent in AI-driven processes. Meanwhile, the skies aren't safe either, as both T.F. Green International Airport and Qantas grapple with data breaches affecting travelers and customers alike, highlighting the aviation industry's ongoing battle with cyber threats.
Luxury isn't immune to cyberattacks, as Louis Vuitton faces a significant data breach in Türkiye, exposing the personal information of over 140,000 users. This incident echoes the broader challenges luxury brands encounter in safeguarding customer data. In the financial sector, Prudential Financial's $4.75 million settlement following a data breach underscores the financial repercussions of inadequate data protection.
On the technological front, a critical vulnerability in Wing FTP Server was exploited within hours of its disclosure, while PerfektBlue Bluetooth vulnerabilities threaten millions of vehicles with remote code execution. These incidents highlight the pervasive risks associated with software vulnerabilities and the urgent need for timely patching and updates.
As we navigate through these stories, we also uncover a series of critical vulnerabilities affecting popular platforms like Microsoft Edge, Citrix NetScaler, and WordPress plugins, each posing unique threats to user security. From path traversal exploits in open-source projects to cache deception vulnerabilities in CDN systems, today's issue is a testament to the diverse and evolving landscape of cybersecurity challenges.
Stay informed and vigilant as we continue to explore these pressing issues, providing insights and guidance to help you fortify your defenses in an ever-changing digital environment.
Data Breaches
- How McDonald's AI Bot Exposed Millions of Peoples' Data: A McDonald's data breach exposed the personal information of 64 million job applicants due to a weak password in Paradox.ai's AI system. This incident highlights the vulnerabilities in AI-driven recruitment processes and the need for robust security measures. Source: AI Magazine, News.com.au
- RI Airport Corporation: Data breach impacted TF Green travelers: The parent company of T.F. Green International Airport reported a data breach affecting dozens of travelers. The breach occurred in early May, compromising sensitive traveler information. Source: WPRI.com
- Louis Vuitton hit by data breach in Türkiye, over 140,000 users exposed: Louis Vuitton experienced a data breach in Türkiye, exposing the personal data of over 140,000 users. This incident underscores the ongoing challenges luxury brands face in protecting customer data. Source: DataBreaches.Net, Techzine Global, The Guardian, WWD
- Qantas Updates Cyberattack, Experts Counsel Data Safety Plan: Qantas confirmed that the data of 5.7 million unique customers was compromised in a recent cyberattack. The breach has prompted experts to advise on enhanced data safety measures for the airline industry. Source: Business Travel News
- Prudential Financial $4.75M Data Breach Settlement: Prudential Financial reached a $4.75 million settlement following a data breach in February 2024. Affected consumers may qualify for a cash payment as part of the class action settlement. Source: Claim Depot
Security Research
- 10/10 Wing FTP bug exploited within hours, cyber pros say: Huntress researchers observed in-the-wild exploitation of a CVSS 10.0 remote code execution flaw in Wing FTP Server within a day of its public disclosure. The flaw lets an attacker run arbitrary code on the server, so anyone exposing Wing FTP to the internet should upgrade to the patched release immediately and review recent logs for signs of compromise. Source: The Register.
- PerfektBlue Bluetooth Vulnerabilities Expose Millions of Vehicles to Remote Code Execution: Researchers disclosed four flaws, collectively named PerfektBlue, in OpenSynergy's BlueSDK Bluetooth stack; chained together they can give an attacker in Bluetooth range code execution on a vehicle's infotainment system once a pairing is accepted. BlueSDK ships in head units from multiple manufacturers, so the exposure spans many makes and models. Source: The Hacker News.
- '123456' password exposed chats for 64 million McDonald's job applicants: Researchers found that the administrative login for McDonald's McHire chatbot platform, built by Paradox.ai, accepted the default credential '123456', and that applicant records could then be enumerated by changing an identifier in requests (an insecure direct object reference), exposing the chats and personal data of more than 64 million applicants. Default credentials and missing object-level authorization, not the AI model itself, were the failures here. Source: Bleeping Computer.
- 'Critical' Citrix NetScaler Vulnerability Now Seeing Exploitation: A critical vulnerability in Citrix NetScaler ADC and Gateway is being exploited in the wild, and CISA has ordered federal agencies to apply the fixes. Appliances configured as a Gateway (VPN virtual server) are affected. Upgrading alone is not sufficient: after patching, terminate active ICA and PCoIP sessions, since sessions established before the fix remain usable to an attacker who captured them. Source: CRN.
- 350M Cars, 1B Devices Exposed to 1-Click Bluetooth RCE: Dark Reading's coverage of PerfektBlue puts the exposure at roughly 350 million vehicles and a billion devices overall, since OpenSynergy's BlueSDK is also used outside automotive, in medical and consumer electronics. The attack needs the target to accept a single pairing request, hence "1-click"; the remaining steps need no further interaction. Source: Dark Reading.
Top CVEs
- CVE-2025-47963: Microsoft Edge (Chromium-based) Spoofing Vulnerability. The flaw lets an unauthorized attacker perform spoofing over a network, presenting content or browser UI that misleads the user about what they are interacting with. The practical risk is phishing and credential theft rather than code execution. Source: Vulners.
- CVE-2025-47182: Microsoft Edge Improper Input Validation. Improper input validation in Microsoft Edge (Chromium-based) lets an authorized attacker bypass a security feature. Security-feature bypasses of this kind are usually one link in a longer exploit chain, so treat the update as routine but not optional. Source: Vulners.
- CVE-2023-38036: Ivanti Avalanche Manager Buffer Overflow. Ivanti Avalanche Manager before version 6.4.1 lets an unauthenticated attacker trigger a buffer overflow, which can crash the service or lead to arbitrary code execution. Avalanche manages mobile device fleets, so a compromised manager is a foothold into every enrolled device. Source: Vulners.
- CVE-2025-50121: OS Command Injection Vulnerability. Special elements in a folder name are passed to an OS command without neutralization, so an unauthenticated attacker who can create a folder through the web interface gets remote code execution. Source: Vulners.
- CVE-2025-5392: WordPress GB Forms DB Plugin Remote Code Execution. The GB Forms DB plugin for WordPress fails to restrict or validate user input, allowing unauthenticated attackers to execute code on the server, which is enough to plant a backdoor or create an administrative account. Source: Vulners.
API Security
- CVE-2025-7452: A critical path traversal vulnerability was found in the GetFile function of the file_controller.go component in kone-net go-chat. A remote request with a crafted file name can read files outside the intended directory, and a public exploit is available. Source: Vulners.
- CVE-2025-7450: A critical path traversal vulnerability was found in the ResetUserAvatar function of letseeqiji gorobbs. Remote attackers can manipulate the filename argument to reach files outside the avatar directory, and the exploit has been published. Source: Vulners.
- CVE-2025-43856: Immich, a self-hosted photo and video management solution, did not correctly validate the OAuth2 state parameter during account linking, which allows an attacker to get a victim's account linked to the attacker's OAuth identity and then log in as the victim. The fix is included in recent releases. Source: Vulners.
- Better Call routing bug can lead to Cache Deception: A routing bug in Better Call can turn a CDN cache into a leak: because path matching was too loose, a request for a per-user endpoint with a static-looking suffix is answered with that user's data and then cached by the CDN, where anyone who requests the same URL can read it. Per-user responses need explicit no-store headers and exact route matching. Source: Vulners.
- CVE-2025-53862: Three API endpoints in Ansible are reachable without authentication and can leak sensitive data. Apply the vendor patch, and restrict network access to the API in the meantime. Source: Vulners.
Sponsored by Wallarm API Security Solution
Final Words
As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is fraught with challenges and opportunities for learning. From McDonald's AI bot mishap to the vulnerabilities in Bluetooth technology affecting millions of vehicles, each story serves as a crucial reminder of the importance of robust cybersecurity measures. Whether it's a luxury brand like Louis Vuitton or a major airline like Qantas, no organization is immune to the threats posed by cyberattacks.
These incidents underscore the need for constant vigilance and proactive strategies to safeguard sensitive information. As we navigate this complex terrain, sharing knowledge and insights becomes more important than ever. By staying informed and prepared, we can better protect our digital assets and maintain trust with our customers and stakeholders.
If you found today's newsletter insightful, don't keep it a secret! Share it with your friends and colleagues who might benefit from staying updated on the latest cybersecurity news and trends. Together, we can build a stronger, more secure digital future.
Thank you for joining us today. Stay safe, stay informed, and see you in the next edition of Secret CISO!