Secret CISO 7/2: Qantas, Medicare, Chrome, Anthropic - A Global Cybersecurity Wake-Up Call

Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity challenges and breakthroughs. In a world where data breaches are becoming alarmingly common, today's issue delves into a series of high-profile incidents that underscore the fragility of our digital defenses.

We begin with the Qantas data breach, a stark reminder of the vulnerabilities lurking in third-party systems, affecting millions of customers. Meanwhile, the Medicare breach highlights the ongoing battle to protect sensitive health information, as unauthorized accounts threaten the privacy of thousands.

In the realm of academia, Columbia University grapples with a breach of applicant data, while Clark County faces legal action over alleged mishandling of private information. These incidents serve as a wake-up call for institutions to bolster their cybersecurity measures.

On the technological front, ESET's report on Advanced Persistent Threats reveals the evolving tactics of cyber adversaries, while a critical zero-day vulnerability in Chrome poses an immediate threat to users worldwide. Additionally, vulnerabilities in Anthropic's MCP and Adobe Experience Manager remind us of the constant need for vigilance in software security.

Amidst these challenges, we celebrate the rising star of cybersecurity, Dylan, a 13-year-old prodigy making waves at the Microsoft Security Response Center. His story is a beacon of hope, illustrating the importance of nurturing young talent in the fight against cybercrime.

Finally, we explore a series of critical vulnerabilities, from HPE Insight Remote Support to WordPress plugins, each presenting unique risks and urging swift action to safeguard systems. As we navigate this complex landscape, today's issue of Secret CISO is your guide to understanding and addressing the cybersecurity threats of our time.

Data Breaches

  1. Qantas Data Breach: Up to six million Qantas customers have had personal information exposed after an attacker gained access to a third-party customer-servicing platform used by one of the airline's contact centres. Qantas says credit card and other financial details were not compromised. The airline is working to contain the incident and has notified the relevant authorities. The third-party angle is the lesson here: a contractor's platform holding your customer records is inside your breach perimeter whether or not it is inside your network. Source: The Canberra Times, The Annapurna Express, Flight Global, BBC, The Guardian, SBS News, ABC News, RNZ News, news.com.au, Daily Mail
  2. Medicare Data Breach: The Centers for Medicare & Medicaid Services (CMS) reported a breach affecting approximately 103,000 beneficiaries. Unauthorized Medicare.gov accounts were created using beneficiaries' personal information, and notifications are being sent to those affected. CMS is investigating how the data was obtained and how to prevent a repeat. Source: USA Today, Kiplinger, Healthcare Finance News
  3. Clark County Data Breach: Residents have filed lawsuits against Clark County alleging that it mishandled private information exposed in a recent data breach. The suits claim breach of implied contract, negligence, and unjust enrichment, and ask the court to intervene. Source: KIRO7, MyNorthwest.com
  4. Columbia University Data Breach: Columbia University confirmed a breach involving applicants' personal data. The university has engaged CrowdStrike to determine the scope of the theft and to strengthen its defenses against a recurrence. Source: Bloomberg
  5. PowerSchool Data Breach: In the wake of the 2024 PowerSchool breach, Charlotte-Mecklenburg Schools in North Carolina are moving to a new student-information portal. The breach exposed weaknesses in the existing system and prompted the change to better protect student and staff data. Source: QC News

Security Research

  1. ESET APT Activity Report Q4 2024-Q1 2025: Malware sharing, data wiping and exploits: ESET's latest report tracks how Advanced Persistent Threat (APT) groups are evolving, with a focus on tooling shared between groups, destructive data-wiping operations, and the exploitation of vulnerabilities. It is a useful read for anyone mapping adversary tradecraft to their own detection coverage. Source: WeLiveSecurity.
  2. Zero‑Day in Chrome Being Actively Exploited for Remote Code Execution: A zero-day vulnerability in Google Chrome is being exploited in the wild to achieve remote code execution. Users should update to the current stable Chrome release, which contains the fix, and administrators should push the update and have users restart their browsers, since Chrome does not apply an update until relaunch. Researchers who find further issues can report them through Chromium's bug tracker. Source: Cyber Press.
  3. Critical Vulnerability in Anthropic's MCP Exposes Developer Machines to Remote Exploits: A critical flaw in tooling for Anthropic's Model Context Protocol (MCP) could let a remote attacker run code on the machine of a developer using the affected component. Because MCP servers and tools typically run with the developer's own privileges and credentials, local AI development services need the same authentication and network-exposure scrutiny as any other listening service. Source: The Hacker News.
  4. Searchlight Cyber Finds Three Cross-Site Scripting Vulnerabilities in Adobe Experience Manager: Searchlight Cyber has identified three cross-site scripting (XSS) vulnerabilities in Adobe Experience Manager that could allow an attacker to run script in the browser of an AEM user. The finding is a reminder that mature, widely deployed content platforms still need continuous security research. Source: CBS4Indy.
  5. Rising star: Meet Dylan, MSRC's youngest security researcher: At just 13 years old, Dylan has become the youngest security researcher to work with the Microsoft Security Response Center (MSRC). His contributions show why nurturing young talent matters for the cybersecurity field. Source: MSRC Blog.

Top CVEs

  1. CVE-2025-37099: A remote code execution vulnerability exists in HPE Insight Remote Support (IRS) in versions prior to the fixed release. An attacker can execute arbitrary code remotely, compromising the integrity and confidentiality of the host. Organizations running IRS should update to the version named in HPE's advisory. Source: Vulners.
  2. CVE-2025-36630: In Tenable Nessus versions prior to 10.8.5 on Windows, a non-administrative user can overwrite arbitrary local system files with log content at SYSTEM privileges. Because the overwrite happens with SYSTEM rights, it can be turned into local privilege escalation. Users should update to 10.8.5 or later. Source: Vulners.
  3. CVE-2025-34060: A PHP object injection vulnerability in the Monero Project's Laravel-based forum software lets an attacker bypass MIME-type checks on uploads and read internal configuration files, including the Laravel APP_KEY. With that key an attacker can forge the encrypted, serialized payloads Laravel trusts, turning the injection into remote code execution. Users should apply the available patches. Source: Vulners.
  4. CVE-2025-6463: The Forminator Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation. Unauthenticated attackers can delete critical files on the server; deleting wp-config.php, for example, returns the site to its setup state and can be leveraged into remote code execution. Update to a fixed version. Source: Vulners.
  5. CVE-2025-41656: An unauthenticated remote attacker can execute arbitrary commands on affected devices due to an improper authentication configuration in the bundled Node-RED server. Because Node-RED flows run with the privileges of the Node-RED process, an unauthenticated editor amounts to high-privilege command execution. Operators should confirm that Node-RED's editor and admin API authentication (the adminAuth setting) is enabled and not reachable anonymously. Source: Vulners.
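The Forminator entry above is a file-path validation bug, and the Nessus and Monero forum items turn on the same theme of trusting a path or file the user influences. As an added example, not code from any of those products, the following Python shows the naive string-prefix check that traversal and prefix-sibling inputs defeat, beside a hardened version that canonicalises the path and compares components. The directory and file names are constructed sample data created in a temporary directory.

```python
"""Path validation for a delete-file endpoint: a naive check beside a hardened one.

Illustrative code added by the editor; not Forminator's or WordPress's source.
The file names are constructed sample data.
"""
import os
import tempfile
from pathlib import Path


def unsafe_delete(root: str, user_path: str) -> bool:
    """Vulnerable pattern: a string-prefix check on an uncanonicalised path.

    os.path.join() keeps '../' segments, so 'root/../wp-config.php' still
    starts with root and passes. A sibling directory that merely shares the
    prefix ('uploads_evil' next to 'uploads') passes too.
    """
    target = os.path.join(root, user_path)
    if not target.startswith(root):
        return False
    if not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def safe_delete(root: str, user_path: str) -> bool:
    """Hardened form: canonicalise, then compare path components, not strings."""
    if "\x00" in user_path:  # a NUL byte would truncate the path in C-level APIs
        return False
    root_real = Path(os.path.realpath(root))
    # realpath() collapses '..' and follows symlinks in every component, so a
    # link planted inside root that points outside it resolves outside root.
    resolved = Path(os.path.realpath(Path(root) / user_path))
    # is_relative_to() compares components, so 'uploads_evil' is not under 'uploads'.
    if resolved == root_real or not resolved.is_relative_to(root_real):
        return False
    if not resolved.is_file():
        return False
    os.remove(resolved)
    return True


def _make_tree() -> tuple[Path, Path]:
    """Constructed sample tree: an upload root, a config file beside it, and a sibling dir."""
    base = Path(tempfile.mkdtemp())
    uploads = base / "uploads"
    uploads.mkdir()
    (uploads / "ok.txt").write_text("legitimate upload")
    (base / "wp-config.php").write_text("<?php // constructed stand-in for a file outside root")
    evil = base / "uploads_evil"
    evil.mkdir()
    (evil / "x.txt").write_text("sibling directory sharing the prefix")
    return base, uploads


def demo() -> dict[str, bool]:
    """Run both versions against traversal, prefix-sibling and legitimate inputs.

    Every value is True when the code behaves as described: the unsafe version
    deletes what it should not, the safe version refuses those inputs and still
    deletes a genuine upload.
    """
    base, uploads = _make_tree()
    root = str(uploads)
    sibling = str(base / "uploads_evil" / "x.txt")  # absolute path with the same prefix
    results = {
        "unsafe_traversal_deleted_config": unsafe_delete(root, "../wp-config.php"),
        "unsafe_sibling_deleted": unsafe_delete(root, sibling),
    }
    base, uploads = _make_tree()  # fresh tree for the hardened version
    root = str(uploads)
    sibling = str(base / "uploads_evil" / "x.txt")
    results.update({
        "safe_traversal_refused": not safe_delete(root, "../wp-config.php"),
        "safe_sibling_refused": not safe_delete(root, sibling),
        "safe_nul_refused": not safe_delete(root, "ok.txt\x00.php"),
        "safe_root_itself_refused": not safe_delete(root, "."),
        "safe_legit_deleted": safe_delete(root, "ok.txt"),
    })
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the hardened version is that the decision is made on the canonical path the operating system will actually act on, not on the string the request carried. Resolving symlinks before the containment check is what stops a planted link inside the root from reaching a file outside it, which is the same class of trick behind log-file overwrite bugs such as the Nessus entry.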

API Security

  1. Unauthorized Access in Soumettre.fr Plugin: The Soumettre.fr plugin for WordPress is vulnerable to unauthorized data access and modification because the make_signature function lacks an authorization check. Unauthenticated attackers can create, edit, or delete Soumettre posts on installations where the Soumettre account is not connected. Source: Vulners.
  2. Incorrect Access Control in linjiashop: Linjiashop versions up to 0.9 have an access-control flaw that lets an attacker bypass authentication and retrieve users' encrypted passwords and salts, and the default-generated JWT used for authentication can be attacked by brute force. Applications that ship a default signing secret should force a unique, randomly generated one at install time. Source: Vulners.
  3. Sensitive Information Exposure in GitHub Enterprise Server: A vulnerability in GitHub Enterprise Server 3.17 allows an attacker to disclose the names of private repositories within an organization by calling the Search API with a user-to-server token that has no scopes. Only version 3.17 is affected. Source: Vulners.
  4. Race Condition in Sentry OAuth: Sentry, the developer-first error tracking tool, had a race condition that allowed an attacker controlling a malicious OAuth application to keep persistent access to a user's account. The issue is fixed in version 25.5.0; self-hosted users should upgrade. Source: Vulners.
  5. Cloud Infrastructure Misconfiguration in OneLogin: A misconfiguration in the OneLogin AD Connector sent log data to a hardcoded S3 bucket without validating that the bucket was owned by OneLogin. S3 bucket names are global, so an attacker could register the unclaimed name and receive sensitive log files from other tenants, potentially recovering JWT signing keys. Code that writes to a fixed bucket should pin the expected owner (for example with S3's ExpectedBucketOwner request condition) rather than trust the bucket name alone. Source: Vulners.

Sponsored by Wallarm API Security Solution

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the cybersecurity landscape is as dynamic as ever. From the massive data breach affecting millions of Qantas customers to the vulnerabilities discovered in widely-used software, the challenges we face are both complex and evolving. Each story we covered today underscores the critical importance of staying informed and vigilant in our digital world.

Whether it's the inspiring story of young Dylan making waves in cybersecurity or the urgent need to patch vulnerabilities in systems like HPE Insight Remote Support, these narratives remind us that cybersecurity is a shared responsibility. It's about protecting not just our own data, but also the broader digital ecosystem we all rely on.

If you found today's insights valuable, please consider sharing this newsletter with your friends and colleagues. Together, we can build a more secure digital future by spreading awareness and fostering a community that prioritizes cybersecurity.

Thank you for being a part of the Secret CISO community. Stay safe, stay informed, and we'll see you in the next edition!
