Secret CISO 7/23: Louis Vuitton & Qantas Breaches Expose Millions, Microsoft SharePoint Flaw Ignored, Quantum Blockchain's Post-Quantum Promise, Apple Alerts Iranians on iPhone Spyware

Welcome to today's edition of Secret CISO, where we unravel a tapestry of cybersecurity incidents that have left a mark across industries and borders. From the opulent corridors of Louis Vuitton to the digital skies of Qantas, data breaches are shaking the foundations of trust and security.
In Australia, luxury meets vulnerability as Louis Vuitton and a major fashion giant face data breaches, exposing sensitive customer information. Meanwhile, Qantas grapples with a breach affecting millions, highlighting the aviation sector's growing cybersecurity challenges.
Across the Pacific, Compumedics USA Inc. and Genea IVF in Australia are under scrutiny as breaches expose personal and medical data, with affected individuals being urged to seek legal counsel and alarms raised about the protection of sensitive information.
On the tech frontier, Microsoft finds itself in the spotlight again with a SharePoint security flaw exploited by Chinese hackers, despite prior knowledge of the vulnerability. This revelation underscores the critical need for timely and effective patching in safeguarding digital infrastructures.
In a world where quantum computing looms on the horizon, researchers propose a quantum blockchain protocol promising robust post-quantum security. Meanwhile, Apple alerts Iranian users to spyware attacks, and Darktrace's acquisition of Mira Security aims to bridge the encryption gap.
As we delve into the vulnerabilities of today, from libssh to WordPress plugins, the importance of secure coding practices and comprehensive testing becomes ever more apparent. Join us as we navigate these stories, each a chapter in the ongoing saga of cybersecurity.
Data Breaches
- Louis Vuitton Data Breach: Louis Vuitton, a high-end luxury brand, suffered a data breach in Australia, exposing customer details including passport numbers. The breach has raised significant concerns over the security of personal information among its clientele. Source: The Sydney Morning Herald
- Compumedics Data Breach: Compumedics USA Inc. experienced a data breach that potentially compromised sensitive information such as names, birth dates, and Social Security numbers. The breach is under investigation, and affected individuals are being urged to seek legal counsel. Source: Morningstar
- Microsoft SharePoint Security Breach: Microsoft confirmed a security breach where Chinese hackers exploited a flaw in SharePoint. The company has released patches to address the vulnerability, ensuring that cloud-based Microsoft 365 services remain unaffected. Source: GeekWire
- Qantas Data Breach: A data breach at Qantas exposed the personal information of six million customers, prompting cybersecurity warnings for travelers. The incident highlights the increasing digital threats faced by the airline industry. Source: SecurityBrief Australia
- Genea IVF Data Breach: Genea, a major IVF clinic in Australia, revealed a data breach on the dark web affecting thousands of patients. The breach has caused significant distress among those affected, raising concerns over the security of sensitive medical information. Source: news.com.au
Security Research
- Microsoft Knew of SharePoint Security Flaw but Failed to Effectively Patch It: A recent investigation revealed that Microsoft was aware of a significant security flaw in SharePoint but did not effectively patch it, leaving systems vulnerable. The flaw's discovery earned the researcher a $100,000 reward. Source: Reuters
- Quantum Blockchain Offers Potential Post-Quantum Security: Researchers have proposed a new quantum blockchain protocol that combines the security of time-entangled states with the scalability of hypergraph structures. This innovation could provide robust security in a post-quantum world. Source: Quantum Zeitgeist
- Apple Alerted Iranians to iPhone Spyware Attacks: Apple has notified Iranian users about spyware attacks targeting iPhones, as reported by security researchers. The attacks are believed to be part of a broader campaign against dissidents. Source: TechCrunch
- Darktrace's Mira Acquisition to Tackle the Encryption Gap: Darktrace has acquired Mira Security to address encryption challenges. This strategic move aims to enhance Darktrace's capabilities in managing encrypted traffic and improving overall cybersecurity. Source: Technology Magazine
- Huge Data Breach at Australian Fashion Giant: A security researcher discovered an unencrypted database belonging to an Australian fashion brand, exposing personal information of 3.5 million users. The breach highlights the ongoing risks of inadequate data protection measures. Source: TechRadar
Top CVEs
- CVE-2025-4878: A vulnerability in libssh involves an uninitialized variable in the privatekey_from_file() function. This flaw can be triggered if the specified file doesn't exist, potentially leading to signing failures or heap corruption. This issue highlights the importance of proper input validation and error handling in cryptographic libraries. Source: Vulners.
- CVE-2025-48964: A denial of service vulnerability exists in iputils' ping utility through 20240905. It is caused by a crafted ICMP Echo Reply packet that can lead to integer overflow during statistics calculations due to a zero timestamp. This flaw underscores the need for comprehensive fixes and thorough testing to prevent incomplete patches. Source: Vulners.
- CVE-2025-6213: The Nginx Cache Purge Preload plugin for WordPress is vulnerable to Remote Code Execution in versions up to 2.1.1. This vulnerability is due to insufficient sanitization of the $_SERVER['HTTP_REFERERER'] parameter, allowing authenticated attackers with Administrator-level access to execute code. This highlights the critical need for secure coding practices in plugin development. Source: Vulners.
API Security
- CVE-2025-8022: All versions of the package bun are vulnerable to OS Command Injection due to improper neutralization of user input in the $ shell API. An attacker can exploit this by providing specially crafted input, leading to unintended command execution. Source: Vulners.
- CVE-2025-54137: HAX CMS NodeJS versions 11.0.9 and below have hardcoded default credentials and private keys for JWTs, which can be accessed from public repositories. This allows attackers to access unconfigured self-hosted instances and perform further attacks. Source: Vulners.
- Ollama vulnerable to Cross-Domain Token Exposure: In Ollama 0.6.7, remote attackers can steal authentication tokens and bypass access controls via a malicious realm value in a WWW-Authenticate header. Source: Vulners.
- CVE-2025-31513: AlertEnterprise Guardian 4.1.14.2.2.1 has an issue where one can elevate to administrator privileges via the IsAdminApprover parameter in a Request%20Building%20Access requestSubmit API. Source: Vulners.
- CVE-2025-51479: Authorization bypass in Onyx Enterprise Edition 0.27.0 allows remote authenticated attackers to modify arbitrary user groups via crafted PATCH requests, bypassing intended curator-group assignment. Source: Vulners.
Final Words
As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is fraught with challenges, from high-profile data breaches affecting luxury brands like Louis Vuitton to critical vulnerabilities in widely-used platforms such as Microsoft SharePoint. Each story serves as a reminder of the ever-evolving nature of cybersecurity threats and the importance of staying informed and vigilant.
Whether it's the innovative strides in post-quantum security or the alarming revelations of unpatched vulnerabilities, our goal is to keep you ahead of the curve. We hope today's insights have equipped you with the knowledge to better protect your digital assets and navigate the complex world of cybersecurity.
If you found this newsletter valuable, please consider sharing it with your friends and colleagues. Together, we can build a more secure digital future by spreading awareness and fostering a community of informed cybersecurity professionals.
Thank you for joining us today. Stay safe, stay secure, and we'll see you in the next edition of Secret CISO!