Secret CISO 7/26: MoD & NASCAR Breaches, VMware & SharePoint Flaws, Google Spyware Delay: A Tale of Data Leaks, Vulnerabilities, and Slow Responses in a Digital World

Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity breaches and vulnerabilities that have surfaced across the globe. In a world where data is the new currency, today's stories highlight the fragility of our digital defenses and the relentless pursuit of those who seek to exploit them.
Our journey begins with a massive data leak from the UK's Ministry of Defence, exposing the personal details of thousands of Afghan applicants. This breach not only raises questions about data protection but also opens the door to potential compensation claims. Meanwhile, the Tea app, designed to offer women a safe space to discuss their dating experiences, has ironically fallen victim to a breach, exposing user IDs and challenging the very notion of digital privacy.
In the high-octane world of NASCAR, a ransomware attack has put names and social security information at risk, while Clive Palmer's companies have joined the ranks of major corporations grappling with cyber threats. Educational institutions aren't immune either, as Brigham Young University finds itself under investigation for a data breach that could compromise sensitive records.
On the technical front, critical vulnerabilities in VMware Tools and SharePoint demand immediate attention, as they pose significant risks of unauthorized access and remote code execution. The AI ecosystem is not spared, with LLM plugin vulnerabilities underscoring the need for robust security measures.
Google's delayed response to shutting down a spyware operation hosted on its servers raises concerns about the tech giant's agility in addressing threats. Meanwhile, a luggage service's web bugs have exposed the travel plans of users, including diplomats, highlighting the pervasive nature of security flaws.
Finally, we delve into a series of vulnerabilities affecting popular platforms like libssh, WinRAR, and Salesforce Tableau Server, each presenting unique challenges that demand swift action to prevent exploitation.
As we navigate this digital landscape, today's stories serve as a stark reminder of the ever-evolving threats we face and the critical importance of staying vigilant in safeguarding our digital world.
Data Breaches
- Afghans exposed in huge MoD data leak could get thousands in compensation: Approximately 18,700 Afghan applicants to the UK resettlement scheme had their personal details leaked due to a Ministry of Defence blunder. This breach has raised significant concerns about data protection and potential compensation for those affected. Source: The Independent.
- Tea, an app for women to safely talk about men they date, has been breached, user IDs exposed: The breach affects users who signed up before February 2024, with no evidence suggesting additional data was compromised. This incident highlights vulnerabilities in apps designed for privacy and safety. Source: KGW.
- Hacked: NASCAR confirms data breach, names and social security info held for ransom: NASCAR has confirmed a data breach involving a ransom demand from Medusa Ransomware, affecting names and social security information. This breach underscores the ongoing threat of ransomware attacks in the sports industry. Source: On3.
- Clive Palmer's Mineralogy and Queensland Nickel Group say data stolen in cyber attack: Following a recent cyber attack on Qantas, data from Clive Palmer's companies was stolen, prompting calls for improved cyber security laws. This incident highlights the vulnerability of major corporations to cyber threats. Source: ABC News.
- PRIVACY ALERT: Brigham Young University Under Investigation for Data Breach of Records: Brigham Young University is under investigation for a data breach impacting sensitive personal information. This breach raises concerns about data security in educational institutions. Source: The Malaysian Reserve.
Security Research
- Critical VMware Tools VGAuth Vulnerabilities Enable Full System Access for Attackers: Security researcher Sergey Bliznyuk has uncovered critical vulnerabilities in VMware Tools' VGAuth service, which can be exploited by attackers to gain full system access. The flaw involves creating a named pipe at \\.\pipe\vgauth-service-system, allowing unauthorized access and control over affected systems. Source: Cybersecurity News.
- Critical SharePoint RCE (CVE-2025-53770): Security researcher Sıla Özeren Hacıoğlu has detailed a critical remote code execution vulnerability in SharePoint, identified as CVE-2025-53770. This exploit poses a significant threat, enabling attackers to execute arbitrary code on vulnerable SharePoint servers, necessitating immediate attention and patching. Source: LinkedIn.
- LLM Plugin Vulnerabilities Highlight Growing Threat to AI Ecosystems: Recent research has identified significant security flaws in large language model (LLM) plugins, which could be exploited to compromise AI systems. The vulnerabilities underscore the need for robust security measures to protect AI ecosystems from potential threats. Source: SC Media.
- Google Took a Month to Shut Down Catwatchful, a Phone Spyware Operation Hosted on Its Servers: Security researcher Eric Daigle discovered a security bug in the Catwatchful spyware operation, which was hosted on Google's servers. Despite the severity of the issue, it took Google a month to shut down the operation, raising concerns about response times to such threats. Source: TechCrunch.
- A Premium Luggage Service's Web Bugs Exposed the Travel Plans of Every User: Security flaws in Airportr, a luggage checking service, exposed the travel plans of its users, including diplomats. Researchers at CyberX9 found that simple bugs in the service's web infrastructure could be exploited to access sensitive travel information. Source: WIRED.
Top CVEs
- Libssh: integer overflow in libssh sftp server packet length validation leading to denial of service: A flaw was found in the SFTP server message decoding logic of libssh. The issue occurs due to an incorrect packet length check that allows an integer overflow when handling large payload sizes on 32-bit systems. This issue leads to failed memory allocation and causes the server process to crash, resulting in a denial of service. Source: https://vulners.com/cve/CVE-2025-5449
- NULL Pointer Dereference in µD3TN: NULL Pointer Dereference in µD3TN via non-singleton destination Endpoint Identifier allows remote attackers to reliably cause a denial of service. This vulnerability can be exploited by sending specially crafted packets to the affected system, leading to a crash. Source: https://vulners.com/cve/CVE-2025-8183
- WinRAR < 5.00 Filename Spoofing RCE: A filename spoofing vulnerability exists in WinRAR when opening specially crafted ZIP archives. The issue arises due to inconsistencies between the Central Directory and Local File Header entries in ZIP files. When viewed in WinRAR, the file name from the Central Directory is displayed to the user, while the file from the Local File Header is extracted and executed. An attacker can leverage this flaw to spoof filenames and trick users into executing malicious payloads under the guise of harmless files, potentially leading to remote code execution. Source: https://vulners.com/cve/CVE-2014-125119
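The Central Directory versus Local File Header inconsistency behind the WinRAR item above is easy to detect before an archive reaches a user. The checker below is an added example written for this newsletter, not code from any of the cited advisories; it walks both header sets of a ZIP with the standard library and reports entries whose names disagree. The sample archive it builds is constructed in memory, with the local header name rewritten to a same-length ".exe" name to reproduce the mismatch.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End of Central Directory record
CDH_SIG = b"PK\x01\x02"    # Central Directory file header
LFH_SIG = b"PK\x03\x04"    # Local File Header


def find_name_mismatches(data: bytes) -> list[tuple[str, str]]:
    """Return (central_directory_name, local_header_name) pairs that differ.

    WinRAR showed the Central Directory name but extracted the Local File
    Header entry, so any pair returned here is the spoofing condition.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no End of Central Directory record")
    # EOCD: sig, disk, cd disk, entries on disk, entries total, cd size, cd offset, comment len
    _, _, _, _, entries, _, cd_offset, _ = struct.unpack_from("<4s4H2LH", data, eocd)
    mismatches = []
    pos = cd_offset
    for _ in range(entries):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError(f"bad central directory header at offset {pos}")
        f = struct.unpack_from("<4s6H3L5H2L", data, pos)   # 46-byte fixed part
        name_len, extra_len, comment_len, lfh_offset = f[10], f[11], f[12], f[16]
        cd_name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        pos += 46 + name_len + extra_len + comment_len
        if data[lfh_offset:lfh_offset + 4] != LFH_SIG:
            raise ValueError(f"bad local file header at offset {lfh_offset}")
        lfh_name_len = struct.unpack_from("<H", data, lfh_offset + 26)[0]
        lfh_name = data[lfh_offset + 30:lfh_offset + 30 + lfh_name_len].decode("utf-8", "replace")
        if cd_name != lfh_name:
            mismatches.append((cd_name, lfh_name))
    return mismatches


def build_sample_zip(spoof: bool) -> bytes:
    """Constructed one-file archive; with spoof=True the Local File Header
    name is rewritten in place to a same-length name ending in .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("notes.txt", b"just some text")
    data = buf.getvalue()
    if spoof:
        # The Local File Header precedes the Central Directory, so the first
        # occurrence of the name is the one an extractor would act on.
        data = data.replace(b"notes.txt", b"notes.exe", 1)
    return data


if __name__ == "__main__":
    print("clean:", find_name_mismatches(build_sample_zip(spoof=False)))
    print("spoofed:", find_name_mismatches(build_sample_zip(spoof=True)))
```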
API Security
- CVE-2025-54414 Anubis accepts crafted redirect URLs in pass-challenge 'Try Again' buttons: Anubis, a Web AI Firewall Utility, has a vulnerability in versions 1.21.2 and below where attackers can craft malicious pass-challenge pages. A crafted redirect URL can cause a user's browser to execute arbitrary JavaScript or trigger nonstandard URL schemes. The issue can be mitigated by blocking requests to specific routes with certain parameters. Source: Vulners.
- CVE-2025-54385 XWiki Platform's searchDocuments API allows for SQL injection: XWiki Platform, a generic wiki platform, has a vulnerability in versions 17.0.0-rc1 to 17.2.2 and 16.10.5 and below. The searchDocuments API allows SQL queries to be executed in Oracle databases due to improper sanitization. This vulnerability has been fixed in later versions. Source: Vulners.
- CVE-2025-54378 HAX CMS Backend Lacks Comprehensive Authorization Checks: HAX CMS, used for managing microsites, has a vulnerability in versions 11.0.13 and below for NodeJs and 11.0.8 and below for PHP. The API endpoints fail to perform authorization checks, allowing authenticated users to interact with resources without permission. This issue has been addressed in subsequent versions. Source: Vulners.
- CVE-2025-52452 Improper Limitation of a Pathname to a Restricted Directory in Salesforce Tableau Server: A path traversal vulnerability exists in Salesforce Tableau Server, affecting versions before 2025.1.3 and 2024.2.12. This allows attackers to perform absolute path traversal, potentially leading to unauthorized access to sensitive files. Source: Vulners.
- CVE-2025-52448 Authorization Bypass Through User-Controlled Key in Salesforce Tableau Server: This vulnerability in Salesforce Tableau Server affects versions before 2025.1.3 and 2024.2.12. It allows interface manipulation and unauthorized data access to the production database cluster due to an authorization bypass through a user-controlled key. Source: Vulners.
Sponsored by Wallarm API Security Solution
Final Words
As we wrap up today's edition of Secret CISO, it's clear that the digital landscape remains as dynamic and challenging as ever. From the significant data breaches affecting individuals and organizations worldwide to the critical vulnerabilities threatening our systems, the need for robust cybersecurity measures has never been more pressing.
Each story we shared today—from the Afghan data leak to the vulnerabilities in AI ecosystems—serves as a reminder of the importance of vigilance and proactive defense strategies. Whether it's safeguarding personal data, securing corporate networks, or ensuring the integrity of educational institutions, the responsibility falls on all of us to stay informed and prepared.
We hope you found today's insights valuable and thought-provoking. If you did, please consider sharing this newsletter with your friends and colleagues. By spreading awareness, we can collectively strengthen our defenses and foster a more secure digital environment for everyone.
Thank you for being a part of our community. Stay safe, stay informed, and we'll see you in the next edition of Secret CISO.