Secret CISO 8/12: WestJet, Bouygues, Dior, Google Breaches; AI & Auto Security Flaws; SQL Injection Threats

Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity incidents and breakthroughs shaping our digital world. On this eventful day, we delve into a series of high-profile data breaches that have rocked industries across the globe, from aviation and telecom to luxury brands and tech giants. WestJet, Bouygues Telecom, Dior, and Google are all grappling with the aftermath of significant security breaches, underscoring the urgent need for robust data protection strategies.
In a surprising twist, even the notorious North Korean hacking group Kimsuky finds itself on the receiving end of a data breach, revealing vulnerabilities within the most sophisticated cyber actors. Meanwhile, Trend Micro's Zero Day Initiative celebrates two decades of pioneering vulnerability research, a testament to the ongoing battle against cyber threats.
Our exploration continues with a spotlight on critical vulnerabilities exposed in various sectors. From automotive digital infrastructures to AI models like GPT-5, the need for enhanced cybersecurity measures is more pressing than ever. We also uncover serious flaws in widely used software tools, including Microsoft's NLWeb and shared Linux environments, calling for heightened vigilance in software development and security testing.
Finally, we navigate through a series of newly identified vulnerabilities, each with the potential to disrupt digital ecosystems. From SQL injection flaws in MASA CMS to authentication bypasses in Komari, these vulnerabilities highlight the relentless efforts of cybercriminals to exploit weaknesses. As we dissect these incidents, we emphasize the importance of proactive security measures to safeguard our digital future.
Join us as we connect the dots in this complex narrative, offering insights and strategies to fortify your defenses in an ever-evolving cyber landscape.
Data Breaches
- WestJet Security Breach: WestJet has provided an update on a security breach that occurred on June 13, detailing the measures taken to protect customer data. A cybersecurity expert emphasizes the importance of robust data protection strategies. Source: CBC.ca
- French Telecom Bouygues Data Breach: Bouygues Telecom, a major French telecom provider, has reported a significant data breach affecting millions of customers. The breach highlights the critical need for telecom companies to enhance their cybersecurity measures. Source: Business & Human Rights Resource Centre
- Dior Data Breach: French luxury brand Dior has disclosed a data breach that compromised the personal information of nearly 1 million customers in Hong Kong. This incident underscores the vulnerability of high-profile brands to cyber threats. Source: The Standard
- Google-Salesforce Data Breach: A security breach involving Google has exposed data of Google Ads customers, raising concerns about data security practices in tech giants. This incident serves as a reminder of the potential risks associated with digital advertising platforms. Source: Tech.co
- North Korean Kimsuky Hackers Data Breach: The North Korean state-sponsored hacking group Kimsuky has reportedly suffered a data breach, revealing the vulnerabilities even among sophisticated cyber actors. This breach highlights the complex landscape of cyber espionage. Source: Bleeping Computer
Security Research
- Trend Micro's Zero Day Initiative marks two decades of impact: Trend Micro's Zero Day Initiative (ZDI) celebrates 20 years of incentivizing global security researchers to uncover vulnerabilities. This program has significantly contributed to cybersecurity by encouraging researchers to report bugs, thereby enhancing digital safety. Source.
- Researcher Exposes Flaws in Carmaker Portal for Remote Vehicle Access: A security researcher has highlighted critical vulnerabilities in a carmaker's digital infrastructure, allowing unauthorized remote access to vehicles. This discovery underscores the need for robust cybersecurity measures in the automotive industry. Source.
- Researchers jailbreak GPT-5 with multi-turn Echo Chamber storytelling: Security researchers have demonstrated that OpenAI's GPT-5 model can be manipulated using a multi-turn technique, raising concerns about AI security and the potential for misuse. This finding emphasizes the importance of continuous AI model evaluation and security enhancements. Source.
- Serious path traversal bug found in Microsoft's NLWeb "Agentic Web" tool: A security researcher discovered a path traversal vulnerability in Microsoft's NLWeb tool, which could allow unauthorized access to sensitive data. This highlights the ongoing need for vigilance in software development and security testing. Source.
- Legitimate System Functions Weaponized to Steal Secrets in Shared Linux Environments: Security researcher Ionut Cernica has identified vulnerabilities in shared Linux hosting environments that could be exploited to access sensitive information. This discovery calls for improved security measures in shared computing environments. Source.
Top CVEs
- CVE-2024-32640: MASA CMS, an enterprise content management platform, has a critical SQL injection vulnerability in its processAsyncObject method. This flaw allows remote code execution in versions prior to 7.4.6, 7.3.13, and 7.2.8; those releases contain the fix. Source: Vulners.
- CVE-2025-4390: The WP Private Content Plus plugin for WordPress is vulnerable to sensitive information exposure through the 'validate_restrictions' function. This flaw allows unauthenticated attackers to access restricted post content in all versions up to 3.6.2. Source: Vulners.
- CVE-2025-45146: ModelCache for LLM through version 0.2.0 contains a deserialization vulnerability in the /manager/data_manager.py component. This allows attackers to execute arbitrary code by supplying crafted data. Source: Vulners.
- CVE-2025-55161: Stirling-PDF, a locally hosted web application for PDF operations, has a vulnerability in its /api/v1/convert/markdown/pdf endpoint. The security sanitizer can be bypassed, leading to Server-Side Request Forgery (SSRF) in versions before 1.1.0. This issue has been patched in the latest version. Source: Vulners.
API Security
- Komari vulnerable to 2FA Authentication Bypass: A logic error in the 2FA verification condition allows attackers to bypass two-factor authentication by using any six-digit code. This vulnerability poses a significant risk as it undermines the security provided by 2FA, potentially allowing unauthorized access to user accounts. Source: vulners.com
- Komari vulnerable to Cross-site WebSocket Hijacking: The WebSocket upgrader in Komari has disabled origin checking, enabling Cross-Site WebSocket Hijacking (CSWSH) attacks against authenticated users. This vulnerability allows third-party websites to execute remote code on a user's node without their knowledge. Source: vulners.com
- PyLoad vulnerable to SQL Injection via API /json/add_package: The add_links parameter in the API /json/add_package is vulnerable to SQL Injection, which can lead to sensitive data leakage. This vulnerability allows attackers to manipulate or delete data in the database, causing data errors or loss. Source: vulners.com
- CVE-2025-55161: Stirling-PDF's /api/v1/convert/markdown/pdf endpoint is vulnerable to SSRF due to a bypassable security sanitizer. This vulnerability allows attackers to exploit the backend's third-party tool processing, potentially leading to unauthorized network access. Source: vulners.com
- Mattermost Confluence Plugin has Missing Authorization vulnerability: Versions <1.5.0 of the Mattermost Confluence Plugin fail to check user access to channels, allowing attackers to access channel subscription details without proper authorization via API calls. This vulnerability compromises the confidentiality of channel information. Source: vulners.com
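The two Komari items above describe a 2FA check whose condition lets any six-digit code through, and a WebSocket upgrader with origin checking turned off. The Go below is an added illustration written for this newsletter, not Komari's code (the project's real implementation is not reproduced here): it places a shape-only 2FA check beside one that also compares the submitted code, and shows the Origin check a WebSocket upgrader should perform against an allowlist so a third-party page cannot ride an authenticated user's session. The function names, the allowlist and the sample values are assumptions.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/url"
	"regexp"
)

// Hypothetical reconstruction of the two checks the Komari advisories describe.
// This is example code for the newsletter, not Komari's own source.

var sixDigits = regexp.MustCompile(`^[0-9]{6}$`)

// verify2FAVulnerable models the failure mode from the 2FA advisory: the
// condition only tests that the submitted code has the right shape, so any
// six-digit string is accepted and the expected code is never consulted.
func verify2FAVulnerable(expected, submitted string) bool {
	_ = expected // never used: this is the logic error
	return sixDigits.MatchString(submitted)
}

// verify2FA accepts a code only if it is well-formed AND equals the expected
// code. The comparison is constant-time so the check does not leak how many
// leading digits matched.
func verify2FA(expected, submitted string) bool {
	if !sixDigits.MatchString(submitted) {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1
}

// originAllowed decides whether a browser origin may open a WebSocket.
// A missing Origin header means a non-browser client, which CSWSH does not
// affect, so it is allowed; anything else must be an exact scheme://host
// match in the allowlist (so "https://app.example.evil.example" is rejected).
func originAllowed(origin string, allowed map[string]bool) bool {
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false
	}
	return allowed[u.Scheme+"://"+u.Host]
}

// checkOrigin is the shape of the hook a WebSocket upgrader calls before
// switching protocols. The vulnerable pattern is a hook that always returns
// true; this one defers to the allowlist.
func checkOrigin(r *http.Request, allowed map[string]bool) bool {
	return originAllowed(r.Header.Get("Origin"), allowed)
}

func main() {
	// Constructed sample values.
	expected := "123456"
	fmt.Println("vulnerable check, wrong code:", verify2FAVulnerable(expected, "000000")) // true
	fmt.Println("fixed check, wrong code:     ", verify2FA(expected, "000000"))           // false
	fmt.Println("fixed check, right code:     ", verify2FA(expected, "123456"))           // true

	allowed := map[string]bool{"https://app.example": true} // assumed deployment origin
	req, _ := http.NewRequest("GET", "/ws", nil)
	req.Header.Set("Origin", "https://evil.example")
	fmt.Println("upgrade from third-party page:", checkOrigin(req, allowed)) // false
	req.Header.Set("Origin", "https://app.example")
	fmt.Println("upgrade from own origin:      ", checkOrigin(req, allowed)) // true
}
```

The 2FA contrast is the whole advisory in two functions: a format check is not an authentication check. For the origin hook, comparing the full scheme and host against an explicit allowlist, rather than a substring or prefix match, is what keeps a look-alike origin from passing; logging rejected origins gives the defender a cheap CSWSH signal.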
Sponsored by Wallarm API Security Solution
Final Words
As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is as dynamic as ever, with new challenges and breakthroughs emerging daily. From the WestJet and Bouygues Telecom breaches to the vulnerabilities exposed in high-profile brands like Dior and tech giants like Google, the importance of robust cybersecurity measures cannot be overstated. These incidents serve as stark reminders of the ever-present threats in our interconnected world.
Meanwhile, the celebration of Trend Micro's Zero Day Initiative's 20th anniversary highlights the positive strides being made in the cybersecurity community. The initiative's success in encouraging vulnerability reporting is a testament to the power of collaboration in enhancing digital safety. Similarly, the discoveries of vulnerabilities in automotive and AI systems underscore the need for continuous vigilance and innovation in security practices.
As we navigate this complex landscape, sharing knowledge and insights becomes crucial. If you found today's newsletter informative, consider sharing it with your friends and colleagues. Together, we can foster a more secure digital environment and stay ahead of potential threats.
Thank you for joining us today. Stay vigilant, stay informed, and we'll see you in the next edition of Secret CISO!