Secret CISO 8/21: SIM-Swapper Sentenced, Credit Union Breach, Inotiv Ransomware, UK Patient Data Leak, Lenovo AI Flaw - A Web of Cybersecurity Challenges Unraveled

Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity challenges and breakthroughs. In this issue, we delve into a series of high-stakes incidents and innovations that are reshaping the security landscape.

We begin with the sentencing of Noah Michael Urban, a SIM-swapper whose decade-long prison term serves as a stark warning against cybercrime. Meanwhile, OE Federal Credit Union's settlement with customers following a data breach lawsuit highlights the ongoing struggle of financial institutions to safeguard personal data.

In the healthcare sector, Inotiv's ransomware attack and CB1 Medical's data breach underscore the critical need for robust security measures to protect sensitive patient information. Similarly, Lenovo's AI chatbot vulnerability exposes the potential risks of integrating artificial intelligence into customer-facing systems.

On the global stage, Microsoft's decision to limit early vulnerability notifications to Chinese firms reflects the geopolitical complexities of cybersecurity, while their advancements in quantum-safe cryptography promise a future-proof shield against emerging threats.

In the realm of AI, Unit 42's research on logit-gap steering reveals vulnerabilities in large language models, emphasizing the necessity for stringent security protocols. Meanwhile, a hacker's breach of McDonald's portal using a simple URL trick serves as a reminder of the importance of securing digital assets.

As we look to the stars, VisionSpace Technologies warns of vulnerabilities in space systems and urges that cybersecurity be built into the final frontier. Finally, we explore a series of critical vulnerabilities, from libssh's integer overflow to Directus API's file update flaw, each highlighting the relentless pursuit of security in an ever-evolving digital world.

Join us as we navigate these stories and more, equipping you with the insights needed to stay ahead in the cybersecurity arena.

Data Breaches

  1. SIM-Swapper, Scattered Spider Hacker Gets 10 Years: Noah Michael Urban of Palm Coast, Florida, was sentenced to 10 years in prison after pleading guilty to wire fraud and conspiracy charges. The case highlights the severe legal consequences for individuals involved in SIM-swapping schemes, which have become a significant threat to personal data security. Source: Krebs on Security
  2. Credit Union, Customers Notch Deal In Data Breach Suit: OE Federal Credit Union reached a settlement with customers following a data breach lawsuit. This case underscores the ongoing challenges financial institutions face in protecting customer data and the legal repercussions of failing to do so. Source: Law360
  3. Pharmaceutical Company Inotiv Confirms Ransomware Attack: Inotiv, a pharmaceutical company, confirmed a ransomware attack that disrupted its operations. This incident highlights the vulnerability of the healthcare sector to cyberattacks and the potential impact on critical services. Source: SecurityWeek
  4. UK Patient Data Exposed Amid Clinic Data Breach: CB1 Medical is investigating a significant data breach that leaked patient details, including prescriptions, online. This breach raises serious concerns about patient privacy and the security measures in place at medical facilities. Source: Business of Cannabis
  5. Lenovo Chatbot Breach Highlights AI Security Blind Spots: A vulnerability in Lenovo's AI chatbot exposed security risks in customer-facing systems. This incident serves as a warning about the potential dangers of poorly implemented AI technologies in consumer interactions. Source: CSO Online

Security Research

  1. Microsoft Curbs Early Access for Chinese Firms to Notifications About Cybersecurity Flaws: Microsoft has restricted Chinese companies' access to early notifications of cybersecurity vulnerabilities in its technology. This move is part of a broader effort to safeguard sensitive information and maintain security integrity amid rising geopolitical tensions. The decision underscores the importance of controlling the dissemination of vulnerability information to prevent potential misuse. Source: Seattle Times
  2. Quantum-safe Security: Progress Towards Next-generation Cryptography: Microsoft has been advancing its research in quantum-safe cryptography since 2018, focusing on post-quantum cryptographic (PQC) algorithms. These efforts are crucial as quantum computing poses a potential threat to current encryption methods. The research aims to develop cryptographic solutions that can withstand the computational power of future quantum computers, ensuring data security in the long term. Source: Microsoft Security Blog
  3. Logit-Gap Steering: A New Frontier in Understanding and Probing LLM Safety: Unit 42's research on logit-gap steering highlights vulnerabilities in AI systems, particularly in large language models (LLMs). The study reveals how internal alignment measures can be bypassed, emphasizing the need for robust external security protocols. This research is pivotal in understanding AI safety and ensuring that AI systems operate securely and as intended. Source: Unit 42
  4. McFlaw: Hacker Breaches McDonald's Portal With URL Trick: A security researcher exploited a vulnerability in McDonald's global marketing portal by altering a single word in the URL. This breach exposed various sensitive data, highlighting the importance of securing web applications against such simple yet effective attacks. The incident serves as a reminder for organizations to regularly audit and secure their digital assets. Source: GovInfoSecurity
  5. How Outer Space Became the Next Big Attack Surface: At the Black Hat conference, VisionSpace Technologies experts discussed vulnerabilities in space systems that could jeopardize entire missions. As space exploration and satellite technology advance, securing these systems against cyber threats becomes increasingly critical. This research underscores the need for robust cybersecurity measures in the burgeoning field of space technology. Source: Dark Reading

Top CVEs

  1. CVE-2025-4877: A vulnerability in the libssh package allows for an integer overflow in the bin_to_base64() function, leading to potential heap corruption. This issue specifically affects 32-bit builds, where an unexpectedly large input buffer can cause out-of-bounds writes. Source: Vulners.
  2. CVE-2025-27217: A Server-Side Request Forgery (SSRF) vulnerability in the UISP Application permits malicious actors with certain permissions to make unauthorized requests outside the application. This could potentially lead to unauthorized access to internal resources. Source: Vulners.
  3. CVE-2025-54988: Apache Tika's tika-parser-pdf-module is vulnerable to XML External Entity (XXE) injection, allowing attackers to read sensitive data or trigger malicious requests via crafted XFA files in PDFs. Users should upgrade to version 3.2.2 to mitigate this risk. Source: Vulners.
  4. CVE-2024-39954: A Server-Side Request Forgery (SSRF) vulnerability in the eventmesh-runtime module of WebhookUtil.java allows attackers to manipulate server functionality to access or modify internal resources. Upgrading to version 1.12.0 is recommended to address this issue. Source: Vulners.
  5. CVE-2025-48149: The Cook&Meal application has a PHP Remote File Inclusion vulnerability, allowing for Local File Inclusion due to improper control of filenames in include/require statements. This flaw could be exploited to execute arbitrary code. Source: Vulners.
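The libssh entry above describes a size computation that wraps on 32-bit builds. The following is an added illustration of that bug class, not libssh's code: a base64 output-length calculation done in 32-bit arithmetic, once unchecked and once with the overflow guard a hardened version needs. The function names, the `(len + 2) / 3 * 4 + 1` formula and the encoder are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical illustration (not libssh's bin_to_base64) of the bug class
 * behind CVE-2025-4877: sizing a heap buffer from an attacker-controlled
 * input length using 32-bit arithmetic, as a 32-bit build would. */

/* Unchecked: (len + 2) / 3 * 4 + 1 wraps for len near UINT32_MAX, so the
 * allocation ends up far smaller than the bytes the encoder later writes. */
uint32_t b64_outlen32_unchecked(uint32_t len) {
    return (len + 2) / 3 * 4 + 1;
}

/* Checked: returns 0 when the result would not fit in 32 bits.
 * Bound chosen so that neither len + 2 nor the final *4 + 1 can wrap. */
uint32_t b64_outlen32_checked(uint32_t len) {
    if (len > (UINT32_MAX - 1) / 4 * 3) {
        return 0;
    }
    return (len + 2) / 3 * 4 + 1;
}

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Encodes len bytes of in; returns a malloc'd NUL-terminated string, or
 * NULL if the size check fails (decided before in is ever dereferenced). */
char *b64_encode_safe(const unsigned char *in, uint32_t len) {
    uint32_t need = b64_outlen32_checked(len);
    if (need == 0) return NULL;                 /* reject before allocating */
    char *out = malloc(need);
    if (out == NULL) return NULL;
    size_t o = 0;
    for (uint32_t i = 0; i < len; i += 3) {     /* i + 2 cannot wrap here */
        uint32_t n = (uint32_t)in[i] << 16;
        if (i + 1 < len) n |= (uint32_t)in[i + 1] << 8;
        if (i + 2 < len) n |= in[i + 2];
        out[o++] = B64[(n >> 18) & 63];
        out[o++] = B64[(n >> 12) & 63];
        out[o++] = (i + 1 < len) ? B64[(n >> 6) & 63] : '=';
        out[o++] = (i + 2 < len) ? B64[n & 63] : '=';
    }
    out[o] = '\0';
    return out;
}
```

Feeding UINT32_MAX to the unchecked version yields a 1-byte allocation, which is exactly the mismatch between allocation and later writes that turns a length bug into heap corruption.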

API Security

  1. CVE-2025-27213: An Improper Access Control vulnerability in certain UniFi Connect devices allows a malicious actor to enable Android Debug Bridge (ADB) and make unsupported changes to the system. Affected products include various versions of UniFi Connect EV Station Pro and Display devices. Users are advised to update to the latest versions to mitigate this issue. Source: Vulners.
  2. CVE-2025-9262: A flaw in wong2 mcp-cli 1.13.0's OAuth Handler allows for OS command injection via the redirectToAuthorization function. This vulnerability is considered to have high complexity and difficult exploitability, with the vendor unresponsive to early disclosure attempts. Source: Vulners.
  3. CVE-2025-54988: A critical XML External Entity (XXE) injection vulnerability in Apache Tika's tika-parser-pdf-module allows attackers to read sensitive data or trigger malicious requests. Users are advised to upgrade to version 3.2.2 to address this issue. Source: Vulners.
  4. CVE-2025-55746: Directus API's file update mechanism vulnerability allows unauthenticated actors to modify or upload files with arbitrary content, bypassing the UI. This issue affects versions from 10.8.0 to before 11.9.3 and is fixed in later versions. Source: Vulners.
  5. CVE-2025-8415: A vulnerability in Cryostat's HTTP API allows external visibility and access to the API port if Network Policies are disabled, posing a risk of unauthorized access. Source: Vulners.

Sponsored by Wallarm API Security Solution

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the cybersecurity landscape is as dynamic and challenging as ever. From the legal ramifications of SIM-swapping to the vulnerabilities exposed in AI systems and space technology, each story serves as a crucial reminder of the importance of vigilance and innovation in our field.

Whether it's a breach at a credit union, a ransomware attack on a pharmaceutical company, or the exposure of patient data, these incidents underscore the ongoing battle to protect sensitive information. Meanwhile, advancements in quantum-safe cryptography and the exploration of new vulnerabilities in AI and space systems highlight the forward-thinking efforts required to stay ahead of emerging threats.

We hope you found today's insights valuable and thought-provoking. If you did, please consider sharing this newsletter with your friends and colleagues. Together, we can foster a community of informed and proactive cybersecurity professionals, ready to tackle the challenges of tomorrow.

Stay secure, and see you in the next edition of Secret CISO!