Secret CISO 8/3: WhatsApp's $1M Bounty, Thailand's Data Breach Fines, Nvidia's Chip Backdoor Allegations, FBI's Password Warning

Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity developments shaping our digital landscape. In this issue, we dive into a series of compelling stories that underscore the ever-evolving nature of cyber threats and the critical importance of robust security measures.

Our journey begins with the Pwn2Own Ireland 2025 competition, where a staggering $1 million reward is up for grabs for anyone who can uncover a zero-click exploit in WhatsApp. This initiative highlights the immense value placed on securing widely-used communication platforms and the proactive steps being taken to incentivize vulnerability discovery.

Meanwhile, in Thailand, the PDPC has imposed hefty fines totaling 15 million baht across five data breach cases, serving as a stark reminder of the financial repercussions organizations face for failing to protect personal data. Across the globe, Americans affected by a Bitcoin ATM data breach are set to receive up to $3,000 each, illustrating the significant impact of data breaches on consumers and the legal recourse available.

In the realm of hardware, geopolitical tensions rise as China presses Nvidia over alleged backdoors in its H20 chips, emphasizing the need for transparency and trust in the global technology supply chain. Simultaneously, the FBI issues a critical warning against resetting passwords in response to phishing attacks, reflecting the evolving tactics of cybercriminals.

As we delve deeper, we uncover the potential for AI agents to autonomously hack smart contracts, raising concerns about automated cyberattacks on blockchain systems. The discovery of the undetectable "Plague" malware targeting Linux servers further highlights the need for enhanced security measures in Linux environments.

Finally, we explore a series of vulnerabilities, from Android's "tapjacking" flaw to critical issues in the Linux kernel and NVIDIA software, each underscoring the ongoing battle to secure our digital infrastructure against ever-present threats.

Join us as we navigate these stories and more, offering insights and strategies to fortify your defenses in an increasingly complex cybersecurity landscape.

Data Breaches

  1. Pwn2Own Ireland 2025 Offers $1 Million Reward For WhatsApp Zero-Click Exploit: Trend Micro's Zero Day Initiative (ZDI) has announced a groundbreaking $1,000,000 reward for a zero-click remote code execution exploit targeting WhatsApp. This initiative underscores the increasing value and impact of discovering vulnerabilities in widely-used communication platforms. The substantial reward highlights the critical need for robust security measures in popular apps. Source: LinkedIn.
  2. PDPC levies fines of B15m in 5 data breach cases - Bangkok Post: The Office of the Personal Data Protection Committee (PDPC) in Thailand has imposed fines totaling over 15 million baht across five significant data breach cases. These breaches highlight the ongoing challenges organizations face in safeguarding personal data and the financial repercussions of failing to comply with data protection regulations. The fines serve as a stark reminder of the importance of robust data security practices. Source: Bangkok Post.
  3. Americans to get up to $3k from ATM data breach settlement - The US Sun: A class action lawsuit related to a 2024 security breach of Bitcoin ATM operator Byte Federal has resulted in a settlement offering affected Americans up to $3,000 each. This settlement reflects the significant impact of data breaches on consumers and the legal recourse available to them. It also underscores the importance of securing financial data in the rapidly evolving cryptocurrency sector. Source: The US Sun.
  4. China Presses Nvidia Over Alleged Backdoors in H20 Chips Amid Tech Tensions: The Cyberspace Administration of China has raised concerns over alleged backdoors in Nvidia's H20 chips, amid escalating tech tensions. This situation highlights the geopolitical dimensions of cybersecurity and the potential risks associated with hardware vulnerabilities. It underscores the need for transparency and trust in the global technology supply chain. Source: Security Affairs.
  5. Do Not Reset Your Password — FBI Issues Critical New Warning - Forbes: The FBI and the Cybersecurity and Infrastructure Security Agency have issued a critical warning advising against resetting passwords in response to phishing attacks. This guidance reflects the evolving tactics of cybercriminals and the need for users to remain vigilant and informed about best practices in cybersecurity. It emphasizes the importance of understanding the context of security alerts before taking action. Source: Forbes.

Security Research

  1. AI Agents Can Hack Smart Contracts on Autopilot: Researchers have developed AI agents capable of autonomously identifying and exploiting vulnerabilities in smart contracts. This advancement raises concerns about the potential for automated cyberattacks on blockchain systems, prompting discussions within the Ethereum security community to address these risks. Source: BankInfoSecurity.
  2. New Undetectable Plague Malware Targeting Linux Servers for Persistent SSH Access: Security researchers have uncovered a sophisticated Linux backdoor named "Plague" that has managed to evade detection. This malware targets Linux servers, providing attackers with persistent SSH access, highlighting the need for enhanced security measures in Linux environments. Source: GBHackers.
  3. CL-STA-0969 Installs Covert Malware in Telecom Networks During 10-Month Espionage Campaign: A newly discovered espionage campaign, CL-STA-0969, has been installing covert malware in telecom networks, posing significant security threats. The campaign shares overlaps with known threat clusters, emphasizing the importance of vigilance and advanced threat detection in telecom infrastructure. Source: The Hacker News.
  4. Android Vulnerability Allows Hackers to Steal Permissions via "Tapjacking": Researchers from the University of Technology in Vienna and the University of Bayreuth have demonstrated a vulnerability in Android devices that allows hackers to steal permissions through a technique called "tapjacking." This discovery underscores the need for improved security measures in mobile operating systems to protect user data. Source: iHLS.
  5. Pwn2Own Ireland 2025 Offers $1 Million Reward For WhatsApp Zero-Click Exploit: The Pwn2Own competition in Ireland is offering a $1 million reward for discovering a zero-click exploit in WhatsApp. This initiative by Meta highlights the increasing importance of proactive security measures and incentivizing researchers to uncover vulnerabilities before malicious actors can exploit them. Source: LinkedIn.

Top CVEs

  1. CVE-2023-32253: A flaw in the Linux kernel's ksmbd component can trigger a deadlock by sending multiple concurrent session setup requests, potentially leading to a denial of service. This vulnerability highlights the importance of robust session management in kernel components. Source: Vulners.
  2. CVE-2023-32255: Another vulnerability in the Linux kernel's ksmbd component involves a memory leak when a client sends a session setup request with an unknown NTLMSSP message type. This could lead to resource exhaustion and potential denial of service. Source: Vulners.
  3. CVE-2025-23276: NVIDIA Installer for Windows contains a vulnerability that allows attackers to escalate privileges. Exploiting this flaw could result in denial of service, code execution, information disclosure, and data tampering, emphasizing the need for secure software installation processes. Source: Vulners.
  4. CVE-2025-23283: NVIDIA vGPU software for Linux-style hypervisors has a vulnerability in the Virtual GPU Manager, where a malicious guest could cause a stack buffer overflow. This could lead to code execution, denial of service, and other severe impacts, highlighting the risks in virtualized environments. Source: Vulners.
  5. CVE-2025-23277: A vulnerability in the NVIDIA Display Driver for Linux and Windows allows attackers to access memory outside permitted bounds, potentially leading to denial of service, data tampering, or information disclosure. This underscores the critical nature of memory management in driver software. Source: Vulners.

API Security

  1. CVE-2025-54955: OpenNebula Community Edition (CE) before 7.0.0 and Enterprise Edition (EE) before 6.10.3 have a critical FireEdge race condition vulnerability. This flaw allows an unauthenticated attacker to obtain a valid JSON Web Token (JWT) belonging to a legitimate user, potentially leading to full account takeover. The impact of this vulnerability is significant due to the potential for unauthorized access and control over user accounts. Source: Vulners.
  2. CVE-2025-7847: This vulnerability affects the WordPress plugin AI Engine, versions 2.9.3 to 2.9.4, allowing authenticated subscribers to perform arbitrary file uploads. The exploit requires the "Public API" option to be enabled, which is disabled by default, and lacks proper authentication measures. This vulnerability poses a risk of unauthorized file uploads and potential server compromise. Source: Vulners.
  3. CVE-2025-6626: The ShortPixel Adaptive Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the API URL Setting in versions up to 3.10.3. This vulnerability allows authenticated attackers with administrator-level access to inject arbitrary web scripts, which execute whenever a user accesses an injected page. The issue is particularly concerning for multi-site installations and those with unfiltered_html permissions. Source: Vulners.

Sponsored by Wallarm API Security Solution

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the cybersecurity landscape is as dynamic and challenging as ever. From the million-dollar bounty for a WhatsApp exploit at Pwn2Own Ireland 2025 to the critical vulnerabilities affecting Linux servers and WordPress plugins, the need for vigilance and proactive measures is paramount.

These stories remind us of the importance of staying informed and prepared in the face of evolving threats. Whether it's understanding the implications of a data breach settlement or recognizing the geopolitical tensions surrounding tech security, knowledge is our first line of defense.

If you found today's insights valuable, please consider sharing this newsletter with your friends and colleagues. Together, we can build a more secure digital world by spreading awareness and fostering a community of informed cybersecurity advocates.

Thank you for being a part of the Secret CISO community. Stay safe, stay informed, and see you in the next edition!
