Secret CISO 8/5: Chanel & Barrett-Jackson Breaches, BeyondTrust's Phantom Labs, Chinese Hackers Target Telecoms, RUCKUS Vulnerabilities Expose Networks

Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity challenges and innovations shaping our digital landscape. In this issue, we delve into a series of data breaches across sectors from luxury fashion to healthcare; the Chanel incident in particular underscores the persistent risk that sits with third-party data management systems.
Chanel finds itself ensnared in the Salesforce data breach wave, a stark reminder of the risks associated with third-party service providers. Meanwhile, Barrett-Jackson and Next Level Finance Partners grapple with breaches that compromise sensitive personal information, highlighting the critical need for robust data protection measures.
In the realm of healthcare, Highlands Oncology Group faces scrutiny after a breach exposed over 113,000 patient records, emphasizing the urgent necessity for fortified security in medical institutions. As these incidents unfold, the legal complexities of large-scale breaches come to the forefront with the MOVEit data breach litigation advancing in Massachusetts.
On the innovation front, BeyondTrust's launch of Phantom Labs marks a significant stride in identity security research, while Google's AI-based bug hunter showcases the potential of artificial intelligence in identifying security vulnerabilities. These advancements reflect a proactive approach to countering the evolving threat landscape.
Geopolitical tensions surface as Chinese nation-state hackers target Southeast Asian telecoms, underscoring the need for heightened security in critical infrastructure sectors. Meanwhile, the Zero Day Quest event invites global security researchers to collaborate in identifying vulnerabilities, offering up to $5 million in bounty awards.
Lastly, we explore a series of critical vulnerabilities affecting RUCKUS SmartZone and Network Director, LibreChat, EspoCRM, and Tera Insights tiCrypt, each presenting unique challenges and reinforcing the importance of continuous vigilance and timely updates in cybersecurity practices.
Stay informed and prepared as we navigate these complex security landscapes together.
Data Breaches
- Chanel caught up in Salesforce data breach wave: Chanel has become the latest victim in a series of data thefts targeting Salesforce users. The breach was detected on July 25th, when threat actors accessed a Chanel database hosted by a third-party service provider. This incident highlights the ongoing vulnerabilities in third-party data management systems. Source: Cyber Daily
- Barrett-Jackson Holdings, LLC Data Breach Alert Issued By Wolf Haldenstein: Barrett-Jackson has notified individuals that their personal information, including Social Security numbers and driver's license details, has been compromised. This breach underscores the importance of safeguarding sensitive personal data against unauthorized access. Source: KTLA
- MOVEit Data Breach MDL Advances With Slimmed Frame: A federal judge in Massachusetts has allowed the multidistrict litigation over the MOVEit data breach to proceed, albeit with a reduced scope. This case involves the large-scale breach tied to Progress Software's MOVEit Transfer product, emphasizing the legal complexities of large-scale data breaches. Source: Law360
- Highlands Oncology Group Under Investigation for Data Breach of Over 113,000 Patient Records: Highlands Oncology Group is under investigation following a data breach that exposed sensitive information of over 113,000 patients. This incident highlights the critical need for robust data protection measures in healthcare institutions. Source: PR Newswire
- Next Level Finance Partners Data Breach Alert Issued By Wolf Haldenstein: Next Level Finance Partners has announced a data breach affecting personal information, including Social Security Numbers and driver's licenses. This breach serves as a reminder of the vulnerabilities in financial data management. Source: Morningstar
Security Research
- BeyondTrust launches Phantom Labs to boost identity security research: BeyondTrust has introduced Phantom Labs, a dedicated team focused on researching identity security threats. This initiative aims to enhance protection against identity exploitation, reflecting BeyondTrust's commitment to advancing security measures in the face of evolving threats. Source.
- Chinese Nation-State Hackers Breach Southeast Asian Telecoms: Security researchers have uncovered a breach by Chinese nation-state hackers targeting Southeast Asian telecommunications companies. This incident highlights the ongoing geopolitical cyber threats and the need for robust security measures in critical infrastructure sectors. Source.
- Zero Day Quest: Join the largest hacking event with up to $5 million in total bounty awards: The Zero Day Quest event invites top security researchers worldwide to participate in a hacking competition with a total bounty of up to $5 million. This event underscores the importance of collaborative efforts in identifying and mitigating security vulnerabilities. Source.
- SquareX Researchers Reaffirm Their Browser Security Thought Leadership with Multiple Vulnerability Disclosures: SquareX is set to disclose multiple key research findings at Black Hat USA and DEF CON, reinforcing its leadership in browser security. These disclosures are crucial for advancing the understanding and mitigation of browser vulnerabilities. Source.
- Google says its AI-based bug hunter found 20 security vulnerabilities: Google's AI-based vulnerability researcher, Big Sleep, has identified and reported 20 security vulnerabilities. This development showcases the potential of AI in enhancing cybersecurity efforts by automating the detection of complex vulnerabilities. Source.
Top CVEs
- CVE-2025-44957: RUCKUS SmartZone (SZ) before version 6.1.2p3 Refresh Build is vulnerable to authentication bypass via a valid API key and crafted HTTP requests. This flaw could allow unauthorized access to sensitive network configurations. Source.
- CVE-2025-44962: A directory traversal vulnerability in RUCKUS SmartZone (SZ) before version 6.1.2p3 Refresh Build allows attackers to read arbitrary files on the server. This could expose sensitive information and compromise system integrity. Source.
- CVE-2025-44955: RUCKUS Network Director (RND) before version 4.5 contains a weakness where jailed users can obtain root access due to a hardcoded password. This vulnerability poses a significant risk of privilege escalation. Source.
- CVE-2025-44963: In RUCKUS Network Director (RND) before version 4.5, an attacker can spoof an administrator JWT by knowing the hardcoded secret value. This could lead to unauthorized administrative access. Source.
- CVE-2025-44954: RUCKUS SmartZone (SZ) before version 6.1.2p3 Refresh Build has a hardcoded SSH private key for a root-equivalent user, potentially allowing attackers to gain unauthorized access to the system. Source.
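The directory traversal entry above (CVE-2025-44962) is the classic case of a file-serving handler that joins attacker-controlled input onto a base directory without checking where the result lands. The following is an added example, not code from RUCKUS or from the advisory: a `resolve_safe` function that canonicalises a requested path and refuses anything that escapes the base directory, including percent-encoded, double-encoded and backslash-separated `..` sequences and NUL bytes. The base directory `/srv/app/files` and the sample requests are constructed for the demonstration.

```python
import os
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed example web root; a real server would use its own document root.
BASE_DIR = "/srv/app/files"


def resolve_safe(base_dir: str, requested: str) -> Optional[str]:
    """Return an absolute path inside base_dir for `requested`, or None when
    the request would read outside base_dir (directory traversal)."""
    # Decode percent-encoding twice so "..%252f" (double-encoded) is caught too.
    decoded = unquote(unquote(requested))
    # NUL bytes can truncate the path in C-backed file APIs; never accept them.
    if "\x00" in decoded:
        return None
    # Treat backslashes as separators; some servers accept "..\\" as traversal.
    decoded = decoded.replace("\\", "/")
    # Absolute paths are rejected outright rather than silently re-rooted.
    if decoded.startswith("/"):
        return None
    # Collapse "." and ".." lexically, then refuse anything that still climbs up.
    norm = posixpath.normpath(decoded)
    if norm == ".." or norm.startswith("../"):
        return None
    # Resolve symlinks on both sides so a link inside the root cannot escape it.
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, norm))
    if full != base and not full.startswith(base + os.sep):
        return None
    return full


# Constructed sample requests: the first two are legitimate, the rest are
# traversal attempts in the encodings a scanner would typically throw at a server.
SAMPLE_REQUESTS = [
    "docs/readme.txt",
    "docs/./images/../readme.txt",
    "../../etc/passwd",
    "..%2F..%2Fetc%2Fpasswd",
    "%252e%252e%252f%252e%252e%252fetc%252fpasswd",
    "docs/../../etc/passwd",
    "..\\..\\windows\\win.ini",
    "/etc/passwd",
    "docs/readme.txt\x00.png",
]


def classify_requests(base_dir: str = BASE_DIR) -> dict:
    """Map each sample request to 'allowed' or 'blocked' for quick inspection."""
    return {
        req: ("allowed" if resolve_safe(base_dir, req) else "blocked")
        for req in SAMPLE_REQUESTS
    }


if __name__ == "__main__":
    for req, verdict in classify_requests().items():
        print(f"{verdict:8s} {req!r}")
```

The final `realpath` comparison matters even after the lexical check: a symlink created inside the document root (for example by an earlier upload feature) can point outside it, and only resolving both paths catches that case.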
API Security
- LibreChat Exposed Testing Endpoint: In versions 0.0.6 through 0.7.7-rc1 of LibreChat, an exposed testing endpoint allows unauthorized access to read arbitrary chats directly from the Meilisearch engine. This vulnerability is due to the lack of proper access control on the /api/search/test endpoint, which has been addressed in later versions. Source.
- EspoCRM Double Slash Vulnerability: EspoCRM versions 9.1.6 and below are susceptible to a vulnerability where loading the application with double slashes can corrupt the Slim router's cache. This issue renders the instance unusable until a rebuild is completed, and it has been fixed in subsequent updates. Source.
- Tera Insights tiCrypt Information Disclosure: The tiaudit component in Tera Insights tiCrypt, before July 2025, allows unauthenticated REST API requests that can reveal sensitive information about SQL queries and the database. This vulnerability highlights the importance of securing API endpoints against unauthorized access. Source.
- RatPanel Remote Command Execution: RatPanel is vulnerable to remote command execution without authorization when an attacker discovers the backend login path. This flaw allows unauthorized access and execution of system commands, posing a significant security risk. Source.
- RUCKUS Network Director JWT Spoofing (CVE-2025-44963): RUCKUS Network Director, before version 4.5, allows attackers to spoof an administrator JWT if they know the hardcoded secret value. Because the same secret ships in every installation, recovering it once is enough to mint admin tokens against any unpatched instance, giving unauthorized access and control over the network management system. Source.
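Both the CVE-2025-44963 entry in the Top CVEs list and the RUCKUS Network Director item above describe the same weakness: an HS256-signed JWT whose signing secret is hardcoded in the product. The example below is added here and is not code from RUCKUS or from the advisory; it uses only the Python standard library to show why the flaw is total. An attacker who has read the secret mints an `admin` token that the verifier accepts as genuine, and the hardened `verify_hs256` adds the checks a practitioner wants anyway: the `alg` header is pinned (so `alg: none` is rejected), the HMAC is compared in constant time, `exp` is mandatory, and `is_weak_secret` refuses short or known-default secrets at startup. The secret values and the claims are constructed placeholders; the real hardcoded value is not reproduced.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Create an HS256 JWT. This is exactly what an attacker does once the
    shipped secret is known: nothing distinguishes a forged token from a real one."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = "{}.{}".format(
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(claims, separators=(",", ":")).encode()),
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def unsigned_token(claims: dict) -> str:
    """An 'alg: none' token with an empty signature, as sent by alg-confusion probes."""
    header = {"alg": "none", "typ": "JWT"}
    return "{}.{}.".format(
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(claims, separators=(",", ":")).encode()),
    )


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is valid, otherwise None.
    Rejects any alg other than HS256, bad signatures, and missing/expired exp."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
        sig = _b64url_decode(s64)
    except ValueError:  # covers base64, JSON and unpacking errors
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header
        return None
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        return None
    current = time.time() if now is None else now
    if current >= exp:
        return None
    return claims


# Constructed denylist of default/placeholder secrets; a real one would be
# seeded from published defaults for the products in use.
KNOWN_DEFAULT_SECRETS = {b"secret", b"changeme", b"jwt-secret", b"default-secret"}


def is_weak_secret(secret: bytes) -> bool:
    """Startup check: refuse secrets that are short or on the default denylist."""
    return len(secret) < 32 or secret in KNOWN_DEFAULT_SECRETS


# Constructed placeholder standing in for a secret baked into a shipped build.
HARDCODED_SECRET = b"changeme"
# What a patched deployment should do instead: a per-installation random secret.
ROTATED_SECRET = os.urandom(32)
FIXED_NOW = 1_700_000_000  # constructed clock value so results are deterministic


def forge_admin_token(secret: bytes = HARDCODED_SECRET) -> str:
    """Attacker-side: mint an admin token using the recovered shipped secret."""
    return mint_hs256({"sub": "attacker", "role": "admin", "exp": FIXED_NOW + 3600}, secret)


if __name__ == "__main__":
    forged = forge_admin_token()
    print("accepted by vulnerable install:", verify_hs256(forged, HARDCODED_SECRET, FIXED_NOW))
    print("accepted after secret rotation:", verify_hs256(forged, ROTATED_SECRET, FIXED_NOW))
    print("alg=none accepted:", verify_hs256(unsigned_token({"role": "admin", "exp": FIXED_NOW + 1}), ROTATED_SECRET, FIXED_NOW))
    print("shipped secret flagged weak:", is_weak_secret(HARDCODED_SECRET))
```

The fix in the product is the rotated-secret path: a per-installation secret generated at install or first boot, stored outside the firmware image, and rotated (invalidating every outstanding token) once a leak is suspected. The `is_weak_secret` gate is what keeps the next release from quietly reintroducing a shared default.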
Sponsored by Wallarm API Security Solution
Final Words
As we wrap up today's edition of Secret CISO, it's clear that the digital landscape continues to evolve with both challenges and innovations. From the high-profile data breaches affecting major brands like Chanel and Barrett-Jackson to the promising advancements in identity security research by BeyondTrust, the cybersecurity world is as dynamic as ever.
We've seen how vulnerabilities in systems like RUCKUS SmartZone and EspoCRM can pose significant risks, while initiatives like the Zero Day Quest and Google's AI-based bug hunter highlight the power of collaboration and technology in fortifying our defenses.
In this ever-changing environment, staying informed is your best defense. We encourage you to share this newsletter with your friends and colleagues, helping to spread awareness and foster a community of informed and vigilant cybersecurity professionals.
Thank you for being a part of our journey. Until next time, stay secure and keep your digital world safe!