Secret CISO 9/11: HackerOne & Plex Breaches Expose Third-Party Risks; Apple-Notarized ChillyHell Malware; Deepfake & Quantum Threats Unveiled

Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity challenges and breakthroughs. In a world where interconnected systems are both a boon and a bane, today's stories weave a narrative of vulnerabilities, resilience, and innovation.
We begin with a series of data breaches that highlight the precarious nature of third-party integrations. HackerOne and Trigg County Hospital find themselves entangled in breaches due to external partners, while Plex and WebTPA grapple with the aftermath of compromised user data. Meanwhile, the Texas Attorney General's lawsuit against PowerSchool underscores the critical need for robust data protection in educational institutions.
In the realm of cutting-edge threats, we delve into the discovery of ChillyHell, a modular macOS malware that passed Apple's notarization process back in 2021, raising questions about how much assurance a notarized binary really carries. At the same time, researchers are pushing the boundaries of security with projects like PVAMU's deepfake detection work and the Qubit Rowhammer attack, which exposes cross-tenant error injection on shared quantum hardware.
Our exploration of vulnerabilities continues with revelations of satellite hacking weaknesses and the unlocking of hidden capabilities in Wi-Fi chips, both of which underscore the need for heightened cybersecurity measures in technology that underpins our daily lives.
Finally, we turn our attention to a series of critical vulnerabilities, from improper authorization controls in librechat to open redirects in Freshwork, each serving as a stark reminder of the ever-present need for vigilance and timely updates in software security.
Join us as we navigate these stories, each a thread in the complex tapestry of cybersecurity, and uncover the lessons they hold for safeguarding our digital future.
Data Breaches
- HackerOne Data Breach: HackerOne has confirmed that data in its Salesforce environment was exposed through a breach at a third party connected to that environment. The incident is a reminder that a SaaS tenant is only as well protected as the integrations that hold tokens for it, and that those integrations need the same inventory, scoping, and revocation discipline as first-party credentials. Source: GBHackers
- Plex Data Breach: Plex has disclosed its second major data breach since 2022, this time affecting user email addresses, usernames, and hashed passwords. The company is requiring users to change their passwords; because the hashes are now in attackers' hands, anyone who reused that password elsewhere should rotate it there too. Source: Android Police
- Trigg Hospital Data Breach: Trigg County Hospital has notified patients of a data breach stemming from a cyberattack on Blue, Inc., a partner company. The case illustrates how a healthcare provider's breach exposure extends to every third-party service provider that processes its patient data. Source: WKDZ
- WebTPA Data Breach Settlement: WebTPA has reached a $13.75 million settlement following a data breach, allowing affected individuals to claim up to $5,000. This settlement reflects the growing financial implications of data breaches for companies. Source: Claim Depot
- Texas Attorney General Sues PowerSchool: The Texas Attorney General has filed a lawsuit against PowerSchool over a data breach that exposed the information of over 880,000 students and teachers. This case emphasizes the critical need for robust data protection in educational institutions. Source: Law.com
Security Research
- ChillyHell modular macOS malware notarized by Apple in 2021: Researchers at Jamf discovered a modular macOS malware named ChillyHell whose binary had been notarized by Apple in 2021. Although samples had been documented previously, the notarized build was never flagged as malicious, which raises questions about the depth of Apple's malware scanning during notarization and about how easily similar threats could carry a valid notarization ticket. For defenders the practical caveat is that "notarized" means Apple's automated scan did not object at submission time, not that the binary is safe. Source: The Register.
- PVAMU's Wang Leads Innovative Research on Deepfake Security Challenges: Yonghui Wang from PVAMU is spearheading a collaborative project with Princeton University to tackle deepfake security challenges. This research aims to develop advanced methods to detect and mitigate the risks posed by deepfakes, which are increasingly used in misinformation campaigns. Source: PVAMU.
- Qubit Rowhammer Attack Achieves 50% Flip Rates, Exposing Cloud Security Vulnerabilities: Researchers have demonstrated a Rowhammer-style attack on superconducting quantum computers, inducing errors in a victim's qubits by driving neighboring qubits on the same processor, with flip rates reaching 50%. The result matters for cloud-hosted quantum services, where multiple tenants' circuits may share one chip, and it needs to be addressed as the technology moves toward production use. Source: Quantum Zeitgeist.
- White Hat Hackers Reveal Satellite Hacking Weaknesses: Security researchers from VisionSpace have exposed easily exploitable vulnerabilities in satellite systems, underscoring the need for stronger security engineering in space technology. The findings show how low the bar can be for attacks on infrastructure that many terrestrial services depend on. Source: IEEE Spectrum.
- Unlocking Hidden Capabilities in Wi-Fi Chips: Security researchers Daniel Wegemer and Edoardo Mantovani have reverse-engineered Wi-Fi chips and exposed capabilities that are not available through the vendor firmware, opening new avenues for security research. Understanding what the hardware can actually do is the first step toward finding and mitigating vulnerabilities in wireless communication technologies. Source: GovInfoSecurity.
API Security
- CVE-2025-6088: In version 0.7.8 of danny-avila/librechat, improper authorization controls in the conversation sharing feature allow a logged-in user to read another user's conversations if the conversation ID is known. The /api/share/conversationID endpoint performs no authorization check, so the UUIDv4 conversation ID is the only thing standing between a requester and someone else's data. Those IDs are generated server-side and are impractical to brute-force, but they leak through less-protected channels such as server-side access logs, browser history, or screenshots; an unguessable identifier is not an access control. This issue is resolved in version... Source: Vulners.
- CVE-2025-10229: An open redirect has been found in Freshwork up to version 1.2.3. An unknown function of the file /api/v2/logout accepts the argument post_logout_redirect_uri without validating it, so a remote attacker can craft a logout link that sends the user to an arbitrary site. A public exploit has been disclosed and may be used. The advisory names 1.2.3 as the fix version even though it also lists 1.2.3 as affected, so confirm the patched release against the vendor's changelog before upgrading. The vendor was contacted early about this disclosure but did not respond in any... Source: Vulners.
- WebSocket endpoint `/api/v2/ws/logs` reachable without authentication even when --auth is enabled: Hoverfly's admin WebSocket endpoint /api/v2/ws/logs is not protected by the authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker who can reach the admin port can stream real-time application logs and learn internal file paths, request/response bodies, and other potentially sensitive data emitted in logs. The bug is a familiar one: an upgrade-based route registered outside the middleware chain that every other admin route passes through. Source: Vulners.
- Indico may disclose unauthorized user details access via legacy API: A legacy API for retrieving user details could be misused to fetch other users' profile details without admin permissions because of a broken access check. Users should update to Indico 3.3.8 as soon as possible. As an interim measure, access to the affected API can be restricted in the webserver configuration; the endpoint is most likely unused, so blocking it should not break anything. Source: Vulners.
- CVE-2025-59049: Mockoon provides a way to design and run mock APIs. Prior to version 9.2.0, a mock API configured for static file serving in the way the documentation describes, where the served filename is built with templating features from user input, is vulnerable to path traversal and local file inclusion, allowing an attacker to read any file the mock server process can access. The issue is particularly relevant for cloud-hosted instances, where that filesystem may hold credentials or metadata. Version 9.2.0 fixes the... Source: Vulners.
Sponsored by Wallarm API Security Solution
Final Words
As we wrap up today's edition of Secret CISO, it's clear that the cybersecurity landscape is as dynamic as ever. From the interconnected vulnerabilities exposed by the HackerOne and Plex breaches to the innovative research tackling deepfake security challenges, the stories we've covered today highlight the critical importance of staying informed and vigilant.
The incidents involving Trigg Hospital and WebTPA remind us of the significant impact data breaches have on both individuals and organizations, while the Texas Attorney General's lawsuit against PowerSchool underscores the necessity of robust data protection, especially in educational institutions. Meanwhile, the Apple-notarized ChillyHell malware and the Qubit Rowhammer attack show how threats keep evolving across both established and emerging technologies.
In the realm of vulnerabilities, the issues with danny-avila/librechat, Freshwork, and others highlight the ongoing need for diligent patch management and security best practices. These stories serve as a reminder that cybersecurity is a shared responsibility, requiring constant attention and proactive measures.
If you found today's insights valuable, please consider sharing this newsletter with your friends and colleagues. Together, we can build a more informed and resilient community, ready to tackle the challenges of tomorrow. Stay safe, stay secure, and see you in the next edition of Secret CISO!