Welcome to today's edition of Secret CISO, where we unravel the latest in cybersecurity breaches and vulnerabilities, painting a vivid picture of the current threat landscape.

Our journey begins in Ohio, where a data breach at the Ohio Medical Alliance has sparked fears over the security of sensitive medical information. This incident is a stark reminder of the vulnerabilities in healthcare data protection.

Meanwhile, Google is urging its 2.5 billion Gmail users to bolster their account security following a breach linked to Salesforce, highlighting the critical need for robust password practices.

In the financial sector, Carter Credit Union faces legal scrutiny after a data breach exposed personal information, raising alarms about the safeguarding of sensitive data.

Across the globe, Scotch College in Australia is grappling with a cyberattack that may have compromised children's medical and passport details, underscoring the far-reaching impact of cyber threats on educational institutions.

In a chilling development, a ransomware attack on a Dutch lab threatens to leak the data of 941,000 cervical cancer screening patients, illustrating the dire consequences of cybercrime in healthcare.

On the technology front, Google Research delves into the security challenges posed by the rapid evolution of AI, while Apache DolphinScheduler users are urged to update immediately to patch a critical vulnerability.

In the realm of education, a revamped cyber security course at Federation University TAFE aims to better equip students for the evolving landscape, while Kaspersky's CTF competition celebrates emerging talent in cybersecurity.

Finally, we explore a series of vulnerabilities, from Sitecore's cache poisoning risk to Cisco's file upload flaw, each a reminder of the ever-present need for vigilance and timely updates in the cybersecurity domain.

Stay informed, stay secure, and join us as we navigate the complexities of today's cyber world.

Data Breaches

1. Ohio Medical Alliance Data Breach: The database of Ohio Medical Alliance LLC, also known as Ohio Marijuana Card, was compromised, prompting an investigation. This breach has raised concerns about the security of sensitive medical information. Source.
2. Google Breach Puts Gmail Users at Risk: Google is advising its 2.5 billion Gmail users to enhance their account security following a breach linked to Salesforce. This incident has heightened the urgency for users to change passwords and adopt stronger security measures. Source.
3. Carter Credit Union Data Breach: Personal information was exposed in a data breach at Carter Credit Union, leading to legal investigations. The breach has sparked concerns over the protection of sensitive personal and health information. Source.
4. Scotch College Cyberattack: A cyberattack on Scotch College has potentially compromised children's medical information and passport details. The school has issued an apology and is working to address the breach's impact on students, staff, and alumni. Source.
5. Dutch Lab Cancer Screening Hack: A ransomware attack on a Dutch laboratory performing cervical cancer tests has affected 941,000 victims. The ransomware gang Nova is threatening to leak patient data on the dark web, escalating the urgency of the situation. Source.

Security Research

1. Security Assurance in the Age of Generative AI - Google Research: Artificial Intelligence (AI) is rapidly evolving, characterized by experimentation and quick iteration, which can present challenges for security assurance. This research explores the implications of AI advancements on security protocols and the necessary measures to ensure robust protection in the face of these technological developments. Source: Google Research.
2. Apache DolphinScheduler Vulnerability Patched — Update Immediately - GBHackers: A critical vulnerability in Apache DolphinScheduler, known for its extensibility and fault tolerance, was reported by a security researcher. Users are urged to update immediately to protect against potential exploits that could compromise system integrity. Source: GBHackers.
3. Flexible and inclusive: TAFE teacher transforms cyber security course | News and articles: A cyber security expert from Federation University TAFE has revamped a cyber security course to be more flexible and inclusive, drawing from his experience as a data scientist. This transformation aims to better equip students with the skills needed in the evolving cyber security landscape. Source: News and articles.
4. Kaspersky{CTF} determines five winners of regional leagues: Kaspersky's Capture The Flag (CTF) competition highlighted the immense talent in the cyber security field, with five winners emerging from regional leagues. This event underscores the importance of fostering skills and innovation in cyber security research. Source: Kaspersky.
5. New Report Identifies Policy Options to Improve Federal Research Regulations, Bolster U.S. Scientific Competitiveness: A new report outlines policy options to enhance federal research regulations, aiming to strengthen the U.S. scientific enterprise. These recommendations are crucial for maintaining national security and advancing technological innovation. Source: National Academies.

Top CVEs

1. CVE-2024-56189: In SAEMM_DiscloseMsId of SAEMM_RadioMessageCodec.c, there is a possible out of bounds read due to a missing bounds check. This vulnerability could lead to remote information disclosure post authentication without needing additional execution privileges or user interaction. Source: Vulners.
2. CVE-2024-56190: In wl_update_hidden_ap_ie() of wl_cfgscan.c, a possible out of bounds write due to improper input validation could lead to local escalation of privilege. This vulnerability does not require additional execution privileges or user interaction. Source: Vulners.
3. CVE-2025-36887: In wl_cfgscan_update_v3_schedscan_results() of wl_cfgscan.c, an incorrect bounds check could lead to a possible out of bounds write, resulting in local escalation of privilege. No additional execution privileges or user interaction are needed. Source: Vulners.
4. CVE-2025-53693: A vulnerability in Sitecore Experience Manager (XM) and Experience Platform (XP) allows cache poisoning due to the use of externally-controlled input to select classes or code. This affects versions from 9.0 through 9.3 and 10.0 through 10.4. Source: Vulners.
5. CVE-2025-53694: Sitecore Experience Manager (XM) and Experience Platform (XP) are affected by an exposure of sensitive information to unauthorized actors. This vulnerability impacts versions from 9.2 through 10.4. Source: Vulners.

API Security

1. XWiki Platform Configuration File Access via Webjars API: A vulnerability in XWiki Platform allows unauthorized access to configuration files through the webjars API. This issue affects versions 6.1-milestone-2 through 16.10.6 and has been patched in version 17.4.0-rc-1 and 16.10.7. The vulnerability can be exploited by encoding URLs to access sensitive configuration files. Source: Vulners.
2. Cisco EPNM Arbitrary File Upload Vulnerability: A flaw in the Cisco Evolved Programmable Network Manager (EPNM) allows authenticated attackers to upload arbitrary files due to improper validation in the web-based management interface. This vulnerability can be exploited by sending a crafted file upload request to a specific API endpoint, potentially compromising the affected system. Source: Vulners.
3. Cisco EPNM and Prime Infrastructure Information Disclosure: This vulnerability in Cisco EPNM and Prime Infrastructure allows low-privileged users to access sensitive configuration information due to improper request validation at API endpoints. Exploiting this flaw requires access as a low-privileged user, potentially exposing restricted information. Source: Vulners.
4. CKEditor 5 XSS Vulnerability in Clipboard Package: A Cross-Site Scripting (XSS) vulnerability in CKEditor 5's clipboard package can be triggered by specific user actions, allowing unauthorized JavaScript execution. This vulnerability affects installations with certain editor configurations and has been patched in version 46.0.3 and 45.2.2. Source: Vulners.
5. Jenkins Global-Build-Stats Plugin Permission Check Flaw: The Jenkins global-build-stats Plugin lacks proper permission checks in its REST API endpoints, allowing attackers with Overall/Read permission to enumerate graph IDs. This issue has been addressed in a subsequent plugin update. Source: Vulners.

Sponsored by Wallarm API Security Solution

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is as dynamic as ever, with new challenges and innovations emerging daily. From the alarming breaches affecting medical and personal data to the evolving threats in software vulnerabilities, staying informed is crucial for safeguarding our digital world.

We've also explored the exciting advancements in cybersecurity education and the importance of fostering talent through competitions like Kaspersky's Capture The Flag. These efforts are vital in preparing the next generation of cybersecurity experts to tackle the challenges ahead.

In the age of generative AI, as highlighted by Google's research, the need for robust security protocols is more pressing than ever. As we continue to navigate these complexities, remember that knowledge is our best defense.

If you found today's insights valuable, please share this newsletter with your friends and colleagues. Together, we can build a more secure digital future. Stay vigilant, stay informed, and we'll see you in the next edition of Secret CISO!