Secret CISO 9/5: TransUnion & Chess.com Breaches, macOS Keychain Flaw, HexStrike AI Exploits Citrix
Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity challenges that have surfaced across various sectors. In this issue, we delve into a series of alarming data breaches and vulnerabilities that underscore the critical need for enhanced security measures.
We begin with the unsettling news of a data breach at TeamstersCare, affecting over 21,000 individuals' personal and health information. This incident is a stark reminder of the vulnerabilities in safeguarding sensitive data. Meanwhile, Chess.com faces a similar predicament, with thousands of users' information exposed, revealing gaps in their security framework.
The educational sector is not spared, as Texas sues PowerSchool over a breach impacting 880,000 students, highlighting the urgent need for robust data protection in educational technology. In the corporate world, Workiva discloses a breach linked to a third-party CRM attack, emphasizing the risks associated with external service providers.
Adding to the gravity, a massive breach at TransUnion has compromised the personal information of over 4.4 million customers, raising significant concerns about the security practices of credit bureaus. On the software front, a macOS flaw could have exposed Keychain data, while the emergence of HexStrike AI showcases the evolving threat landscape in exploiting Citrix vulnerabilities.
Security researchers have identified a zero-day vulnerability in SiteCore products, urging organizations to remain vigilant. Meanwhile, hacked routers continue to linger on the internet, posing long-term risks, and popular Android VPN apps are found to have security flaws and potential China links, raising privacy concerns.
In the realm of vulnerabilities, we explore several critical CVEs, including issues in Android's UninstallerActivity.java and BroadcastController.java, which could lead to local privilege escalation. Additionally, the Obsidian GitHub Copilot Plugin and FreePBX API OAuth Key vulnerabilities highlight the importance of secure token storage and authentication processes.
Finally, we examine the Argo CD API Token Repository Credential Exposure and the pgAdmin COOP vulnerability, both underscoring the need for stringent permission controls and robust cross-origin policies. The dotCMS SQL Injection vulnerability further emphasizes the necessity of input sanitization in APIs.
Stay informed and vigilant as we navigate these complex cybersecurity challenges together.
Data Breaches
- TeamstersCare Data Breach Affects PII & PHI of over 21,000: On August 1, 2025, Teamsters Union 25 Health Services & Insurance Plan (TeamstersCare) identified suspicious activity that led to a data breach affecting the personal and health information of over 21,000 individuals. The breach has raised concerns about the security measures in place to protect sensitive data. Source: Claim Depot.
- Chess.com Data Breach Affects Thousands of Users: A data breach at Chess.com exposed the personal information of thousands of users, including names and other unspecified data elements. The breach was made public by a threat actor, highlighting vulnerabilities in the platform's security. Source: Claim Depot.
- Texas Sues PowerSchool Over K-12 Data Breach Exposing 880K: The Texas Attorney General has filed a lawsuit against PowerSchool after a data breach exposed the personal information of over 880,000 Texas students. This incident underscores the critical need for robust data protection measures in educational technology. Source: Houston Chronicle.
- Workiva Discloses Customer Data Breach Tied to Third-Party CRM Attack: Workiva has disclosed a data breach linked to a third-party CRM attack, affecting customer data. While the scope of the breach appears limited, it highlights ongoing risks associated with third-party service providers. Source: Teiss.
- More Than 4.4 Million Exposed in Credit Bureau TransUnion Breach: A data breach at TransUnion has exposed sensitive personal information, including names and Social Security numbers, of over 4.4 million customers. This incident raises significant concerns about data security practices within credit bureaus. Source: CNET.
Security Research
- macOS Sequoia flaw could have exposed Keychain data including passwords: At Nullcon Berlin 2025, security researcher Koh M. Nakagawa from FFRI Security disclosed a vulnerability in Apple's gcore debugging utility that could have exposed sensitive Keychain data, including passwords. This flaw highlights the importance of continuous security assessments even in well-established systems. Source: Apple Insider.
- Crims boast of using HexStrike AI against Citrix bugs: Security researcher Muhammad Osama released HexStrike AI on GitHub, an offensive security utility that integrates with over 150 security tools. This tool has been reportedly used to exploit Citrix vulnerabilities, showcasing the evolving landscape of AI in cybersecurity threats. Source: The Register.
- Researchers warn of zero-day vulnerability in SiteCore products: Security researchers from Google have identified a zero-day vulnerability in the SiteCore content management system. This discovery underscores the critical need for organizations to stay vigilant and update their systems promptly to mitigate potential exploits. Source: Cybersecurity Dive.
- Hacked Routers Linger on the Internet for Years, Data Shows: Emily Austin, a principal security researcher at Censys, found several hundred Ubiquiti network routers with hacked banners. This research highlights the long-term risks of unsecured devices on the internet and the importance of regular security audits. Source: Dark Reading.
- Popular Android VPN apps found to have security flaws and China links: Researchers examined the 100 most-downloaded VPNs and discovered security flaws and potential China links in many of them. This finding raises concerns about the privacy and security of widely used VPN applications. Source: Malwarebytes.
Top CVEs
- CVE-2025-0087: In the onCreate method of UninstallerActivity.java, a missing permission check allows for the uninstallation of apps belonging to other users. This vulnerability can lead to local privilege escalation without requiring additional execution privileges or user interaction. Source: Vulners.
- CVE-2025-26426: The BroadcastController.java file contains improper input validation in the registerReceiverWithFeatureTraced function, enabling unauthorized receipt of broadcasts intended for the "android" package. This flaw can result in local privilege escalation without additional execution privileges or user interaction. Source: Vulners.
- CVE-2025-26455: A heap buffer overflow in multiple functions of NdkMediaCodec.cpp leads to a potential out-of-bounds write. This vulnerability may cause local privilege escalation without requiring additional execution privileges or user interaction. Source: Vulners.
- CVE-2025-26436: The clearAllowBgActivityStarts method in PendingIntentRecord.java allows background activity launches due to a BAL Bypass. This vulnerability can lead to local privilege escalation without additional execution privileges or user interaction. Source: Vulners.
- CVE-2023-35657: In the bta_av_config_ind function of bta_av_aact.cc, a type confusion issue results in a possible out-of-bounds read. This flaw can lead to local information disclosure without requiring additional execution privileges or user interaction. Source: Vulners.
API Security
- Obsidian GitHub Copilot Plugin API Token Vulnerability: Obsidian GitHub Copilot Plugin versions prior to 1.1.7 store GitHub API tokens in cleartext form, potentially allowing unauthorized operations on linked GitHub accounts. This vulnerability highlights the importance of secure token storage to prevent unauthorized access. Source: Vulners.
- FreePBX API OAuth Key Vulnerability: The FreePBX API module, in certain versions, uses an identical OAuth private key across multiple systems, allowing attackers to forge JWT tokens and bypass authentication. This vulnerability underscores the risks of using shared keys in authentication processes. Source: Vulners.
- Argo CD API Token Repository Credential Exposure: Argo CD API tokens with project-level permissions can retrieve sensitive repository credentials through the project details API endpoint. This issue affects various versions and emphasizes the need for strict permission controls on API tokens. Source: Vulners.
- pgAdmin COOP Vulnerability: pgAdmin versions up to 9.7 are affected by a Cross-Origin Opener Policy (COOP) vulnerability, which could lead to unauthorized account access and data breaches. This highlights the importance of implementing robust cross-origin policies. Source: Vulners.
- dotCMS SQL Injection Vulnerability: dotCMS versions 24.03.22 and later have a Boolean-based blind SQL injection vulnerability in the /api/v1/contenttype endpoint. This flaw allows attackers to extract data and escalate privileges, showcasing the critical need for input sanitization in APIs. Source: Vulners.
Sponsored by Wallarm API Security Solution
Final Words
As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is fraught with challenges and vulnerabilities. From data breaches affecting millions to critical security flaws in widely-used systems, the need for robust cybersecurity measures has never been more pressing. Each story serves as a reminder of the importance of vigilance, continuous assessment, and proactive defense strategies in safeguarding our digital world.
We hope you found today's insights valuable and thought-provoking. If you did, please consider sharing this newsletter with your friends and colleagues. By spreading awareness, we can collectively enhance our understanding and response to the ever-evolving cybersecurity threats.
Thank you for joining us today. Stay informed, stay secure, and we'll see you in the next edition of Secret CISO!