Secret CISO 1/10: PowerSchool Data Breach Impacts Schools Nationwide, BayMark Health Services Cyberattack, Facebook Awards $100,000 for Bug Discovery, Microsoft and Inria Develop Memory-Safe Rust

Welcome to today's issue of Secret CISO, your daily dose of cybersecurity news. Today, we're looking at a series of data breaches impacting schools across the U.S. and Canada, from Philadelphia to Bozeman. PowerSchool, a major education software company, has reported a security breach that may have compromised student information, including social security numbers and medical data. In other news, patient information may have been breached at a doctors' practice in Utica, and BayMark Health Services has experienced a data breach following a cyberattack. On the research front, Facebook has awarded a $100,000 bug bounty to a security researcher for discovering a critical vulnerability.

Meanwhile, Cato Networks is set to simulate a real-life network breach at NDC Security 2025, and researchers have developed a way to automatically translate C code to memory-safe Rust. In the world of sports, the NFL Giants Green Bay have had their online defense breached, and as the Super Bowl approaches, New Orleans has brought on a security expert following a deadly attack. Stay tuned for more updates on these stories and other breaking cybersecurity news. Stay safe, stay informed with Secret CISO.

Data Breaches

  1. Data Breach Impacts Lower Merion School District: A recent hack at the Lower Merion School District has led to a warning being sent out to families. The extent of the data breach is currently unknown. Source: NBC10 Philadelphia
  2. PowerSchool Data Breach at SCSD No. 1: PowerSchool has determined that sensitive information such as social security numbers and medical information was taken during a data breach. The district is currently working on mitigating the impact. Source: SweetwaterNOW
  3. Franklin West Supervisory Union Data Breach: A recent data security breach has affected a northern Vermont school district, Franklin West Supervisory Union. The details of the breach are yet to be disclosed. Source: WPTZ
  4. Data Breach Impacts Bozeman School District: A recent data breach is impacting schools across the U.S. and Canada, including the Bozeman School District. The extent and nature of the breach are currently under investigation. Source: YouTube
  5. Data Breach at BayMark Health Services: BayMark Health Services filed a notice of data breach with the Attorney General of California after an apparent cyberattack. The extent of the breach and the number of patients affected are yet to be disclosed. Source: JD Supra

Security Research

  1. NFL Giants Green Bay Have Their Online Defense Breached: The NFL Giants Green Bay's online defense was recently breached, reminding individuals of their right to obtain a police report in such incidents. Source: Information Security Buzz
  2. New Orleans brings on security expert one week after deadly attack as Super Bowl approaches: In the wake of a deadly attack and impending Super Bowl, New Orleans has hired a security expert to address safety concerns and potential lawsuits. Source: CBS News
  3. Facebook Awarded $100,000 for Bug that Allows Internal Access to Server: Facebook has awarded a $100,000 bug bounty to security researcher Ben Sadeghipour for discovering a critical vulnerability in the company's ad platform. Source: Cybersecurity News
  4. Researchers build a bridge from C to Rust and memory safety: Computer scientists from Microsoft and Inria have developed a way to automatically translate C code to memory-safe Rust, enhancing security. Source: InfoWorld
  5. Researcher Discovers License Plate Scanners Used By Police Are Not Secure: A security researcher has discovered that if police license plate scanners are not set up properly, they could be publishing all of their information to the public. Source: Auto Spies

Top CVEs

  1. Improper access control in Azure SaaS Resources (CVE-2025-21380): An authorized attacker can exploit this vulnerability to disclose sensitive information. The vulnerability is due to improper access control in Azure SaaS Resources. Source: CVE-2025-21380
  2. Critical vulnerability in Tenda AC6 15.03.05.16 (CVE-2025-0349): Manipulating the argument src in the function GetParentControlInfo of the file /goform/GetParentControlInfo leads to a stack-based buffer overflow. The exploit has been disclosed to the public and may be used. Source: CVE-2025-0349
  3. Information disclosure vulnerability in IBM OpenPages 9.0 (CVE-2024-43176): An authenticated user can exploit this vulnerability to obtain sensitive information such as configurations that should only be available to privileged users. Source: CVE-2024-43176
  4. Server-Side Request Forgery (SSRF) vulnerability in Microsoft Purview (CVE-2025-21385): An authorized attacker can exploit this vulnerability to disclose information. The vulnerability is due to a Server-Side Request Forgery (SSRF) in Microsoft Purview. Source: CVE-2025-21385
  5. Arbitrary file uploads vulnerability in SKT Page Builder plugin for WordPress (CVE-2024-12848): This vulnerability allows authenticated attackers to upload arbitrary files due to a missing capability check on the 'addLibraryByArchive' function. This can lead to remote code execution. Source: CVE-2024-12848

API Security

  1. Vaultwarden Authenticated Reflected XSS Vulnerability: Vaultwarden v1.32.5 was discovered to contain an authenticated reflected cross-site scripting (XSS) vulnerability. This vulnerability could allow an attacker to inject malicious scripts into webpages viewed by other users. Source: vulners.com
  2. Vaultwarden User Impersonation Vulnerability: An issue in Vaultwarden prior to v1.32.5 allows attackers to impersonate users, including Administrators, via a crafted authorization. This could potentially lead to unauthorized access and control over user accounts. Source: vulners.com
  3. Drupal OAuth & OpenID Connect Single Sign On XSS Vulnerability: Drupal OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client) contains a Cross-site Scripting (XSS) vulnerability. This issue could allow an attacker to inject malicious scripts into webpages viewed by other users. Source: vulners.com
  4. Strawberry GraphQL Type Confusion Vulnerability: A type confusion vulnerability exists in Strawberry GraphQL's relay integration that affects multiple ORM integrations (Django, SQLAlchemy, Pydantic). This vulnerability could lead to information disclosure if the alternate type exposes sensitive fields and potential privilege escalation if the alternate type contains data intended for restricted access. Source: vulners.com
  5. Chatwoot SQL Injection Vulnerability: Prior to 3.16.0, the conversation and contact filter endpoints in Chatwoot did not sanitize the query_operator input passed from the frontend or the API. This gave any authenticated actor an attack vector to run arbitrary SQL within the filter query by adding a tautological WHERE clause. Source: vulners.com

Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of Secret CISO. As we've seen, data breaches are impacting schools and healthcare providers across the nation, highlighting the importance of robust cybersecurity measures. Remember, it's not just about protecting your own data, but also about safeguarding the information of those who trust you with their details. Stay vigilant, stay informed, and most importantly, stay secure.

If you found this newsletter helpful, please consider sharing it with your colleagues and friends to help them stay secure too. Until tomorrow, keep your data close and your security closer!
