Secret CISO 1/14: PowerSchool, Helena Public Schools hit by data breaches, Robinhood pays $45M over breach, Apple's USB-C security under scrutiny, Microsoft highlights AI red teaming

Good morning! In today's edition of Secret CISO, we delve into the alarming wave of data breaches impacting schools across the nation. From Helena Public Schools to Alabama districts, hackers are gaining unauthorized access to sensitive information and demanding ransom to prevent leaks. PowerSchool, a cloud-based software provider, seems to be the common denominator in these breaches, raising questions about its security measures. In other news, Robinhood is set to pay a hefty $45 million SEC settlement over a data breach and other violations, further highlighting the importance of robust cybersecurity measures in the financial sector.

On the technical front, security researchers have been busy uncovering vulnerabilities and potential threats. A researcher has demonstrated how to break into the ACE3 USB-C controller, a crucial component used in the iPhone 15's USB-C port. Meanwhile, Microsoft's AI red team has released a white paper detailing the safety and security challenges posed by generative AI products. Stay tuned for more updates and remember, in the world of cybersecurity, vigilance is key.

Data Breaches

  1. Helena Public Schools impacted by nationwide data breach: Helena Public Schools have alerted parents to a potential data breach that may have compromised their personal information. The breach is part of a larger, nationwide cyber incident. Source: YouTube
  2. School Software Company Target of Latest Mass Data Breach: Hackers have gained access to a school software company's data, including information about students and their parents. The hackers are demanding a ransom to prevent the release of the stolen data. Source: Governing Magazine
  3. PowerSchool data breach affects Alabama districts: Alabama school districts have been affected by a data breach at PowerSchool, a cloud-based software provider. The breach is part of a larger pattern of cyber incidents affecting various sectors, including education and defense. Source: CBS 42
  4. DATA BREACH ALERT: Edelson Lechtzin LLP Is Investigating: Edelson Lechtzin LLP is investigating claims on behalf of OLA Consulting Engineers, PC customers whose data may have been compromised in a data breach. Source: GlobeNewswire
  5. Robinhood to Pay $45 Million SEC Settlement Over Data Breach, Other Violations: Robinhood has agreed to pay a $45 million settlement to the SEC over a data breach and other violations. The 2021 hack exposed millions of customer names and emails. Source: WSJ

Security Research

  1. Malicious NPM Packages Targeting Cursor.com: A security researcher from Snyk has demonstrated a misconfiguration in the private NPM registry by deploying malicious NPM packages targeting Cursor.com. This highlights the importance of proper configuration and security measures in private registries. Source: Hacker News
  2. USB-C Vulnerability in Apple Devices: A security researcher has managed to break into the ACE3 USB-C controller, a crucial component used in the iPhone 15's USB-C port. This raises concerns about the security of Apple's USB-C devices and the potential for unauthorized access. Source: Firstpost
  3. Overstated MacOS Encryption Malware Threat: Security researcher Patrick Wardle has stated that the media has overstated the threat of the latest MacOS encryption malware. The malware authors mimicked Apple's encryption, but the actual harm is limited. Source: Decrypt
  4. Exploitation of Fortinet Firewalls: Security researchers have observed intrusions exploiting Fortinet firewalls with a probable 0-day vulnerability. This highlights the importance of continuous monitoring and updating of security systems to prevent such intrusions. Source: The Register
  5. Need for Human Expertise in AI Red Teaming: A new white paper from Microsoft Corp.'s AI red team details the safety and security challenges posed by generative AI. The research underscores the importance of human expertise in identifying and mitigating these challenges. Source: SiliconANGLE

Top CVEs

  1. Incorrect Access Control in Cfx.re FXServer: Unauthenticated users can modify and read arbitrary user data via exposed API in Cfx.re FXServer v9601 and earlier versions. Users are advised to update their software to the latest version. Source: CVE-2024-46310.
  2. Access Validation Issue in Apache CloudStack: Users with access or prior knowledge of resource UUIDs can list and add comments to such resources, potentially causing loss of confidentiality. CloudStack admins can disallow listAnnotations and addAnnotation API access to non-admin roles as an interim solution. Source: CVE-2025-22828.
  3. Authorization Bypass in OpenFGA: OpenFGA v1.3.8 to v1.8.2 are vulnerable to authorization bypass under certain conditions. Users are advised to upgrade to v1.8.3. Source: CVE-2024-56323.
  4. Server-Side Request Forgery in Veeam Backup for Microsoft Azure: This vulnerability may allow an unauthenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. Source: CVE-2025-23082.
  5. Improper GPU System Calls: Software installed and run as a non-privileged user may conduct improper GPU system calls resulting in platform instability. Users are advised to update their software to the latest version. Source: CVE-2024-47897.

API Security

  1. OpenFGA Authorization Bypass (CVE-2024-56323): OpenFGA versions v1.3.8 to v1.8.2 are vulnerable to an authorization bypass under certain conditions. This vulnerability arises when calling Check API or ListObjects with a model that uses conditions, and when OpenFGA is configured with caching enabled. Users are advised to upgrade to v1.8.3 to mitigate this issue. Source: vulners.com.
  2. Incorrect Access Control in Cfx.re FXServer (CVE-2024-46310): Cfx.re FXServer v9601 and earlier versions have an incorrect access control issue that allows unauthenticated users to modify and read arbitrary user data via the exposed API. Users are advised to upgrade to the latest version. Source: vulners.com.
  3. CSRF Vulnerability in Teedy (CVE-2025-22963): Teedy versions up to 1.11 are susceptible to a CSRF vulnerability that could lead to account takeover via POST. Users are advised to upgrade to the latest version to mitigate this issue. Source: vulners.com.
  4. Access Validation Issue in Apache CloudStack (CVE-2025-22828): Apache CloudStack versions from 4.16.0 have an access validation issue that allows users with access or prior knowledge of resource UUIDs to list and add comments (annotations) to such resources. This could lead to potential loss of confidentiality if the comments contain privileged information. CloudStack admins are advised to disallow listAnnotations and addAnnotation API access to non-admin roles as an interim measure. Source: vulners.com.

Final Words

That's it for today's edition of Secret CISO. The recent data breaches in schools across the nation serve as a stark reminder of the importance of robust cybersecurity measures. It's not just about protecting data, but also about safeguarding the future of our children. Remember, cybersecurity isn't a one-person job. It takes a village to ensure the safety of our digital landscape. So, share this newsletter with your friends, colleagues, and fellow cybersecurity enthusiasts.

Let's spread the word and make our digital world a safer place. Stay safe and see you tomorrow with more updates from the world of cybersecurity.
