Secret CISO 1/18: OneBlood and PowerSchool Data Breaches, Texas Health Services Leak, Otelier Reservation Exposure, Research on FIDO2 Security and National Security Funding

Welcome to today's issue of Secret CISO, your daily dose of the most impactful cybersecurity news. Today, we're diving into a series of data breaches that have recently shaken up the digital landscape. First on our list is the data breach at OneBlood, Inc., a Florida-based blood donation organization. The personal information of patients may have been stolen, putting countless individuals at risk.

Next, we turn our attention to the education sector, where a software program used by several school districts in Georgia for record-keeping experienced a data breach last month. This breach has also impacted two school districts in East Tennessee, highlighting the growing cybersecurity risks in America's schools. In Texas, a massive data breach at the Health and Human Services Commission has led to the firing of key personnel. The breach has potentially exposed sensitive information, including Social Security numbers and financial data, affecting citizens across the Lone Star State. In the hospitality industry, hotel management platform Otelier suffered a data breach, exposing the information and hotel reservations of millions of guests.

Lastly, we delve into the world of cybersecurity research. From uncovering vulnerabilities in different tunneling protocols to analyzing the security implications of FIDO2 authentication and synced passkeys, researchers are working tirelessly to secure our digital world. Stay tuned for more updates and remember, knowledge is the first line of defense in cybersecurity.

Data Breaches

  1. OneBlood, Inc. Data Breach: OneBlood, a Florida-based blood bank, has suffered a data breach potentially compromising the personal information of its patients. The exact extent of the breach is yet to be determined. Source: Morningstar
  2. PowerSchool Data Breach: PowerSchool, a software program used by several school districts in Georgia for record-keeping, experienced a data breach last month. The breach has potentially exposed the data of students and teachers. Source: 11Alive
  3. Texas Health and Human Services Commission Data Breach: A massive data breach at the Texas Health and Human Services Commission has led to the firing of some staff. The breach has potentially exposed sensitive data of citizens, including Social Security numbers, Medicaid and Medicare identification numbers, financial information, employment records, and health data. Source: YouTube
  4. Newport Harbor Pathology Medical Group Data Breach: Newport Harbor Pathology Medical Group has suffered a data breach, potentially exposing patients' sensitive information. Those affected may be able to take legal action to recover losses due to the breach. Source: Class Action
  5. Otelier Data Breach: Hotel management platform Otelier has suffered a data breach, with threat actors breaching its Amazon S3 cloud storage to steal millions of guests' information and hotel reservations. Source: Bleeping Computer

Security Research

  1. Major New Online Tunneling Vulnerability: Security researchers have discovered multiple vulnerabilities in different tunneling protocols. These bugs have the potential to allow threat actors to launch DoS attacks and more, putting millions of devices at risk. Source: TechRadar
  2. Security Implications of FIDO2 and Synced Passkeys: Recent academic research has revealed new insights into the security considerations surrounding FIDO2 authentication and synced passkeys. This research could have significant implications for the future of online security. Source: Mobile ID World
  3. NSF Funding for National Security Research: The University of North Dakota has received funding from the National Science Foundation to expand research into quantum technologies. This research could have significant implications for national security. Source: UND Today
  4. Supreme Court Upholds TikTok Ban: The Supreme Court has upheld a ban on TikTok, which could potentially make U.S. users more vulnerable to hackers. This decision has sparked a significant amount of discussion and debate within the cybersecurity community. Source: CT Post
  5. Mercedes-Benz Head Unit Security Research: Security researchers have performed a detailed analysis of the first-generation MBUX subsystems in Mercedes-Benz vehicles. Their findings could have significant implications for the future of automotive cybersecurity. Source: Securelist

Top CVEs

  1. CVE-2017-13322 - Local Denial of Service in PhoneInterfaceManager.java: A logic error in the endCallForSubscriber function of PhoneInterfaceManager.java could potentially prevent access to emergency services, leading to a local denial of service. No additional execution privileges or user interaction are required for exploitation. Source: CVE-2017-13322
  2. CVE-2018-9389 - Local Privilege Escalation in ip6_output.c: A heap buffer overflow in ip6_append_data of ip6_output.c could potentially lead to code execution and local privilege escalation. No additional execution privileges or user interaction are required for exploitation. Source: CVE-2018-9389
  3. CVE-2018-9384 - Local Information Disclosure in Multiple Locations: An unusual root cause in multiple locations could potentially lead to bypassing of KASLR, leading to local information disclosure. System execution privileges are required for exploitation and no user interaction is needed. Source: CVE-2018-9384
  4. CVE-2018-9383 - Local Information Disclosure in asn1_decoder.c: A missing bounds check in asn1_ber_decoder of asn1_decoder.c could potentially lead to an out-of-bounds read, leading to local information disclosure. System execution privileges are required for exploitation and no user interaction is needed. Source: CVE-2018-9383
  5. CVE-2018-9464 - Local Privilege Escalation in Multiple Locations: A missing permission check in multiple locations could potentially allow access to read protected files, leading to local privilege escalation. No additional execution privileges or user interaction are required for exploitation. Source: CVE-2018-9464

API Security

  1. CVE-2025-23208 - Group Membership Revocation Ignored in Zot: Zot, an OCI image registry, had an issue where group data stored for users in the boltdb database (meta.db) was an append-list, meaning group revocations/removals were ignored in the API. This issue has been addressed in version 2.1.2. Source: Vulners
  2. CVE-2025-23202 - Injection Vulnerability in Bible Module: Bible Module, a tool designed for ROBLOX developers, had a vulnerability in the FetchVerse and FetchPassage functions due to the absence of input validation. This could allow an attacker to manipulate the API request URLs, potentially leading to unauthorized access or data tampering. This issue has been addressed in version 0.0.3. Source: Vulners
  3. CVE-2024-50967 - Incorrect Access Control in Becon DATAGerry: The /rest/rights/ REST API endpoint in Becon DATAGerry through 2.2.0 contained an Incorrect Access Control vulnerability. An attacker could remotely access this endpoint without authentication, leading to unauthorized disclosure of sensitive information. Source: Vulners

Final Words

That's it for today's edition of Secret CISO. We've covered a lot of ground, from data breaches affecting OneBlood and PowerSchool to the cybersecurity risks in America's schools. Remember, staying informed is the first step in protecting your organization from cyber threats.

If you found this newsletter helpful, please consider sharing it with your colleagues and friends.

Together, we can build a more secure digital world. Stay safe, stay informed, and see you in the next edition of Secret CISO.
