Secret CISO 1/5: US vs Chinese Drones, BeyondTrust Vulnerabilities, Encryption Debate, Tesla's Data Privacy, PLAYFULGHOST Trojan, Apple's 'Hey Siri' Lawsuit, Data Protection Rules 2025, Security Research Insights
Welcome to today's issue of Secret CISO, where we bring you the most impactful cybersecurity news from around the globe.
Today, we delve into the US's proposal to ban Chinese drones over national security risks, highlighting the ongoing concerns about security threats from China-based companies. We also discuss the thousands of buggy BeyondTrust systems that remain exposed, even after the vulnerability was added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities list. In encryption news, we explore the 'done and dusted' backdoor debate and the new mobile security guidelines released by CISA, focusing on encryption and FIDO authentication. We also examine the privacy concerns surrounding Tesla's data, which helped police after a Las Vegas truck explosion, and the draft Data Protection Rules 2025, which cover children on social media, breach notifications, and more.
In the world of cybercrime, we look at the delivery of PLAYFULGHOST via phishing and SEO poisoning in Trojanized VPN Apps, and the $95 million settlement of the 'Hey Siri' lawsuit by Apple. We also cover the US Treasury Department's sanctioning of a Chinese cybersecurity firm linked to Flax Typhoon APT, the mandatory parental consent for children's social media accounts under the draft Data Protection Rules, and the new HIPAA Cybersecurity Rules.
Finally, we delve into the latest research from security experts on various vulnerabilities, including the Nuclei vulnerability enabling signature bypass and code execution, the critical flaw in Virtuals Protocol, and the double clickjacking that can allow hackers to hijack your accounts even without your knowledge. Stay tuned for more updates and stay safe in the digital world!
Data Breaches
- US Proposes Ban on Chinese Drones Over National Security Risks: US lawmakers have raised concerns about security risks from drones supplied by China-based companies, leading to a proposed ban. Source: MediaNama
- Thousands of Buggy BeyondTrust Systems Remain Exposed: Thousands of BeyondTrust systems remain exposed to a known vulnerability, even after it was added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities list. Source: Dark Reading
- Tesla Data Helped Police After Las Vegas Truck Explosion: Tesla's data collection from its self-driving cars has raised privacy concerns, especially after it was used to assist police following a truck explosion in Las Vegas. Source: WPRI
- PLAYFULGHOST Delivered via Phishing and SEO Poisoning in Trojanized VPN Apps: The PLAYFULGHOST malware is being delivered through phishing and SEO poisoning in Trojanized VPN apps, posing a significant security threat. Source: The Hacker News
- US Treasury Department Sanctioned Chinese Cybersecurity Firm Linked to Flax Typhoon APT: The US Treasury Department has sanctioned a Chinese cybersecurity firm linked to the Flax Typhoon APT, following a data breach that exposed customer credit card data. Source: Security Affairs
Security Research
- Insecurity in Pakistan: Islamabad vows to eliminate Terrorism: Amidst a surge in violence, Pakistan's security research institutions are working to combat terrorism. Shehbaz Sharif, a key figure in the country's security apparatus, has pledged to eliminate the threat. Source: Khaama Press
- Draft Rules to Operationalise Digital Personal Data Protection Act Out: Security researcher Karan Saini has highlighted potential issues with the new draft rules for the Digital Personal Data Protection Act, including exemptions that allow data to be processed under certain conditions. Source: The Wire
- Gmail, Outlook and Apple users urged to watch out for this new email scam: A security researcher at eBay has warned of a new email scam targeting users of Gmail, Outlook, and Apple. The scam utilizes generative AI tools, making it more sophisticated and harder to detect. Source: New York Post
- Double Clickjacking Can Allow Hackers to Hijack Your Accounts Even without Your Knowledge: Security researcher Paulos Yibelo has warned of a new threat known as double clickjacking, which can lead to account theft through browser manipulation. Source: Digital Information World
- Researchers Uncover Nuclei Vulnerability Enabling Signature Bypass and Code Execution: A high-severity security flaw has been discovered in ProjectDiscovery's Nuclei, a popular open-source vulnerability scanner. The flaw could potentially allow for signature bypass and code execution. Source: The Hacker News
Top CVEs
- CVE-2025-0212 - SQL Injection in Campcodes Student Grading System: A critical vulnerability was found in Campcodes Student Grading System 1.0, affecting the file /view_students.php. The manipulation of the argument id leads to SQL injection, which can be initiated remotely. Source: Vulners
- CVE-2024-12279 - CSRF in WP Social AutoConnect Plugin: The WP Social AutoConnect plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on a function. This allows unauthenticated attackers to inject malicious web scripts via a forged request. Source: Vulners
- CVE-2024-12195 - SQL Injection in WP Project Manager Plugin: The WP Project Manager plugin for WordPress is vulnerable to SQL Injection via the 'project_id' parameter of the /wp-json/pm/v2/projects/2/task-lists REST API endpoint. This allows authenticated attackers to append additional SQL queries into existing queries to extract sensitive information. Source: Vulners
- CVE-2025-0213 - Unrestricted Upload in Campcodes Project Management System: A critical vulnerability was found in Campcodes Project Management System 1.0, affecting the file /forms/update_forms.php?action=change_pic2&id=4. The manipulation of the argument file leads to unrestricted upload, which can be initiated remotely. Source: Vulners
- CVE-2025-0210 - SQL Injection in Campcodes School Faculty Scheduling System: A critical vulnerability was found in Campcodes School Faculty Scheduling System 1.0, affecting the file /admin/ajax.php?action=login. The manipulation of the argument username leads to SQL injection, which can be launched remotely. Source: Vulners
Sponsored by Wallarm API Security Solution
Final Words
That's it for today's edition of Secret CISO. We've covered a lot of ground, from the US's proposed ban on Chinese drones to the ongoing debate over encryption backdoors. We've also touched on the new mobile security guidelines from CISA, the potential privacy concerns surrounding Tesla's data collection, and the latest data breach notifications. Remember, in the world of cybersecurity, knowledge is power. So, keep yourself updated and stay one step ahead of the threats. If you found this newsletter helpful, please consider sharing it with your friends and colleagues.
Let's work together to make the digital world a safer place for everyone. Stay safe and see you tomorrow for more cybersecurity news and insights.