Secret CISO 2/1: DeepSeek Jailbreak and System Prompt Revealed, BeyondTrust Zero-Day Breach Exposes SaaS Customers, Massive Data Breaches at Globe Life and PowerSchool

Welcome to today's issue of Secret CISO, where we bring you the latest and most impactful cybersecurity news.

Today, we're diving into the BeyondTrust Zero-Day breach that exposed 17 SaaS customers via a compromised API key, a massive insurance data breach affecting 850,000 people, and the PowerSchool data breach affecting students and teachers across multiple districts. We'll also discuss the Community Health Center data breach exposing personal information, the massive school data leak impacting some St. Louis area districts, and the D'Youville data breach in 2023 that exposed sensitive patient and financial information.

In other news, Keeper Security highlights the urgent need for strong credential management, another healthcare data breach compromised a million patients' information, and an audit reveals PowerSchool's security failure in the Rochester City School District data breach. Stay tuned for more updates on these stories and other cybersecurity news. Stay safe and secure!

Data Breaches

  1. BeyondTrust Zero-Day Breach Exposes 17 SaaS Customers via Compromised API Key: A zero-day breach at BeyondTrust has exposed 17 of its SaaS customers. The breach was due to a compromised API key. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this to its list of known vulnerabilities. Source: The Hacker News
  2. 850,000 people exposed in massive insurance data breach: Insurance giant Globe Life has revealed that a data breach in 2024 may have affected more customers than previously thought, exposing full names, dates of birth, and social security numbers of approximately 850,000 people. Source: Tom's Guide
  3. PowerSchool offers help to Wake County students, teachers affected by data breach: PowerSchool is offering assistance to students and teachers in Wake County affected by a data breach. The breach exposed social security numbers, home phone numbers, and work-related email addresses. Source: CBS 17
  4. Community Health Center Data Breach Exposes Personal Information: A data breach at Community Health Center has exposed personal information. Murphy Law Firm is investigating claims on behalf of all individuals whose information was exposed in the breach. Source: GlobeNewswire
  5. D'Youville data breach in 2023 exposed sensitive patient and financial information: A data breach at D'Youville in 2023 exposed sensitive patient and financial information. The breach was revealed in a letter from Mullen Coughlin LLC, a law firm specializing in representing organizations impacted by data breaches. Source: Lowell Sun

DeepSeek Jailbreak and System Prompt Revealed

Jailbreaking Generative AI - API Security
DeepSeek, a disruptive new AI model from China, has shaken the market, sparking both excitement and controversy. While it has gained attention for its

Top CVEs

  1. CVE-2024-11741: Grafana, an open-source platform for monitoring, had a vulnerability in its Alerting VictorOps integration that could be exposed to users with Viewer permission. This issue has been fixed in versions 11.5.0, 11.4.1, 11.3.3, 11.2.6, 11.1.11, 11.0.11. Source: vulners.com
  2. CVE-2025-23001: A Host Header Injection vulnerability was found in CTFd 3.7.5, due to the application failing to properly validate or sanitize the Host header. This could lead to phishing attacks, password resets, or cache poisoning. Source: vulners.com
  3. CVE-2025-23215: PMD, a multilanguage static code analyzer, had a vulnerability where the passphrase for the PMD and PMD Designer release signing keys was included in a jar published to Maven Central. Although the private key itself is not known to have been compromised, it must be considered potentially compromised. Source: vulners.com
  4. CVE-2025-22957: A SQL injection vulnerability exists in the front-end of the website in ZZCMS <= 2023, which can be exploited without any authentication. This could potentially allow attackers to gain unauthorized access to the database and extract sensitive data. Source: vulners.com
  5. CVE-2024-57432: Macrozheng mall-tiny 1.0.1 suffers from Insecure Permissions. The application's JWT signing keys are hardcoded and do not change. User information is explicitly written into the JWT and used for subsequent privilege management, making it possible to forge the JWT of any user to achieve authentication. Source: vulners.com

API Security

  1. Directorist: AI-Powered WordPress Business Directory Plugin Vulnerability (CVE-2024-12041): The Directorist plugin for WordPress, which provides AI-powered business directory and classified ads listings, has a vulnerability that exposes sensitive information. All versions up to and including 8.0.12 are affected, allowing unauthenticated attackers to extract data such as usernames, email addresses, and more via the /wp-json/directorist/v1/users/ endpoint. Source: vulners.com
  2. EasyVirt DCScope & CO2Scope Incorrect Access Control (CVE-2024-53355): EasyVirt's DCScope (versions <=8.6.0) and CO2Scope (versions <=1.3.0) have an Incorrect Access Control vulnerability. This allows the API to be exploited to create, modify, or delete information about aliases and user groups. Source: vulners.com
  3. Macrozheng Mall-Tiny Insecure Permissions (CVE-2024-57432): Macrozheng's mall-tiny 1.0.1 application suffers from Insecure Permissions. The application's JWT signing keys are hardcoded and do not change. User information is explicitly written into the JWT and used for subsequent privilege management, making it possible to forge the JWT of any user to achieve authentication. Source: vulners.com

Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of Secret CISO. We've covered a lot of ground, from the BeyondTrust Zero-Day breach to the massive insurance data leak, and the ongoing issues with PowerSchool's data breaches. It's clear that cybersecurity is a pressing issue that affects us all, from students to insurance customers to SaaS clients. Remember, knowledge is power. The more we understand about these breaches and how they occur, the better we can protect ourselves and our organizations.

So, don't keep this information to yourself. Share this newsletter with your friends, colleagues, and anyone else who might benefit from staying informed about the latest in cybersecurity news. Stay safe, stay informed, and keep an eye out for tomorrow's edition of Secret CISO.

Until then, remember: in the world of cybersecurity, the only constant is change.