Secret CISO 2/12: PowerSchool, DOGE, Mercer University, Duane Morris LLP under investigation for data breaches; Apple warns of security breach; Research reveals false sense of security with online scams

Welcome to today's issue of Secret CISO, where we bring you the latest news on data breaches and security vulnerabilities. Today, we're looking at a series of data breaches impacting PowerSchool, DOGE, Mercer University, and more. Attorney General Jeff Jackson is investigating a recent data breach at PowerSchool that affected numerous users. Meanwhile, DOGE and the Treasury are accused of the 'largest' US data breach, with non-government employees allegedly accessing information without proper security clearances.
In legal news, Mercer University has agreed to a class action lawsuit settlement over a 2023 data breach, and federal workers have launched a new lawsuit to fight DOGE's data access. On the corporate front, Duane Morris LLP has published its Data Breach Class Action Review for 2025, highlighting the increasing prevalence and impact of data breaches on companies. In healthcare, Accendo Insurance Company and VectraRx Mail Pharmacy Services LLC are under investigation for data breaches that exposed personal information. In the world of tech, Apple has warned iPhone users to update their devices amid a security breach, and Microsoft is offering increased rewards for finding security bugs in Copilot.
Finally, in research news, a new study highlights consumers' false sense of security with online scams, and a security researcher has detailed vulnerabilities in Fortinet FortiOS that could allow DoS & RCE attacks. Stay tuned for more updates and remember, knowledge is the first line of defense.
Data Breaches
- Attorney General Investigates PowerSchool Data Breach: Attorney General Jeff Jackson is investigating a data breach at PowerSchool that impacted numerous individuals. The breach underscores the need for robust data protection measures in educational institutions. Source: Avery Journal
- DOGE Accused of 'Largest' US Data Breach: DOGE is facing accusations of the 'largest' data breach in US history. The breach has raised concerns about the security of sensitive personal information and the lack of proper security clearances. Source: Law360
- Mercer University Data Breach Class Action Settlement: Mercer University has agreed to a class action lawsuit settlement following a 2023 data breach that compromised sensitive information. The settlement highlights the legal consequences of data breaches. Source: Top Class Actions
- Accendo Insurance Company Data Breach: A data breach at Accendo Insurance Company has exposed personal information. Murphy Law Firm is investigating legal claims on behalf of all individuals whose information was exposed in the breach. Source: GlobeNewswire
- VectraRx Mail Pharmacy Services LLC Data Breach: VectraRx Mail Pharmacy Services LLC suffered a data breach that exposed personal information. Murphy Law Firm is investigating legal claims on behalf of all individuals affected by the breach. Source: GlobeNewswire
Security Research
- Tech Titans Names Qorvo Exec as Board Chair, Announces New Board Members: Tech Titans, a leading technology trade association in Texas, has appointed a new board chair and announced new board members, including a security expert. The move is expected to strengthen the association's focus on technology and security. Source: Dallas Innovates
- U.S. adversaries increasingly turning to cybercriminals and their malware for help: Security researchers have noted a growing trend of U.S. adversaries leveraging cybercriminals and their malware to pose threats to national security. This highlights the need for robust cybersecurity measures. Source: CyberScoop
- The Alarming Backdoor Hiding in 2 Chinese Patient Monitors: Security researcher Jason Sinchak has discovered a concerning backdoor in two Chinese patient monitors. This discovery raises questions about the security of medical devices and the potential for cyber threats in healthcare. Source: GovInfoSecurity
- Microsoft will now pay you even more to find security bugs in Copilot: Microsoft has increased its bug bounty reward for finding moderate flaws in its Copilot software. This move encourages researchers to help create a safer digital environment. Source: TechRadar
- Researcher Details Fortinet FortiOS Vulnerabilities Allowing DoS & RCE Attacks: A security audit of Fortinet's FortiOS VPN conducted by Akamai researcher Ben Barnea has uncovered multiple vulnerabilities that could enable DoS and RCE attacks. This highlights the importance of regular security audits in identifying potential threats. Source: CyberSecurityNews
Top CVEs
- CVE-2022-3180: The WPGateway Plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.5. This allows unauthenticated attackers to create arbitrary malicious administrator accounts. Source: CVE-2022-3180
- CVE-2020-3432: A vulnerability in the uninstaller component of Cisco AnyConnect Secure Mobility Client for Mac OS could allow an authenticated, local attacker to corrupt the content of any file in the filesystem. The vulnerability is due to the incorrect handling of directory paths. Source: CVE-2020-3432
- CVE-2025-23359: NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default configuration, where a crafted container image could gain access to the host file system. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. Source: CVE-2025-23359
- CVE-2025-24434: Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Source: CVE-2025-24434
- CVE-2025-25202: Ash Authentication is an authentication framework for Elixir applications. Applications which have been bootstrapped by the igniter installer present since AshAuthentication v4.1.0 and who have used the magic link strategy or are manually revoking tokens are affected by revoked tokens being allowed to verify as valid. Source: CVE-2025-25202
API Security
- Temporal api-go library vulnerability (CVE-2025-1243): The Temporal api-go library prior to version 1.44.1 did not send update response information to Data Converter when the proxy package within the api-go module was used in a gRPC proxy prior to transmission. This resulted in information contained within the update response field not having Data Converter transformations (e.g. encryption) applied. This issue does not impact the Data Converter server. Data was encrypted in transit. Temporal Cloud services are not affected. Source: CVE-2025-1243
- NVIDIA Triton Inference Server vulnerability (CVE-2024-53880): NVIDIA Triton Inference Server contains a vulnerability in the model loading API, where a user could cause an integer overflow or wraparound error by loading a model with an extra-large file size that overflows an internal variable. A successful exploit of this vulnerability might lead to denial of service. Source: CVE-2024-53880
- GeoNetwork search end-point information disclosure (CVE-2024-32037): GeoNetwork is a catalog application to manage spatially referenced resources. In versions prior to 4.2.10 and 4.4.5, the search end-point response headers contain information about Elasticsearch software in use. This information is valuable from a security point of view because it allows software used by the server to be easily identified. GeoNetwork 4.4.5 and 4.2.10 fix this issue. No known workarounds are available. Source: CVE-2024-32037
- Windows Active Directory Domain Services API Denial of Service (CVE-2025-21351): Windows Active Directory Domain Services API is vulnerable to Denial of Service attacks. Further details are not provided. Source: CVE-2025-21351
- Distribution's token authentication vulnerability (CVE-2025-24976): Systems running registry versions 3.0.0-beta.1 through 3.0.0-rc.2 with token authentication enabled may be vulnerable to an issue in which token authentication allows an attacker to inject an untrusted signing key in a JSON web token (JWT). A fix for the issue is available at commit 5ea9aa028db65ca5665f6af2c20ecf9dc34e5fcd and expected to be a part of version 3.0.0-rc.3. There is no way to work around this issue without patching if the system requires token authentication. Source: CVE-2025-24976
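The Distribution entry above is one instance of a broader JWT bug class: a verifier that takes its verification key from the token's own header (a `jwk` member) lets whoever writes the token choose the key it is checked against, so an attacker-signed token "verifies". The Go program below is an added illustration of that class written for this newsletter; it is not Distribution's code or its fix. It signs ES256 tokens with the standard library, then verifies a forged token once with a verifier that honours an embedded `jwk` and once with one that resolves `kid` only against its own trust store. The key id, claims, trust store and function names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding

// jwk is the subset of an EC JSON Web Key (RFC 7517) the example needs; header is
// the JOSE header, whose optional "jwk" member lets a token carry its own key.
type jwk struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}
type header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
	JWK *jwk   `json:"jwk,omitempty"`
}

func be32(n *big.Int) []byte { return n.FillBytes(make([]byte, 32)) }

// fromJWK decodes a P-256 public key, or returns nil if the jwk is unusable.
func fromJWK(j *jwk) *ecdsa.PublicKey {
	x, errX := b64.DecodeString(j.X)
	y, errY := b64.DecodeString(j.Y)
	if j.Kty != "EC" || j.Crv != "P-256" || errX != nil || errY != nil {
		return nil
	}
	return &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
}

// sign builds a compact ES256 JWS (RFC 7515); the caller supplies the header.
func sign(hdr header, claims map[string]string, priv *ecdsa.PrivateKey) (string, error) {
	hb, _ := json.Marshal(hdr) // marshalling these plain structs cannot fail
	cb, _ := json.Marshal(claims)
	input := b64.EncodeToString(hb) + "." + b64.EncodeToString(cb)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(append(be32(r), be32(s)...)), nil
}

// verify checks a compact ES256 JWS against a trust store keyed by kid. With trustEmbeddedKey
// set it reproduces the bug class: a key carried in the token's own header is used.
func verify(token string, trusted map[string]*ecdsa.PublicKey, trustEmbeddedKey bool) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	hb, err1 := b64.DecodeString(parts[0])
	sig, err2 := b64.DecodeString(parts[2])
	var hdr header
	if err1 != nil || err2 != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" || len(sig) != 64 {
		return false
	}
	pub := trusted[hdr.Kid] // hardened path: keys come only from the verifier's own store
	if trustEmbeddedKey && hdr.JWK != nil {
		pub = fromJWK(hdr.JWK) // vulnerable path: untrusted signing key injected by the token
	}
	if pub == nil {
		return false
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}

// Demo returns: embedded-key verifier accepts forged, pinned verifier accepts forged, pinned verifier accepts genuine.
func Demo() (bool, bool, bool, error) {
	serverKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	attackerKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return false, false, false, fmt.Errorf("key generation: %v %v", err1, err2)
	}
	trusted := map[string]*ecdsa.PublicKey{"registry-signing-2025": &serverKey.PublicKey} // constructed trust store
	claims := map[string]string{"sub": "alice", "access": "repository:app:push"}          // constructed claims
	legit, err1 := sign(header{Alg: "ES256", Kid: "registry-signing-2025"}, claims, serverKey)
	// The attacker reuses the trusted kid, embeds its own public key and signs with the matching private key.
	atkJWK := &jwk{Kty: "EC", Crv: "P-256", X: b64.EncodeToString(be32(attackerKey.X)), Y: b64.EncodeToString(be32(attackerKey.Y))}
	forged, err2 := sign(header{Alg: "ES256", Kid: "registry-signing-2025", JWK: atkJWK}, claims, attackerKey)
	if err1 != nil || err2 != nil {
		return false, false, false, fmt.Errorf("signing: %v %v", err1, err2)
	}
	return verify(forged, trusted, true), verify(forged, trusted, false), verify(legit, trusted, false), nil
}

func main() {
	fmt.Println(Demo()) // true false true <nil>
}
```

Running it prints `true false true <nil>`: the forged token passes the embedded-key path and fails the pinned path, while the genuine token still passes. The whole fix is refusing to let the token name its own key; a production verifier additionally needs an explicit allow-list of `alg` values, validation that decoded points lie on the curve, and expiry and audience checks, none of which this demo includes.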
Sponsored by Wallarm API Security Solution
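The Triton entry in the list above describes a reported file size that overflows an internal variable. The Go program below is an added illustration of that failure mode in general, written for this newsletter and not taken from Triton's loader: it accumulates reported file sizes in a 32-bit counter and shows a 4 GiB file wrapping to zero and passing a 1 GiB budget check, then a checked version that rejects it. The budget, function names and input sizes are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// maxModelBytes is an assumed per-model budget the loader enforces (1 GiB).
const maxModelBytes int32 = 1 << 30

// sumSizesInt32 accumulates file sizes in a 32-bit counter, the way a loader that
// keeps "total bytes" in a 32-bit field would. Sizes at or above 2 GiB truncate on
// conversion and the addition wraps, so the total can come out small or negative.
func sumSizesInt32(sizes []int64) int32 {
	var total int32
	for _, s := range sizes {
		total += int32(s) // truncating conversion plus wrapping addition
	}
	return total
}

// loadModelVulnerable admits a model whenever the wrapped total fits the budget.
func loadModelVulnerable(sizes []int64) bool {
	return sumSizesInt32(sizes) <= maxModelBytes
}

// sumSizesChecked rejects negative sizes and any addition that would overflow
// int64, so the caller only ever compares an exact total against the budget.
func sumSizesChecked(sizes []int64) (int64, error) {
	var total int64
	for _, s := range sizes {
		if s < 0 {
			return 0, errors.New("negative file size")
		}
		if s > math.MaxInt64-total {
			return 0, errors.New("total size overflows int64")
		}
		total += s
	}
	return total, nil
}

// loadModelHardened returns nil only for a model whose exact total is within budget.
func loadModelHardened(sizes []int64) error {
	total, err := sumSizesChecked(sizes)
	if err != nil {
		return err
	}
	if total > int64(maxModelBytes) {
		return fmt.Errorf("model is %d bytes, over the %d byte budget", total, maxModelBytes)
	}
	return nil
}

func main() {
	// Constructed input: a single 4 GiB file size, as a hostile client might report it.
	oversized := []int64{4 << 30}
	fmt.Println("wrapped total:", sumSizesInt32(oversized))                   // 0
	fmt.Println("vulnerable loader admits it:", loadModelVulnerable(oversized)) // true
	fmt.Println("hardened loader:", loadModelHardened(oversized))
}
```

The point to carry over to any loader is that the size check has to run on the exact value the client reported, in a type wide enough to hold it, before the value is narrowed or added to anything; once it has wrapped, every later comparison is meaningless.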
Final Words
And that's a wrap for today's edition of Secret CISO. As we've seen, data breaches and security threats are an ever-present reality in our digital world. It's crucial to stay informed and vigilant, and we hope our newsletter helps you do just that. Remember, security is everyone's responsibility. If you found today's content valuable, please share it with your friends and colleagues.
Let's work together to create a safer digital environment for all. Stay safe and secure until our next update.