Good morning, Secret CISO readers! Today's newsletter is packed with the latest cybersecurity news and insights.

We start with a shocking revelation from a security researcher who discovered that Google could potentially leak the email addresses of YouTube channels. This is a significant concern as it exposes users to potential phishing attacks and other cyber threats. In other news, hackers have been exploiting flaws in Cisco devices to breach global telecom firms, ISPs, and universities, leading to data theft and persistent access. This highlights the importance of regularly updating and patching your devices to protect against such vulnerabilities.

We also delve into the importance of cultivating a security-conscious culture within organizations. It's not enough to simply provide awareness training; employees need to understand the consequences of security violations and take cyber risks seriously. On a brighter note, if you were impacted by the Green Valley Pecan Company data breach, you may qualify for up to $4400 in compensation. For our Mac users, beware! AI-powered malware threats are on the rise. We provide some tips on how to reduce the risk of security breaches, such as not reusing passwords.

Lastly, we discuss the importance of updating your iPhones to avoid a security breach. Apple users are being advised to ensure all their devices are fully updated to prevent others from bypassing their security. Stay tuned for more updates and remember, stay safe out there!

Data Breaches

1. Hackers exploit Cisco devices to breach telecom networks: Global telecom firms, ISPs, and universities have been breached by Salt Typhoon exploiting flaws in Cisco devices, leading to data theft and persistent access. Source: iZOOlogic
2. $4400 Compensation for Green Valley Data Breach Victims: Victims of the Green Valley Pecan Company data breach may be eligible for up to $4400 in compensation. Source: idolgu.in
3. Update your iPhones to avoid a security breach: Apple users are being urged to update all their devices due to a security breach that could allow unauthorized access. Source: KX News
4. Massive Data Breach Exposes Americans' Financial Details: A breach reported by the Office of the Maine Attorney General exposed sensitive data such as names, birthdays, Social Security numbers, card numbers, and PINs. Source: Benzinga
5. Newly launched DOGE website hacked: Hackers infiltrated the newly launched DOGE website within days, potentially leaking classified information and mocking its security flaws. Source: Economic Times

Security Research

1. ACS Password Leaks Are A Security Issue On IBM i: Security researcher Varga-Perke discovered a vulnerability in System i Navigator, first documented by security company Tenable. This flaw exposes ACS passwords, posing a significant security risk. Source: IT Jungle
2. Brewing Food Security: Transforming Food Waste Into Sustainable Nutrition: A team of researchers led by Ovissipour is using fermentation science to transform food waste into sustainable nutrition, offering a novel approach to food security. Source: Where The Food Comes From
3. Online investment research: Data from millions of Zacks users leaked: Zacks, an online investment research platform, suffered a security incident where attackers gained access to customer data. The leaked data package contained information from 12 million users. Source: Heise
4. Modern vehicles vulnerable to cyber attacks, warn experts: Cybersecurity researcher Muneeb Amin Bhat warns that hackers are exploiting vulnerabilities in keyless entry systems, making modern vehicles susceptible to cyber attacks. Source: Greater Kashmir
5. The real reason behind the DeepSeek hype, according to AI experts: Security researchers have highlighted potential risks associated with the DeepSeek app, prompting US lawmakers to call for its ban on government devices. Source: Egypt Independent

Top CVEs

1. CVE-2025-1337: Eastnets PaymentSafe 2.5.26.0 has a vulnerability that allows for cross-site scripting due to an unknown part of the component BIC Search being affected. The attack can be initiated remotely. The vendor has not responded to this disclosure. Source: CVE-2025-1337
2. CVE-2025-22680: NotFound Ad Inserter Pro has a vulnerability that allows for Reflected XSS. The issue affects Ad Inserter Pro versions from n/a through. Source: CVE-2025-22680
3. CVE-2025-1354: Asus RT-N12E 2.0.0.19 has a vulnerability that allows for cross-site scripting due to an unknown function of the file sysinfo.asp being affected. The attack can be launched remotely. The vendor has not responded to this disclosure. Source: CVE-2025-1354
4. CVE-2025-26779: Fahad Mahmood Keep Backup Daily has a vulnerability that allows for Path Traversal. The issue affects Keep Backup Daily versions from n/a through. Source: CVE-2025-26779
5. CVE-2025-26765: enituretechnology Distance Based Shipping Calculator has a vulnerability that allows for Exploiting Incorrectly Configured Access Control Security Levels. The issue affects Distance Based Shipping Calculator versions from n/a through. Source: CVE-2025-26765

API Security

1. Zabbix Privilege Escalation - RCE (CVE-2024-42327): A critical vulnerability has been discovered in Zabbix server versions prior to 6.0.32rc1, 6.4.17rc1, 7.0.1rc1. This flaw allows a non-admin user with API access to exploit an SQLi in the CUser class in the addRelatedObjects function, leading to a potential reverse shell on the Zabbix server. Immediate patching is recommended. Source: vulners.com

Sponsored by Wallarm API Security Solution

Final Words

That's a wrap for today's edition of Secret CISO. We've covered a lot of ground, from the exploitation of YouTube IDs to find Gmail details, to the rise of AI-powered malware threats for Mac users. We've also discussed the importance of cultivating a culture of cyber risk awareness in organizations and the potential compensation for victims of the Green Valley data breach.

Remember, in the world of cybersecurity, knowledge is power. So, don't keep this valuable information to yourself. Share this newsletter with your friends and colleagues to help them stay informed and protected.

Stay safe, stay informed, and see you in the next edition of Secret CISO.