Secret CISO 2/6: Biomedical Lab Bolsters Cybersecurity Post-Breach, Mackenzie Financial Faces Class Action, PowerSchool Breach Affects Thousands, DeepSeek Linked to Banned Chinese Telecom

Welcome to today's issue of Secret CISO, where we bring you the latest news and insights from the world of cybersecurity. Today, we're focusing on a series of data breaches that have impacted various sectors, from healthcare to food delivery, and even education. In Jamaica, the Caledonia Medical Laboratory has strengthened its cybersecurity measures following a data breach. Meanwhile, a court in British Columbia has allowed parallel class actions in a data breach case involving fund manager Mackenzie Financial Corp. and InvestorCOM Inc.

In Connecticut, over a million people have been affected by a healthcare data breach at Community Health Center. The attorney general and a law firm are currently investigating the incident. In North Carolina, the New Hanover County School System has asked the attorney general to investigate a data breach involving PowerSchool, a student and staff information system used by many school districts. Food delivery service Grubhub has reported a data breach through a third-party contractor, exposing user contact information.

In a similar vein, San Francisco-Marin Food Bank has also reported a data breach, though details are still scarce. In the world of cybersecurity research, links have been found between DeepSeek's chatbot and a Chinese telecom company banned from operating in the U.S. This raises serious data privacy concerns.

Finally, we delve into the world of vulnerabilities with a series of CVEs that have been identified in various systems. These vulnerabilities affect a range of products and could cause long-term damage if left unaddressed. Stay tuned for more updates and remember, knowledge is the first line of defense. Stay safe out there!

Data Breaches

  1. Biomedical Caledonia Medical Laboratory Data Breach: Biomedical Caledonia Medical Laboratory Limited has suffered a data breach, leading to the strengthening of its cybersecurity and IT infrastructure. The details of the breach and the number of affected individuals are not specified. Source: Jamaica Gleaner
  2. Data Breach at Mackenzie Financial Corp. and InvestorCOM Inc.: A proposed class action has been filed in British Columbia against fund manager Mackenzie Financial Corp. and InvestorCOM Inc. in connection with a data breach. The details of the breach and the number of affected individuals are not specified. Source: Investment Executive
  3. Community Health Center Data Breach: A data breach at Community Health Center in Connecticut has affected over a million individuals. The Connecticut attorney general and a law firm are investigating the breach. Source: Middletown, CT Patch
  4. Data Breach at PowerSchool: A data breach involving PowerSchool, a student and staff information system used by many school districts across North Carolina, has led to the exposure of sensitive data. The New Hanover County School System has asked the attorney general to investigate the breach. Source: WWAYTV3
  5. Grubhub Data Breach: Grubhub has reported a data breach through a third-party contractor, exposing user contact information including names, email addresses, phone numbers, and partial payment details. Source: Mobile ID World

Security Research

  1. Researchers link DeepSeek's blockbuster chatbot to Chinese telecom banned from doing business in the U.S.: Security researchers have discovered a connection between DeepSeek's chatbot and a Chinese telecom company that has been banned from operating in the U.S. due to national security concerns. The code linking the two was first found by Feroot Security, a Canadian cybersecurity firm. Source: PBS
  2. LevelBlue research highlights surge in phishing-as-a-service kits: LevelBlue's recent research has highlighted a significant increase in the use of phishing-as-a-service kits. The research also notes that ransomware groups continue to exploit weaknesses in organizations' security configurations, with familiar malware campaigns still causing significant damage. Source: Security Info Watch
  3. Zyxel won't patch end-of-life routers against zero-day attacks: Zyxel has announced that it will not be patching its end-of-life routers against zero-day attacks, despite the potential security risks. The decision has been met with criticism from the cybersecurity community. Source: TechTarget
  4. Ex-HIPAA Officer: State Illegally Shared PHI for Research: A former HIPAA officer has claimed that a U.S. state illegally shared protected health information (PHI) for research purposes. The officer alleges that the state did not have the necessary data security safeguards and compliance measures in place to ensure the appropriate and confidential use of the data. Source: BankInfoSecurity
  5. Fake VS Code extension on npm uses altered ScreenConnect utility as spyware: A fake Visual Studio Code extension on npm has been found to use an altered version of the ScreenConnect utility as spyware. The discovery was made by a security researcher at Sonatype, a software supply chain automation company. Source: Sonatype

Top CVEs

  1. CVE-2024-2878: GitLab CE/EE versions starting from 15.7 prior to 16.9.7, 16.10 prior to 16.10.5, and 16.11 prior to 16.11.2 are vulnerable to a denial of service attack. Attackers can craft unusual search terms for branches, causing disruption in service. Source: CVE-2024-2878
  2. CVE-2025-23419: Multiple server blocks sharing the same IP address and port can be exploited by an attacker to bypass client certificate authentication requirements. This vulnerability arises when TLS Session Tickets or the SSL session cache are used in the default server performing client certificate authentication. Source: CVE-2025-23419
  3. CVE-2025-20124: A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker to execute arbitrary commands as the root user on an affected device. This vulnerability is due to insecure deserialization of user-supplied Java byte streams by the affected software. Source: CVE-2025-20124
  4. CVE-2024-3976: GitLab CE/EE versions starting from 14.0 prior to 16.9.7, 16.10 prior to 16.10.5, and 16.11 prior to 16.11.2 have a vulnerability that allows an unauthorized instance to disclose the title and description of confidential issues from a public project. Source: CVE-2024-3976
  5. CVE-2024-1539: GitLab EE versions starting from 15.2 prior to 16.9.7, 16.10 prior to 16.10.5, and 16.11 prior to 16.11.2 have a vulnerability that allows disclosure of updates to issues to a banned group member. Source: CVE-2024-1539
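
CVE-2025-23419 above is an nginx advisory: the bypass needs several server blocks on one listen socket, with the default server verifying client certificates while TLS session tickets or the SSL session cache remain enabled. The following audit script is an added example, not code from the newsletter or from nginx; it uses a simplified parser (directives only, no include handling) over a constructed sample config, and flags the listen sockets that match that precondition so an operator can upgrade or disable resumption on those servers.

```python
import re
from collections import defaultdict
# Constructed sample: two blocks share 443; the default one verifies client certs
# and leaves ssl_session_tickets at nginx's default (on), so resumption still works.
SAMPLE_CONF = """
server {
    listen 443 ssl default_server;
    server_name admin.example.test;
    ssl_verify_client on;
}
server {
    listen 443 ssl;
    server_name public.example.test;
}
"""

def parse_servers(conf):
    """Simplified nginx parser: one {directive: value} dict per server block."""
    servers = []
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, end = 0, m.end() - 1
        for end in range(m.end() - 1, len(conf)):  # walk to the matching brace
            depth += (conf[end] == "{") - (conf[end] == "}")
            if depth == 0:
                break
        block = {}
        for stmt in conf[m.end():end].split(";"):
            if parts := stmt.split():
                block[parts[0]] = " ".join(parts[1:])
        servers.append(block)
    return servers

def resumption_enabled(block):
    # nginx defaults: ssl_session_tickets is on, ssl_session_cache is none
    return (block.get("ssl_session_tickets", "on") != "off"
            or block.get("ssl_session_cache", "none") not in ("none", "off"))

def find_risky_sockets(conf):
    """Yield (listen address, server_name) for each shared socket whose default
    server verifies client certs but still allows resumption (CVE-2025-23419)."""
    by_socket = defaultdict(list)
    for block in parse_servers(conf):
        listen = block.get("listen", "").split()
        by_socket[listen[0] if listen else ""].append(block)
    for addr, blocks in by_socket.items():
        # nginx treats the first block as default when none is marked default_server
        default = next((b for b in blocks if "default_server" in b.get("listen", "")), blocks[0])
        if (len(blocks) > 1 and default.get("ssl_verify_client", "off") != "off"
                and resumption_enabled(default)):
            yield addr, default.get("server_name", "")
```

A finding means the socket should be moved to a fixed nginx release; until then, setting `ssl_session_tickets off;` and `ssl_session_cache off;` in the client-certificate server makes the script report it as clean.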

API Security

  1. Better Auth URL parameter HTML Injection: The better-auth /api/auth/error page was found to be vulnerable to HTML injection, leading to a reflected cross-site scripting (XSS) vulnerability. An attacker could exploit this vulnerability by coercing a user to visit a specially-crafted URL, potentially executing arbitrary JavaScript in the user's browser. Source: Vulners
  2. MobSF Local Privilege Escalation: A zero-day vulnerability was discovered in Mobile Security Framework (MobSF) where any registered user can get an API Token with all privileges, leading to potential information disclosure. The vulnerability lies in the code output component and can be exploited by an authorized user. Source: Vulners
  3. Cisco ISE API Vulnerabilities: Two vulnerabilities were discovered in an API of Cisco ISE. The first allows an authenticated, remote attacker with valid read-only credentials to obtain sensitive information, change node configurations, and restart the node due to a lack of authorization in a specific API and improper validation of user-supplied data. The second vulnerability allows an authenticated, remote attacker to execute arbitrary commands as the root user on an affected device due to insecure deserialization of user-supplied Java byte streams. Source: Vulners and Vulners
  4. Really Simple Security Plugin Authentication Bypass: A critical authentication bypass vulnerability was discovered in the Really Simple Security plugin for WordPress. This vulnerability allows unauthenticated attackers to log in as any user by exploiting a flaw in the Two-Factor Authentication (2FA) API. Source: Vulners
  5. GitLab EE Issue Disclosure: An issue was discovered in GitLab EE affecting all versions starting from 15.2. It was possible to disclose updates to issues to a banned group member using the API. Source: Vulners

Sponsored by Wallarm API Security Solution

Final Words

As we wrap up today's edition of Secret CISO, we're reminded of the importance of robust cybersecurity measures in every sector. From biomedical labs to financial corporations, educational institutions, and food delivery services, no entity is immune to data breaches. The stories we shared today serve as a stark reminder that cybersecurity is not a one-time effort but a continuous process of vigilance, adaptation, and improvement.

We hope these insights help you in strengthening your organization's cybersecurity posture.

Remember, cybersecurity is a shared responsibility. If you found today's newsletter informative, we encourage you to share it with your friends, colleagues, and professional network. Let's work together to create a safer digital world. Stay safe and secure until our next edition of Secret CISO.

By Secret CISO