Secret CISO 2/7: PowerSchool's Massive Data Breach, DOGE's Potential Security Threat, Travelers' $6M Settlement, and Latest Security Research Insights

Welcome to today's issue of Secret CISO, your daily dose of the most impactful cybersecurity news. Today we're diving into the PowerSchool breach, which has exposed the data of millions of North Carolina families and is now under investigation by the state attorney general's office. In other news, concerns are rising over the potential for a massive data breach if personal financial information held by the U.S. Treasury falls into the wrong hands. We'll also look at how to check whether your social media accounts appear in a breach, and why monitoring leak databases matters.

Meanwhile, the PowerSchool data breach continues to unfold, affecting thousands in Massachusetts and prompting an investigation by the North Carolina Attorney General. In legal news, Travelers' $6M data breach settlement has received final approval, while a data breach at the Business Registration Service has been addressed. In the world of research, we'll explore links between DeepSeek's chatbot and a Chinese telecom banned from doing business in the US, and delve into emerging topics in hardware security.

Finally, we'll round up the latest data breaches, including those at Albany Gastroenterology Consultants, Bankers Cooperative Group, and Grubhub. Stay tuned for all this and more in today's Secret CISO newsletter.

Data Breaches

  1. Major Data Breach at PowerSchool: The breach of the PowerSchool student information system has exposed the personal data of millions of North Carolina families, and the state attorney general's office is investigating. The exposed data includes Social Security numbers and medical records. Source: ABC11, NBC Boston, WBTV
  2. DOGE Access to Sensitive Personal Information: Concerns have been raised that an unauthorized or careless person gaining access to the personal financial information held by the U.S. Treasury could cause a significant data breach. Source: Morningstar, NY Attorney General
  3. Albany Gastroenterology Consultants Data Breach: Albany Gastroenterology Consultants is under investigation following a data breach that has raised concerns over the security of patients' sensitive personal information. Source: KXAN
  4. Data Breach at Bankers Cooperative Group: Bankers Cooperative Group has reported a data breach affecting employees of 21 client companies. The incident was reported to the U.S. Department of Health and Human Services in January 2025. Source: JDSupra
  5. Grubhub Customer Data Exposed: A breach at Grubhub, traced to a compromised account belonging to a third-party support provider, exposed customer data. The company says it has hardened credential security and rotated all relevant passwords. Source: ZDNET, The Register

Security Research

  1. Google's slow Chrome Extension reforms anger developers: Security researcher Wladimir Palant has shown that some Chrome extensions still circumvent Manifest V3's ban on remotely hosted code by fetching and executing logic from their own servers, so MV3 does not fully close the gap it was meant to close. Source: The Register
  2. Hackers Exploiting SimpleHelp RMM Flaws for Persistent Access and Ransomware: Security researchers Ryan Slaney and Daniel Albrecht report that attackers are exploiting recently disclosed vulnerabilities in SimpleHelp RMM to gain persistent access to victim networks and stage ransomware attacks. Source: The Hacker News
  3. Researchers link DeepSeek's chatbot to Chinese telecom banned from doing business in US: Security researchers have linked DeepSeek's chatbot to a Chinese state-owned telecommunications company that is barred from operating in the United States. Source: The Washington Times
  4. Emerging Topics in Hardware Security: Dr. Zain Ul Abideen of Carnegie Mellon University presented on emerging topics in hardware security, including chiplet security, logic obfuscation, hardware security primitives, and post-quantum cryptography. Source: UMassD
  5. Is DOGE a cybersecurity threat?: A security expert uses DOGE as a case study of the dangers of bypassing the protocols and regulations that protect government computer systems. Source: The Conversation

Top CVEs

  1. CVE-2024-37358: Apache James is susceptible to denial of service through misuse of IMAP literals by both authenticated and unauthenticated users, leading to unbounded memory allocation and lengthy computations. Versions 3.7.6 and 3.8.2 restrict such misuse of IMAP literals; upgrade to one of them. Source: CVE-2024-37358
  2. CVE-2025-22866: In Go's P-256 implementation, a small number of bits of secret scalars are leaked on the ppc64le architecture because the assembly implementation of an internal function uses a variable-time instruction. The leakage is not believed to be sufficient to recover the private key when P-256 is used in any well-known method. Source: CVE-2025-22866
  3. CVE-2025-24786: WhoDB, an open-source database management tool, has no path traversal prevention in place, allowing an unauthenticated attacker to open any SQLite database present on the host machine. This issue has been addressed in version 0.45.0. Source: CVE-2025-24786
  4. CVE-2025-21253: A spoofing vulnerability has been identified in Microsoft Edge for iOS and Android. Specific details about the vulnerability have not been published. Source: CVE-2025-21253
  5. CVE-2023-5878: Honeywell OneWireless Wireless Device Manager contains a command injection vulnerability in the firmware update process that an authenticated attacker could exploit to inject commands. Honeywell recommends updating to the most recent version. Source: CVE-2023-5878
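The Apache James entry above describes an IMAP literal DoS: a client announces a literal of N bytes ("{N}") and the server allocates or computes for N without bounding it. The block below is an added illustration, not Apache James code (James is written in Java; Go is used here for consistency with the other example on this page). It parses the literal prefix from a command line and enforces a size cap before anything is allocated. The limits (64 MiB once authenticated, 4 KiB before login) and the tighter pre-authentication cap are assumptions for the example, not James's actual values.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Assumed limits for the example; a real server would make these configurable.
const (
	maxLiteralAuthenticated   uint64 = 64 << 20 // 64 MiB after LOGIN/AUTHENTICATE
	maxLiteralUnauthenticated uint64 = 4 << 10  // 4 KiB for pre-auth commands
)

var (
	errBadLiteral      = errors.New("malformed IMAP literal")
	errLiteralTooLarge = errors.New("IMAP literal exceeds configured maximum")
)

// parseLiteralSize extracts the byte count from a literal prefix such as
// "{4096}" or the non-synchronizing form "{4096+}" at the end of a command
// line. It returns found=false when the line carries no literal at all.
func parseLiteralSize(line string) (size uint64, found bool, err error) {
	line = strings.TrimRight(line, "\r\n")
	if !strings.HasSuffix(line, "}") {
		return 0, false, nil
	}
	open := strings.LastIndexByte(line, '{')
	if open < 0 {
		return 0, false, errBadLiteral
	}
	body := strings.TrimSuffix(line[open+1:len(line)-1], "+")
	if body == "" {
		return 0, false, errBadLiteral
	}
	n, err := strconv.ParseUint(body, 10, 64)
	if err != nil {
		// A count that does not even fit in 64 bits is "too large", not malformed.
		if errors.Is(err, strconv.ErrRange) {
			return 0, true, errLiteralTooLarge
		}
		return 0, false, errBadLiteral
	}
	return n, true, nil
}

// checkLiteral applies the size policy before the server reads or allocates
// for the literal body. Unauthenticated sessions get the smaller cap.
func checkLiteral(line string, authenticated bool) (uint64, bool, error) {
	n, found, err := parseLiteralSize(line)
	if err != nil || !found {
		return n, found, err
	}
	limit := maxLiteralUnauthenticated
	if authenticated {
		limit = maxLiteralAuthenticated
	}
	if n > limit {
		return n, true, fmt.Errorf("%w: %d > %d", errLiteralTooLarge, n, limit)
	}
	return n, true, nil
}

func main() {
	// Constructed sample command lines, not captured traffic.
	samples := []struct {
		line string
		auth bool
	}{
		{"A001 APPEND INBOX {1024}\r\n", true},
		{"A002 APPEND INBOX {99999999999999999999999}\r\n", true},
		{"A003 LOGIN {8192}\r\n", false},
		{"A004 LOGIN {100+}\r\n", false},
		{"A005 NOOP\r\n", true},
	}
	for _, s := range samples {
		n, found, err := checkLiteral(s.line, s.auth)
		fmt.Printf("%-45q auth=%-5v literal=%-5v size=%d err=%v\n",
			strings.TrimRight(s.line, "\r\n"), s.auth, found, n, err)
	}
}
```

The check has to happen on the announced size, before the server sends the "+ Ready" continuation or reserves a buffer; rejecting the literal after allocation defeats the purpose.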

API Security

  1. Nextend Social Login Pro Plugin Authentication Bypass: The Nextend Social Login Pro plugin for WordPress, in versions up to and including 3.1.16, is vulnerable to authentication bypass due to insufficient verification of the user-supplied identity during the Apple OAuth authenticate request. Unauthenticated attackers can log in as any existing user on the site. Source: CVE-2025-1061
  2. Mindskip xzs-mysql 学之思开源考试系统 3.9.0 Cross Site Scripting: A cross-site scripting vulnerability has been found in Mindskip xzs-mysql 学之思开源考试系统 3.9.0, affecting the /api/admin/question/edit endpoint of the Exam Edit Handler component. An exploit has been publicly disclosed. Source: CVE-2025-1082
  3. GoldPanKit eva-server v4.1.0 Path Parameter Vulnerability: A vulnerability in GoldPanKit eva-server v4.1.0 affects the path parameter of the /api/resource/local/download endpoint; manipulating this parameter allows arbitrary file download from the server. Source: CVE-2024-54909
  4. WhoDB Path Traversal Opening Sqlite3 Database: WhoDB has a path traversal vulnerability (the GitHub advisory for CVE-2025-24786, listed above) that allows an unauthenticated attacker to open any SQLite database present on the host machine the application is running on. Source: GHSA-9R4C-JWX3-3J76
  5. 2N OS Device API Token Disclosure: Through the API of a 2N OS device, an authorized user can enable logging that writes valid authentication tokens into the system logs, disclosing them to anyone who can read those logs. Source: CVE-2024-13416
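The WhoDB and eva-server entries above share one root cause: a user-supplied path is joined onto a server-side directory with no check that the result stays inside it. The block below is an added example, not code from either project (WhoDB is written in Go, which is why Go is used here). It shows the vulnerable join beside a containment check; the base directory /srv/whodb/data and the sample inputs are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var errOutsideBase = errors.New("path escapes the allowed directory")

// vulnerableResolve mirrors the pattern behind the findings above: the
// user-supplied path is joined onto the base directory with no containment
// check. filepath.Join cleans ".." segments, so "../../../etc/passwd" walks
// out of base and the caller happily opens whatever lies there.
func vulnerableResolve(base, userPath string) string {
	return filepath.Join(base, userPath)
}

// safeResolve confines the result to base. It rejects absolute input, joins
// and cleans the path, then verifies that the path relative to base does not
// begin with "..". Any escape attempt, however it is encoded with "..", ends
// up as a leading ".." after cleaning and is refused.
func safeResolve(base, userPath string) (string, error) {
	base = filepath.Clean(base)
	if filepath.IsAbs(userPath) {
		// Join would bury an absolute path under base, but a download/open
		// endpoint should only ever take relative names; fail closed instead.
		return "", errOutsideBase
	}
	full := filepath.Join(base, userPath)
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errOutsideBase
	}
	return full, nil
}

func main() {
	base := "/srv/whodb/data" // assumed directory the service may read from
	// Constructed inputs: one legitimate name, two traversal attempts, one absolute path.
	for _, p := range []string{"reports/q1.sqlite", "../../../etc/passwd", "reports/../../secret.db", "/etc/passwd"} {
		fmt.Printf("input %-26q unsafe -> %s\n", p, vulnerableResolve(base, p))
		if safe, err := safeResolve(base, p); err != nil {
			fmt.Printf("input %-26q safe   -> rejected (%v)\n", p, err)
		} else {
			fmt.Printf("input %-26q safe   -> %s\n", p, safe)
		}
	}
}
```

This is a lexical check only: a symlink inside the base directory that points outside it would still be followed. Where the base directory is writable by anyone other than the service, resolve the candidate with filepath.EvalSymlinks and run the same relative-path check on the result before opening it.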

Sponsored by Wallarm API Security Solution

Final Words

And that's it for today's edition of Secret CISO. We hope you found this information valuable. Remember, staying informed is the first step in ensuring your organization's security. Don't forget to share this newsletter with your colleagues and friends to help them stay secure too. In the world of cybersecurity, knowledge is power. But remember, it's not just about knowing what's happening, it's about understanding how it impacts you and what you can do about it. So, keep reading, keep learning, and keep fighting the good fight against cyber threats.

Stay safe and see you tomorrow for more updates from the world of cybersecurity.

P.S. If you have any feedback or topics you'd like us to cover, feel free to let us know. We're here to provide you with valuable and relevant content.

By Secret CISO