Secret CISO 3/20: Baidu denies data breach, Pennsylvania State Education Association reports massive breach, Investigations into breaches at California Cryobank and Erickson Companies, Stalkerware SpyX hit by data breach

Welcome to today's issue of Secret CISO, where we delve into the latest cybersecurity news and updates. Today, we're focusing on a series of data breaches that have impacted organizations across the globe.

Firstly, Chinese search giant Baidu has denied allegations of a data breach after a top executive's teenage daughter posted personal information online. Meanwhile, the Pennsylvania State Education Association has reported a data breach impacting over 500,000 people. Investigations are underway to determine the extent of the breach and the potential harm to affected individuals.

In other news, law firm Lowey Dannenberg is investigating potential claims regarding a data breach at a California-based company. The breach could have exposed sensitive customer information, including Social Security numbers and banking details. On a similar note, a health firm has been accused of sending a data breach reporting site a bogus takedown demand in an attempt to make reporting on its own data breach disappear. This raises serious questions about the transparency and accountability of organizations in the face of cybersecurity incidents. In the world of academia, a data breach at the Pennsylvania State Education Association has affected over 517,000 individuals. The breach was announced after the association filed a notice with the Attorney General of Maine.

Lastly, a data breach at stalkerware SpyX has affected close to 2 million users, including thousands of Apple users. The breach reveals the inherent risks associated with consumer-grade spyware operations. Stay tuned for more updates and remember, in the world of cybersecurity, staying informed is your first line of defense.

Data Breaches

  1. Baidu Data Breach: Chinese search giant Baidu denied allegations of an internal data breach after a top executive's teenage daughter posted sensitive information online. The extent of the breach and the number of affected individuals are yet to be determined. Source: Yahoo Finance
  2. Pennsylvania State Education Association Data Breach: Over 500,000 people were impacted by a data breach at the Pennsylvania State Education Association. The breach exposed sensitive personal and financial information of the members. Source: NBC10 Philadelphia
  3. Erickson Companies Data Breach: Erickson Companies detected unusual activity on its internal network and is currently investigating a potential data breach. The extent of the breach and the number of affected individuals are yet to be determined. Source: GlobeNewswire
  4. SpyX Data Breach: A consumer-grade spyware operation called SpyX was hit by a data breach last year, affecting close to 2 million users, including thousands of Apple users. The breach exposed sensitive personal and financial information of the users. Source: TechCrunch
  5. Hand & Plastic Surgery Centre Data Breach: Hand & Plastic Surgery Centre suffered a data breach, exposing sensitive personal and health information of its patients. The extent of the breach and the number of affected individuals are yet to be determined. Source: ClassAction.org

Security Research

  1. Stalkerware Apps Security Risks: Security researchers have discovered a bug in stalkerware apps that allowed unauthorized access to user data. The bug has led to several significant stalkerware hacks, emphasizing the need for users to avoid such apps. Source: TechCrunch
  2. ChatGPT Security Concerns: Security researcher Botacin has raised concerns about the potential misuse of LLMs' capabilities by attackers to write massive amounts of malware. This highlights the need for robust security measures in AI and machine learning technologies. Source: EurekAlert!
  3. DollyWay Malware Campaign: GoDaddy researcher Denis Sinegubko has reported that the DollyWay malware campaign has breached over 20,000 WordPress sites. This underscores the importance of maintaining up-to-date security measures on all websites. Source: Bleeping Computer
  4. GitHub Massive Attack: A massive attack on GitHub has affected over 23,000 repositories, according to Alex Ilgayev, Head of Security Research at Cycode. This incident highlights the need for robust security measures in code repositories. Source: SecurityBrief Australia
  5. Apple's Passwords App Security Flaw: Security researchers at Mysk have discovered a bug in Apple's Passwords app that remained unfixed for several months. This incident underscores the need for timely response to identified security flaws. Source: CNET

Top CVEs

  1. CVE-2025-29783 - vLLM Remote Code Execution: vLLM, a high-throughput and memory-efficient inference and serving engine for LLMs, has a remote code execution vulnerability when configured to use Mooncake. Attackers can execute remote code on distributed hosts via unsafe deserialization exposed over ZMQ/TCP on all network interfaces. The vulnerability is fixed in the latest version. Source: CVE-2025-29783
  2. CVE-2025-27787 - Applio Denial of Service: Applio, a voice conversion tool, is vulnerable to denial of service (DoS) in versions 3.2.8-bugfix and prior. Attackers can kill important processes, leading to DoS. The vulnerability also enables path traversal. No known patches are available at the time of publication. Source: CVE-2025-27787
  3. CVE-2025-2512 - File Away Plugin for WordPress: The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the upload() function in all versions up to, and including, 3.9.9.0.1. This allows unauthenticated attackers to upload arbitrary files which may lead to remote code execution. Source: CVE-2025-2512
  4. CVE-2025-27784 - Applio Arbitrary File Read: Applio, a voice conversion tool, is vulnerable to arbitrary file read in versions 3.2.8-bugfix and prior. This issue may lead to reading arbitrary files on the Applio server. It can also be used in conjunction with blind server-side request forgery to read files from servers on the internal network that the Applio server has access to. No known patches are available at the time of publication. Source: CVE-2025-27784
  5. CVE-2025-27786 - Applio Arbitrary File Removal: Applio, a voice conversion tool, is vulnerable to arbitrary file removal in versions 3.2.8-bugfix and prior, allowing an attacker to delete arbitrary files on the Applio server. No known patches are available at the time of publication. Source: CVE-2025-27786

API Security

  1. XWiki Platform REST API Vulnerability: XWiki Platform, a generic wiki platform, had a vulnerability in its REST API that allowed users to access private information. This was possible when a subwiki used the "Prevent unregistered users to view pages" feature. The vulnerability only affected subwikis and specific right options. The issue has been patched in XWiki 15.10.14, 16.4.6, and 16.10.0-rc-1. Source: CVE-2025-29924
  2. XWiki Platform WikiManager REST API Exploit: Another vulnerability in XWiki Platform allowed any user to exploit the WikiManager REST API to create a new wiki, where they could become an administrator and perform other attacks on the farm. This REST API is not bundled in XWiki Standard by default and needs to be installed manually. The issue has been patched in versions 15.10.15, 16.4.6, and 16.10.0. Source: CVE-2025-29926
  3. Sylius PayPal Plugin Order Manipulation Vulnerability: A vulnerability in the Sylius PayPal Plugin allowed users to modify their shopping cart after completing the PayPal Checkout process and payment authorization. This could lead to merchants delivering products or services without full payment. The issue has been fixed in versions 1.6.2, 1.7.2, 2.0.2, and above. Source: GHSA-HXG4-65P5-9W37
  4. Jenkins Zoho QEngine Plugin API Key Exposure: Jenkins Zoho QEngine Plugin 1.0.29.vfa_cc23396502 and earlier did not mask the QEngine API Key form field, increasing the potential for attackers to observe and capture the key. Source: CVE-2025-30197
  5. Fast-JWT iss Claim Validation Vulnerability: The fast-jwt library did not properly validate the iss (issuer) claim based on RFC 7519. This design flaw enabled a potential attack where a malicious actor could craft a JWT with an iss claim structured as ['https://attacker-domain/', 'https://valid-iss']. The JWT would be deemed valid due to the permissive validation. Source: GHSA-GM45-Q3V2-6CF8

Sponsored by Wallarm API Security Solution

Final Words

That's it for today's edition of the Secret CISO newsletter. As always, we've covered a lot of ground, from Baidu's denial of a data breach to the investigation into potential claims regarding a data breach at California Cryobank.

Remember, staying informed is the first step in protecting your systems and data. Share this newsletter with your colleagues and friends to help them stay in the loop too.

Stay safe, stay secure, and see you next time!

By Secret CISO