Secret CISO 3/21: Philadelphia Inquirer, JFK files, Avast, Musk's team face data breaches; Researchers investigate security flaws in VSCode extensions, Georgetown researcher detained by ICE
Welcome to today's issue of the Secret CISO newsletter, where we bring you the latest in cybersecurity news. Today, we're focusing on a series of data breaches and security vulnerabilities that have been making headlines. First up, the Philadelphia Inquirer has received approval for a data breach class deal, marking a significant development in data breach litigation. Meanwhile, personal information and social security numbers of over 400 former congressional staffers have been exposed in the JFK files, highlighting the need for robust data protection measures.

In other news, Watsonville hospital workers have reported identity theft linked to a data breach, and Avast has settled a data privacy case with the FTC for $16.5M. A federal judge has also blocked Elon Musk's team from accessing millions of Americans' data, citing privacy breach concerns. In the world of investigations, the law firm Federman & Sherwood is looking into data breaches at Ray Catena Motor Car Corp., Heart to Heart Hospice Holdings, and Dove Healthcare. Globe Life is also facing a class action lawsuit over a 2024 data breach. In the realm of research, a significant data breach at spyware firm SpyX has reportedly affected nearly two million individuals, including thousands of Apple users. And in the world of academia, a Georgetown University researcher has been detained by ICE, raising concerns about the security of academic research.

Finally, we'll be looking at some recent vulnerabilities, including a WhatsApp flaw that was used to deliver spyware and a flaw in the iOS 18.2 Passwords app that left users vulnerable to phishing attacks. We'll also be discussing the rising threat of ClickFix attacks and the challenges they pose to enterprise security. Stay tuned for more updates and insights in the world of cybersecurity. Stay safe and secure!

Data Breaches

  1. Philadelphia Inquirer Data Breach Class Deal: A Pennsylvania federal judge has approved a class action settlement related to a data breach at the Philadelphia Inquirer. The details of the settlement and the number of affected individuals have not been disclosed. Source: Law360
  2. Personal Information Exposed in JFK Files: More than 400 former congressional staffers and others connected to decades-old investigations had their personal information and Social Security numbers exposed in the JFK files. The extent of the breach and the potential impact are still under investigation. Source: The Washington Post
  3. Watsonville Hospital Workers Report Identity Theft Linked to Data Breach: Workers at Watsonville hospital have reported instances of identity theft, which they believe are linked to a data breach. The extent of the breach and the number of affected individuals are yet to be determined. Source: YouTube
  4. $16.5M Avast Data Privacy FTC Settlement: Avast has settled a data privacy lawsuit with the FTC for $16.5 million. The details of the settlement and the number of affected individuals have not been disclosed. Source: Class Action Lawsuits
  5. Judge Stops Musk's Team from Accessing Millions of Americans' Data: A federal judge has blocked tech billionaire Elon Musk's aides from accessing Social Security Administration data, citing privacy breach concerns. The extent of the potential breach and the number of affected individuals are yet to be determined. Source: Reuters

Security Research

  1. VSCode Extensions Downloading Early-Stage Ransomware: Security researchers have discovered Visual Studio Code extensions that were downloading early-stage ransomware. The malicious extensions were caught by automated scanners before they could cause significant harm. Source: Bleeping Computer
  2. ClickFix Attacks Outpacing Enterprise Security: Security researcher Dakshitaa Babu from SquareX has highlighted the growing threat of ClickFix attacks, which are currently outpacing enterprise security measures. The research emphasizes the need for more robust security solutions to counter such threats. Source: IT Brief New Zealand
  3. Security Researcher Comments on HIPAA Security Rule: A security researcher has commented on the need for good faith security researchers to be protected and for entities to improve their cybersecurity hygiene. The comments were made in the context of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Source: DataBreaches.Net
  4. Arctic Security Researcher Strives for Real-World Relevance: Dr. Troy Bouffard, an Arctic Security Researcher at the University of Alaska, is striving to make his work more relevant to real-world scenarios. His research focuses on the security implications of Arctic geopolitics. Source: High North News
  5. Rising Malicious TDS Traffic: Cybercriminals are increasingly using filtering capabilities that detect antimalware software and sandboxes in order to evade security researchers. The rise in malicious Traffic Distribution System (TDS) traffic is becoming a significant concern for cybersecurity professionals. Source: Dark Reading

Top CVEs

  1. CVE-2024-4990 - Yii2 Component Class Vulnerability: Yii2 version 2.0.48 has a vulnerability where the __set() magic method does not validate the value passed as a valid Behavior class name or configuration. This allows an attacker to instantiate arbitrary classes, potentially leading to execution of arbitrary code or retrieval of sensitive information. Source: CVE-2024-4990
  2. CVE-2025-23120 - Remote Code Execution Vulnerability: A vulnerability allowing remote code execution (RCE) for domain has been identified. The details of the vulnerability are not specified in the source. Source: CVE-2025-23120
  3. CVE-2025-2505 - Age Gate Plugin for WordPress Vulnerability: The Age Gate plugin for WordPress is vulnerable to Local PHP File Inclusion in all versions up to, and including, 3.5.3 via the 'lang' parameter. This allows unauthenticated attackers to include and execute arbitrary PHP files on the server, potentially leading to unauthorized access or data breach. Source: CVE-2025-2505
  4. CVE-2024-11044 - Open Redirect Vulnerability in Stable-Diffusion-WebUI: Stable-Diffusion-WebUI version 1.10.0 has an open redirect vulnerability that allows a remote unauthenticated attacker to redirect users to arbitrary websites via a specially crafted URL. This can be exploited for phishing attacks, malware distribution, and credential theft. Source: CVE-2024-11044
  5. CVE-2024-6842 - Unauthorized Access in Mintplex-Labs/Anything-LLM: In version 1.5.5 of mintplex-labs/anything-llm, the /setup-complete API endpoint allows unauthorized users to access sensitive system settings. This can be exploited by attackers to steal API keys and cause loss of user data. Source: CVE-2024-6842

API Security

  1. Audi UTR Dashcam 2.0 API Security Vulnerability: A critical vulnerability was found in Audi UTR Dashcam 2.0, affecting an unknown functionality of the Command API. This issue leads to improper access controls and can be exploited from within the local network. Upgrading to version 2.89 or 2.90 addresses this issue. Source: CVE-2025-2557
  2. kcp APIExport Virtual Workspace Security Issue: The APIExport Virtual Workspace in kcp can be used to manage objects in workspaces, allowing unauthorized creation or deletion of an object. This vulnerability can be exploited even if there is no APIBinding in that workspace. The issue has been fixed in kcp 0.26.3 and 0.27.0. Source: GHSA-W2RR-38WV-8RRP
  3. HCL Digital Experience API Security Vulnerability: HCL Digital Experience components Ring API and dxclient may be vulnerable to man-in-the-middle (MitM) attacks prior to 9.5 CF226. This vulnerability allows an attacker to intercept and potentially alter communication between two parties. Source: CVE-2025-0254
  4. LiteLLM Langfuse API Keys Leakage: In berriai/litellm version v1.52.1, an issue in proxy_server.py causes the leakage of Langfuse API keys when an error occurs while parsing team settings. This vulnerability exposes sensitive information, including langfuse_secret and langfuse_public_key, which can provide full access to the Langfuse project. Source: GHSA-879V-FGGM-VXW2
  5. AgentScope CORS Vulnerability: A Cross-Origin Resource Sharing (CORS) vulnerability exists in modelscope/agentscope version v0.0.4. The CORS configuration on the agentscope server does not properly restrict access to only trusted origins, allowing any external domain to make requests to the API. This can lead to unauthorized data access, information disclosure, and potential further exploitation. Source: GHSA-75V5-6885-59F9

Sponsored by Wallarm API Security Solution

Final Words

That's it for today's edition of the Secret CISO newsletter. We've covered a lot of ground, from data breaches to security investigations and lawsuits. It's clear that the cybersecurity landscape is ever-evolving, and staying informed is the first step to staying secure. Remember, security isn't just the responsibility of your IT department. It's a team effort. So, share this newsletter with your colleagues to keep them in the loop.

Stay safe, stay secure, and see you next time! P.S. If you have any questions or topics you'd like us to cover, feel free to drop us a line. We're here to help!

By Secret CISO