Good morning, Secret CISO readers! Today's newsletter is packed with critical updates on the ever-evolving cybersecurity landscape.

Firstly, a recent report reveals that 53% of security teams lack continuous and up-to-date visibility into their own data, exacerbating security risks as AI adoption increases. This lack of visibility is a ticking time bomb for enterprises, and we'll delve into the implications of this in today's issue. In legal news, a whopping $9.95 million data breach settlement could see Americans pocketing up to $12.5k each. We'll explore the details of this settlement and what it means for data breach accountability.

On the global front, UAT-5918 is targeting Taiwan's critical infrastructure using web shells and open-source tools. We'll break down the attack chains and discuss the potential fallout. In healthcare, College Hospital Costa Mesa has discovered more patient information exposed in a 2024 data breach, and Watsonville Community Hospital is yet to notify all those affected by a November data breach. We'll examine these incidents and their implications for patient data security.

Meanwhile, the New York Attorney General has secured a $975K settlement from Root Insurance over a data breach, bringing the total collected from auto insurance companies for data security failures to $6.57 million.

Finally, we'll look at why cyber quality is key to security, and share recommendations for a comprehensive federal data protection law. Stay tuned for these stories and more in today's Secret CISO newsletter. Stay safe and informed!

Data Breaches

1. Enterprises lack visibility into their own data: A recent report reveals that 53% of security teams lack continuous and up-to-date visibility into their own data, leading to increased security risks. This issue is becoming more critical as organizations increase AI adoption. Source: Help Net Security
2. UAT-5918 Targets Taiwan's Critical Infrastructure: The hacker group UAT-5918 is exploiting N-day security flaws in unpatched web and application servers to gain initial access to Taiwan's critical infrastructure. The group uses web shells and open-source tools to orchestrate attack chains. Source: The Hacker News
3. College Hospital Costa Mesa Data Breach: More patient information was exposed in a 2024 data breach at College Hospital Costa Mesa than initially reported. The hospital has contracted with a Chicago-based data breach law firm to investigate the incident. Source: LA Times
4. Root Insurance Data Breach Settlement: The New York Attorney General has secured a $975K settlement from Root Insurance over a data breach. This enforcement brings the total collected from auto insurance companies for data security failures to $6.57 million. Source: Finger Lakes 1
5. Oracle Denies Data Breach: Oracle denies a data breach after a threat actor claimed to be selling 6 million data records allegedly stolen from the company's Oracle Cloud. The company is currently investigating the claim. Source: Bleeping Computer

Security Research

1. Defense Research Cut in Final FY25 Budget - AIP.ORG: The final FY25 budget has seen a cut in Defense Security Research, impacting S&T programs at DOD. The legislation specifies total amounts for RDT&E across the Army, Navy, Air Force. Source: AIP.ORG
2. Old ServiceNow vulnerabilities could cause havoc for unpatched customers - ITPro: Security research at AppOmni has highlighted that old vulnerabilities in ServiceNow could cause significant issues for customers who have not patched their systems. Source: ITPro
3. Thorchain watched Lazarus launder $900m in stolen crypto. That's a big problem for DeFi: Security researcher at MetaMask has shed light on how Thorchain observed Lazarus laundering $900m in stolen crypto, posing a significant problem for DeFi. Source: DLNews
4. US denies French researcher was refused entry for his political views | The Straits Times: The US Department of Homeland Security has denied that a French researcher was refused entry due to his political views, stating that he was carrying confidential information. Source: The Straits Times
5. Cisco smart licensing system sees critical security flaws exploited - TechRadar: Security researchers have found that two critical flaws in Cisco's Smart Licensing Utility are being exploited in the wild, one of which is a hardcoded admin account. Source: TechRadar

Top CVEs

1. CVE-2021-25635 - LibreOffice Improper Certificate Validation: LibreOffice versions 7.0 before 7.0.5 and 7.1 before 7.1.2 have an Improper Certificate Validation vulnerability. An attacker could self-sign an ODF document, modify it to change the signature algorithm to an invalid one, and LibreOffice would incorrectly present it as a valid signature issued by a trusted person. Source: CVE-2021-25635
2. CVE-2019-16151 - FortiOS Improper Neutralization of Input: FortiOS versions 6.4.1 and below, 6.2.9 and below have a vulnerability that may allow a remote unauthenticated attacker to redirect users to malicious websites or execute JavaScript code in the victim's browser context. This happens when the FortiGate has web filtering and category override enabled. Source: CVE-2019-16151
3. CVE-2025-29927 - Next.js Authorization Bypass: Next.js, a React framework for building full-stack web applications, versions prior to 14.2.25 and 15.2.3, have a vulnerability that allows bypassing authorization checks within a Next.js application if the authorization check occurs in middleware. Source: CVE-2025-29927
4. CVE-2025-25068 - Mattermost MFA Bypass: Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, allowing authenticated attackers to bypass MFA protections via API requests to plugin-specific endpoints. Source: CVE-2025-25068
5. CVE-2025-24915 - Nessus Agent Privilege Escalation: Nessus Agent versions prior to 10.8.3, when installed to a non-default location on a Windows host, did not enforce secure permissions for sub-directories. This could allow for local privilege escalation if users had not secured the directories in the non-default installation location. Source: CVE-2025-24915

API Security

1. TeamPass 3.0.0.21 - SQL Injection: TeamPass 3.0.0.21 has been identified with a SQL Injection vulnerability. This vulnerability allows attackers to execute arbitrary SQL commands via unspecified vectors. Users are advised to update to the latest version to mitigate the risk. Source: vulners.com
2. CVE-2025-30204 - golang-jwt: A vulnerability in the Go implementation of JSON Web Tokens allows for potential denial of service attacks. The issue arises from the function parse.ParseUnverified splitting its argument on periods, leading to excessive memory allocation. This issue is fixed in versions 5.2.2 and 4.5.2. Source: vulners.com
3. InvokeAI Deserialization of Untrusted Data vulnerability: InvokeAI versions 5.3.1 through 5.4.2 are vulnerable to remote code execution via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files using torch.load without proper validation. This issue is fixed in the latest version. Source: vulners.com
4. Envoy crashes when HTTP ext_proc processes local replies: Envoy's ext_proc HTTP filter can crash if a local reply is sent to the external server due to the filter's lifetime issue. This can lead to denial of service. This vulnerability is fixed in versions 1.33.1, 1.32.4, 1.31.6, and 1.30.10. Source: vulners.com
5. CVE-2025-30157 - Envoy: Envoy's ext_proc HTTP filter can crash if a local reply is sent to the external server due to the filter's lifetime issue. This can lead to denial of service. This vulnerability is fixed in versions 1.33.1, 1.32.4, 1.31.6, and 1.30.10. Source: vulners.com

Sponsored by Wallarm API Security Solution

Final Words

As we wrap up today's edition of Secret CISO, we're reminded of the importance of continuous visibility in our security systems. With over half of security teams lacking this crucial aspect, it's clear that we need to step up our game. Data breaches are becoming more common, with enterprises and individuals alike falling victim. From the $9.95 million data breach settlement that could see Americans receiving up to $12.5k, to the College Hospital Costa Mesa discovering more patient info exposed in a 2024 data breach, it's clear that no one is safe. In the face of these threats, it's crucial that we stay vigilant and proactive.

Whether it's through strengthening our security systems, staying updated on the latest threats, or sharing valuable information with our peers, every action counts. So, as we sign off for today, we urge you to share this newsletter with your friends and colleagues.

Let's work together to create a safer digital world. Until next time, stay safe and stay informed. The more we know, the better we can protect ourselves and our organizations.