Secret CISO 3/4: TPA, DISA, and ParkMobile data breaches expose millions, India's Aadhaar security concerns rise, and new research on AI threat prevention and national security

Welcome to today's issue of Secret CISO, your daily dose of the latest in cybersecurity news. Today, we're diving into a series of data breaches that have exposed millions of records and resulted in hefty settlements.

First up, we have a breach at Carruth, a third-party administrator, which has exposed data of participants at community colleges and public schools. Meanwhile, in India, a staggering 87% of citizens fear data breaches, with half of them worried about the security of their Aadhaar data. Employee screening services aren't safe either, with DISA Global Solutions suffering a breach that affects over 3.3 million people. On the legal front, ParkMobile has agreed to a $32.8M payout over a data breach lawsuit, and Globe Life is facing a class action over a 2024 data breach.

In the world of cybercrime, the Qilin ransomware gang is claiming credit for a massive data breach at the newspaper group Lee Enterprises, and a ransomware attack at an Australian IVF provider has exposed sensitive patient data on the dark web. On the tech side, Trend Micro has unveiled an AI model to boost threat prevention and reduce data breach risks, while T-Mobile is set to shell out $350 million to customers in the wake of a massive data breach. In research news, we have insights from security experts on leveraging real-time intelligence for executive security, the role of AI in national security, and the latest in quantum security research.

Finally, we wrap up with a slew of new vulnerabilities and patches, including a critical goroutine leak vulnerability in the Abacus server's Server-Sent Events (SSE) implementation, and multiple vulnerabilities in the VAPIX API of Axis Communication's devices. Stay safe and informed with Secret CISO.

Data Breaches

  1. TPA Breach Exposes Data of Participants at Community Colleges, Public Schools: A data security incident at Carruth has exposed the data of participants at community colleges and public schools. The affected institutions were notified about the breach on January 13. Source: plansponsor.com
  2. 87% Indians fear data breach, 50% worried about Aadhaar security: A recent survey reveals that the percentage of Indian citizens who believe their personal data is in the public domain or leaked has increased from 72% to 87% in the last 36 months. Source: business-standard.com
  3. Employee screening data breach exposes 3.3 million records: DISA Global Solutions, a provider of employee screening services, suffered a data breach affecting more than 3.3 million people. Source: cyberguy.com
  4. ParkMobile App Settlement: Company Agrees To $32.8M Payout Over Data Breach Lawsuit: ParkMobile has reached a settlement of a class action lawsuit concerning a data breach that occurred in March 2021. The company has agreed to a $32.8M payout. Source: blavity.com
  5. Data breach at employee screening co. impacts hundreds of thousands in Mass: A data breach at DISA Global Solutions has exposed the personal data of hundreds of thousands of individuals in Massachusetts. The stolen data includes social security numbers, financial account details, and government-issued identification documents. Source: nbcboston.com

Security Research

  1. New Combat USV Design Breaks Cover at Drone Show in South Korea: Eunhyuk Cha, a researcher in international relations and security studies, covers a new combat unmanned surface vessel (USV) design unveiled at a drone show in South Korea. Source: Naval News
  2. Effort Reporting Video Tutorials | Research Integrity & Security: The University of Nevada, Reno has released video tutorials on research integrity and security. These tutorials are in response to a number of Executive Orders that have implications for federal proposals and awards. Source: University of Nevada, Reno
  3. AI's Role in National Security Hinges on Data Quality: Naval Research Laboratory Research Scientist Raj Dasgupta discusses the importance of data quality in AI's role in national security. The research emphasizes the need for high-quality data for effective security. Source: GovCIO Media & Research
  4. Rensselaer Cybersecurity Collaboratory Researchers Break New Ground in Quantum Security: Researchers from the Rensselaer Cybersecurity Collaboratory are making significant strides in quantum security, a field that is rapidly reshaping the landscape of digital security. Source: Rensselaer Cybersecurity Collaboratory
  5. Attackers Leverage Microsoft Teams and Quick Assist for Access: Security researchers at Trend Micro have uncovered a sophisticated cyber-attack that leverages Microsoft Teams and Quick Assist for access. The attack uses social engineering tactics and widely used remote access tools. Source: Infosecurity Magazine

Top CVEs

  1. Flask-AppBuilder Username Enumeration: Prior to version 4.5.3, Flask-AppBuilder allowed unauthenticated users to enumerate existing usernames by timing the server's response to login requests: a request for an existing account takes measurably longer than one for a nonexistent account. The issue is fixed in version 4.5.3. Source: CVE-2025-24023
  2. GitLab-EE XSS Vulnerability: A Cross-Site Scripting (XSS) vulnerability in GitLab-EE affecting versions from 16.6 prior to 17.9.1 allows an attacker to bypass security controls and execute arbitrary scripts in a user's browser. The issue has been addressed in the latest patch releases. Source: CVE-2025-0555
  3. NotFound Ark Theme Core Code Injection: An Improper Control of Generation of Code vulnerability in NotFound Ark Theme Core allows Code Injection. The issue affects Ark Theme Core versions up to the latest. Source: CVE-2025-26970
  4. GitLab CE/EE XSS Vulnerability: An issue in GitLab CE/EE affecting versions from 15.10 prior to 17.9.1 could allow unintended content rendering, leading to XSS under specific conditions. The issue has been fixed in the latest patch releases. Source: CVE-2025-0475
  5. Grub2 Integer Overflow: A flaw in grub2 allows a maliciously crafted filesystem to trigger an integer overflow during buffer size calculation, resulting in a heap-based out-of-bounds write that could be used to bypass Secure Boot. Source: CVE-2025-0684
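
The mechanism behind a username-enumeration bug of the Flask-AppBuilder kind is easiest to see in code. What follows is an added example written for this newsletter, not Flask-AppBuilder's own code (that project is Python; Go is used here as the single demonstration language for this page). It assumes the usual cause of such a timing gap: the login path skips the expensive password hash when the username does not exist, so an unknown user is rejected in microseconds while a real user costs a full hash. The user table, salts, and the iterated-HMAC stand-in for a real password KDF are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// hashRounds makes slowHash cost milliseconds, the way bcrypt or PBKDF2 does.
const hashRounds = 20000

// slowHash iterates HMAC-SHA256 over the password. It is a constructed
// stand-in for a real password KDF, not a recommendation; the only property
// the example needs is that it is slow compared with a map lookup.
func slowHash(salt, password string) []byte {
	mac := hmac.New(sha256.New, []byte(salt))
	mac.Write([]byte(password))
	sum := mac.Sum(nil)
	for i := 1; i < hashRounds; i++ {
		mac.Reset()
		mac.Write(sum)
		sum = mac.Sum(nil)
	}
	return sum
}

type record struct {
	salt string
	hash []byte
}

// users is a constructed in-memory user table.
var users = map[string]record{
	"alice": {salt: "salt-alice", hash: slowHash("salt-alice", "correct horse")},
}

// dummy is hashed against for unknown usernames so the work done is the same.
var dummy = record{salt: "salt-dummy", hash: slowHash("salt-dummy", "never-matches")}

// LoginLeaky returns as soon as the username is unknown, skipping the hash.
// That fast rejection is the timing side channel that reveals valid usernames.
func LoginLeaky(username, password string) bool {
	u, ok := users[username]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare(slowHash(u.salt, password), u.hash) == 1
}

// LoginFixed hashes against a dummy record when the user is unknown and folds
// the lookup result in only after the comparison, so both paths cost the same.
func LoginFixed(username, password string) bool {
	u, ok := users[username]
	if !ok {
		u = dummy
	}
	match := subtle.ConstantTimeCompare(slowHash(u.salt, password), u.hash) == 1
	return ok && match
}

// MinLatency times n login attempts and returns the fastest; the minimum is
// the statistic an attacker would use because it is least affected by noise.
func MinLatency(login func(string, string) bool, user, password string, n int) time.Duration {
	var best time.Duration = -1
	for i := 0; i < n; i++ {
		start := time.Now()
		login(user, password)
		if d := time.Since(start); best < 0 || d < best {
			best = d
		}
	}
	return best
}

func main() {
	for _, c := range []struct {
		name  string
		login func(string, string) bool
	}{{"leaky", LoginLeaky}, {"fixed", LoginFixed}} {
		known := MinLatency(c.login, "alice", "wrong-password", 5)
		unknown := MinLatency(c.login, "mallory", "wrong-password", 5)
		fmt.Printf("%s: known user %v, unknown user %v\n", c.name, known, unknown)
	}
}
```

Run it with `go run` and the leaky variant answers the unknown user orders of magnitude faster than the known one, while the fixed variant costs the same for both. The same check is a cheap thing to add to a login endpoint's test suite: time a known and an unknown username and fail the build if the ratio is not close to one.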

API Security

  1. VAPIX Device Configuration Framework Flaw (CVE-2025-0360): Truesec discovered a flaw in the VAPIX Device Configuration framework during an annual penetration test for Axis Communications. The flaw could lead to an incorrect user privilege level in the VAPIX service account D-Bus. Source: CVE-2025-0360.
  2. VAPIX API Race Condition Attack (CVE-2024-47262): Dzmitry Lukyanenka found that the VAPIX API param.cgi was vulnerable to a race condition attack, potentially blocking access to the web interface of the Axis device. Axis has released patched AXIS OS versions for the flaw. Source: CVE-2024-47262.
  3. OpenZiti Endpoint Vulnerability (CVE-2025-27500): An endpoint on the OpenZiti admin panel could be accessed without authentication, potentially leading to stored cross-site scripting if a malicious file is uploaded and later rendered in a user's browser. The vulnerability has been fixed. Source: CVE-2025-27500.
  4. Goroutine Leak in Abacus SSE Implementation: A critical goroutine leak vulnerability has been identified in the Abacus server's Server-Sent Events (SSE) implementation. The issue occurs when clients disconnect from the /stream endpoint, leading to resource exhaustion. The vulnerability has been fixed in Abacus v1.4.0. Source: Goroutine Leak in Abacus SSE Implementation.
  5. Ansible AAP-Gateway Flaw (CVE-2025-1801): A flaw in the Ansible aap-gateway could result in concurrency issues due to race-condition requests against the proxy. This potentially allows a less privileged user to obtain the JWT of a more privileged user, jeopardizing the server. Source: CVE-2025-1801.
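
To see why a disconnecting client can leave a goroutine behind, here is an added example written for this newsletter and not taken from Abacus: a minimal SSE /stream handler that starts one producer goroutine per client. The leaky producer never watches the request context, so once the handler has returned its next send on the unbuffered channel blocks forever; the fixed producer selects on ctx.Done() alongside every wait and send. The handler layout, the tick interval, and the connect-and-drop client are assumptions of the example; Exercise reports how many producer goroutines survive one client's disconnect.

```go
package main

import (
	"bufio"
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"time"
)

const tickInterval = 20 * time.Millisecond // constructed event cadence for the example

// Producer generates events for one connected client and sends them on out.
type Producer func(ctx context.Context, out chan<- string)

// LeakyProducer is the bug class: it ignores ctx, so after the handler returns
// nothing receives from out and the goroutine blocks on its next send forever.
func LeakyProducer(ctx context.Context, out chan<- string) {
	for i := 0; ; i++ {
		time.Sleep(tickInterval)
		out <- fmt.Sprintf("tick %d", i) // blocks forever once the reader is gone
	}
}

// FixedProducer selects on ctx.Done() both while waiting and while sending,
// so it exits as soon as net/http cancels the request context on disconnect.
func FixedProducer(ctx context.Context, out chan<- string) {
	ticker := time.NewTicker(tickInterval)
	defer ticker.Stop()
	for i := 0; ; i++ {
		select {
		case <-ctx.Done():
			return
		case <-ticker.C:
		}
		select {
		case <-ctx.Done():
			return
		case out <- fmt.Sprintf("tick %d", i):
		}
	}
}

// StreamHandler is the /stream endpoint: one producer goroutine per client,
// relayed to the response as SSE frames. running counts producer goroutines
// that have started but not exited, which is what makes the leak observable.
func StreamHandler(p Producer, running *atomic.Int32) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		flusher := w.(http.Flusher) // net/http's ResponseWriter implements Flusher
		w.Header().Set("Content-Type", "text/event-stream")
		flusher.Flush()             // send headers now so the client sees the stream open
		ctx := r.Context()          // cancelled by net/http when the client disconnects
		events := make(chan string) // unbuffered: a send completes only if someone receives
		running.Add(1)
		go func() {
			defer running.Add(-1)
			p(ctx, events)
		}()
		for {
			select {
			case <-ctx.Done():
				return // the handler always exits; whether the producer does is the bug
			case ev := <-events:
				fmt.Fprintf(w, "data: %s\n\n", ev)
				flusher.Flush()
			}
		}
	}
}

// ConnectAndDrop acts as a client that reads one event and then disconnects.
func ConnectAndDrop(url string) (string, error) {
	resp, err := http.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close() // closing before EOF tears down the TCP connection
	return bufio.NewReader(resp.Body).ReadString('\n')
}

// Exercise serves p on a test server, runs one connect-and-drop client, waits
// up to half a second for producers to exit, and returns how many remain.
func Exercise(p Producer) (int32, error) {
	var running atomic.Int32
	srv := httptest.NewServer(StreamHandler(p, &running))
	defer srv.Close()                  // runs last (LIFO) and waits for the handler
	defer srv.CloseClientConnections() // runs first so the handler's ctx is cancelled
	if _, err := ConnectAndDrop(srv.URL); err != nil {
		return -1, err
	}
	deadline := time.Now().Add(500 * time.Millisecond)
	for running.Load() != 0 && time.Now().Before(deadline) {
		time.Sleep(5 * time.Millisecond)
	}
	return running.Load(), nil
}

func main() {
	n, err := Exercise(LeakyProducer)
	fmt.Println("leaky producer goroutines alive after disconnect:", n, err) // 1
	n, err = Exercise(FixedProducer)
	fmt.Println("fixed producer goroutines alive after disconnect:", n, err) // 0
}
```

Each client that connects and drops against the leaky handler leaves one goroutine parked on a channel send for the life of the process, which is the resource exhaustion the advisory describes. On a real server the symptom is a runtime.NumGoroutine() count, or the pprof goroutine profile, that climbs with every connect/disconnect cycle and never comes back down; the fix is always the same shape as FixedProducer: every blocking operation in a per-connection goroutine must also select on the request context.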

Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of Secret CISO. We hope you found this information valuable in staying ahead of potential security threats. Remember, knowledge is power, especially when it comes to data security.

If you found this newsletter helpful, please consider sharing it with your colleagues and friends.

Together, we can create a safer digital world. Stay safe, stay informed, and see you in the next edition of Secret CISO.
