Secret CISO 3/5: MFSA's data leak scandal, ParkMobile and USAA's multi-million settlements, Zurich Insurance and Tata Tech under cyber attack, research on SpecterInsight bypassing AV detection

Welcome to today's issue of Secret CISO, your daily dose of cybersecurity news and insights. Today, we're diving into a series of data breaches and leaks that have been making headlines.
First up, we have the Malta Financial Services Authority (MFSA) being held responsible for a data leak, as confirmed by an appeals court. This case highlights the importance of robust data protection measures, even within regulatory bodies. In the US, ParkMobile and USAA have both settled data breach class actions, with ParkMobile agreeing to a $32.8M settlement and USAA settling for $3.25M. These cases underline the financial implications of data breaches and the growing trend of class action lawsuits in response to such incidents.
Meanwhile, Zurich Insurance Group is facing allegations of a data breach, with a threat actor claiming to have stolen sensitive company data. This incident serves as a reminder that even large, well-established organizations are not immune to cyber threats. In other news, the California Privacy Protection Agency has shut down a data brokerage through Delete Act enforcement following a data breach in 2024. This move demonstrates the increasing regulatory action being taken to protect consumer data.
Finally, we delve into the world of cybersecurity research, with reports on the bypassing of AV detection and anti-malware scans, the patching of critical vulnerabilities in VMware, and the discovery of a new botnet infecting IoT devices. Stay tuned for more updates and remember, knowledge is the first line of defense in cybersecurity. Stay safe!
Data Breaches
- MFSA Responsible for Data Leak: The Malta Financial Services Authority (MFSA) has been held responsible for a data leak involving a confidential regulatory decision. The leak was confirmed by an appeals court following a complaint filed by lawyer Christian Ellul and accountant Karl Schranz. Source: MaltaToday
- Zurich Insurance Suffers Alleged Data Breach: A threat actor has claimed a cyber attack on Zurich Insurance Group, allegedly stealing sensitive company data. The extent of the breach and the type of data stolen are yet to be confirmed. Source: Cyber Daily
- Hunters International Ransomware Claims Attack on Tata Technologies: Tata Technologies, the Indian tech giant, reported a security breach by ransomware actors in January 2025. The attack disrupted parts of its IT systems, although the extent of the damage is not yet known. Source: Bleeping Computer
- California Privacy Protection Agency Shuts Down Data Brokerage: The California Privacy Protection Agency (CPPA) has shut down a data brokerage, NPD, following a data breach in 2024 that exposed 2.9 billion records. The CPPA alleged that NPD did not register as required under the Delete Act. Source: Clark Hill
- Angel One Breach Compromises Client Data: Angel One, a financial services company, was alerted by a 'dark web monitoring partner' about a possible data leak. The extent of the breach and the type of data compromised are yet to be confirmed. Source: SC Media
Security Research
- AV Detection & Anti-Malware Scans Bypassed Using Red Team Tool SpecterInsight: A researcher at Practical Security Analytics LLC reports that the red team tool SpecterInsight can bypass AV detection and anti-malware scans, while noting that Windows Defender now detects the manipulation technique involved. The write-up underscores how quickly evasion techniques get burned and why defensive signatures and controls need constant updating. Source: cybersecuritynews.com
- GreyNoise Intelligence Releases New Research on Cybersecurity Vulns: GreyNoise's new report underscores the speed and unpredictability of mass exploitation, emphasizing the need for real-time intelligence for security teams. The research provides valuable insights into the current state of cybersecurity vulnerabilities. Source: darkreading.com
- VMware patches 3 critical vulnerabilities in multiple product lines: Security researcher Kevin Beaumont has highlighted the severity of three vulnerabilities across VMware's product lines (the ESXi, Workstation and Fusion CVEs listed under Top CVEs below). Chained together, they allow an attacker with administrative access inside a single guest VM to escape to the hypervisor and from there reach every other system it hosts. VMware has patched these vulnerabilities. Source: arstechnica.com
- Unmanned Aircraft Systems Help Responders in Urban Environments: The National Urban Security Technology Laboratory has tested how Unmanned Aircraft Systems (UAS) can support first responders in urban environments. The research could potentially lead to more effective response strategies in urban crises. Source: dhs.gov
- New Eleven11bot botnet infects 86,000 devices for DDoS attacks: Nokia researchers have discovered a new botnet, Eleven11bot, which has already infected 86,000 devices for Distributed Denial of Service (DDoS) attacks. The discovery highlights the ongoing threat of botnets and the importance of robust cybersecurity measures. Source: bleepingcomputer.com
Top CVEs
- CVE-2025-22226 - VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability: An out-of-bounds read in HGFS could allow a malicious actor with administrative privileges on a virtual machine to leak memory from the VMX process. This vulnerability could lead to information disclosure. Source: CVE-2025-22226
- CVE-2025-22224 - VMware ESXi and Workstation TOCTOU Vulnerability: A TOCTOU (Time-of-Check Time-of-Use) vulnerability that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process. Source: CVE-2025-22224
- CVE-2025-1932 - Inconsistent Comparator in xslt/txNodeSorter in Firefox: An inconsistent comparator in xslt/txNodeSorter could result in potentially exploitable out-of-bounds access. This vulnerability affects Firefox versions 122 and later and is fixed in Firefox 136 and Firefox ESR 128.8. Source: CVE-2025-1932
- CVE-2025-22225 - VMware ESXi Arbitrary Write Vulnerability: A malicious actor with privileges within the VMX process may trigger an arbitrary kernel write leading to an escape of the guest operating system. Source: CVE-2025-22225
- CVE-2025-27507 - IDOR Vulnerabilities in ZITADEL's Admin API: ZITADEL's Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensitive settings. The most critical vulnerability lies in the ability to manipulate LDAP configurations. Source: CVE-2025-27507
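The ZITADEL entry above (and its repeat under API Security) describes the IDOR pattern: the request names the object to change and the server checks only that the caller is logged in, not that the caller holds a role on that object. The example below is added here and is not ZITADEL's code. It models an admin API in Python with hypothetical names (the `IAM_OWNER` role, the `inst-1` instance, the `ldap.attacker.example` host) and constructed sample data, and shows the authentication-only handler next to one that ties the required role to the referenced instance.

```python
"""Constructed example: an admin-API LDAP-config update with and without an object-bound authz check."""
from dataclasses import dataclass, field


class AuthzError(PermissionError):
    """Raised when a caller is unauthenticated or lacks the role an operation requires."""


@dataclass
class Principal:
    user_id: str
    # Role grants per instance, e.g. {"inst-1": frozenset({"IAM_OWNER"})}. Role name is assumed.
    grants: dict = field(default_factory=dict)


@dataclass
class Instance:
    instance_id: str
    ldap_config: dict = field(default_factory=dict)


REQUIRED_ROLE = "IAM_OWNER"  # hypothetical name for the instance-level admin role


def fresh_instances() -> dict:
    """Constructed sample tenant data, rebuilt per call so each scenario starts clean."""
    return {"inst-1": Instance("inst-1", {"host": "ldap.example.internal",
                                          "base_dn": "dc=example,dc=internal"})}


# What an attacker would plant: authentication redirected to a server they control.
ROGUE_LDAP = {"host": "ldap.attacker.example", "base_dn": "dc=attacker"}


def update_ldap_config_vulnerable(caller, instance_id, new_config, instances):
    """Authentication only. The instance id from the request is a direct object reference
    that is never checked against the caller's grants, so any logged-in user can rewrite it."""
    if caller is None:
        raise AuthzError("not authenticated")
    inst = instances[instance_id]
    inst.ldap_config = dict(new_config)
    return inst.ldap_config


def update_ldap_config_hardened(caller, instance_id, new_config, instances):
    """Same operation, but the required role must be held on the referenced instance itself."""
    if caller is None:
        raise AuthzError("not authenticated")
    if REQUIRED_ROLE not in caller.grants.get(instance_id, frozenset()):
        raise AuthzError(f"{caller.user_id} lacks {REQUIRED_ROLE} on {instance_id}")
    inst = instances[instance_id]
    inst.ldap_config = dict(new_config)
    return inst.ldap_config


def attempt(handler, caller, instance_id, new_config):
    """Run a handler against fresh data; return (outcome, LDAP host afterwards)."""
    instances = fresh_instances()
    try:
        handler(caller, instance_id, new_config, instances)
        outcome = "allowed"
    except AuthzError:
        outcome = "denied"
    return outcome, instances[instance_id].ldap_config["host"]


OWNER = Principal("u-owner", {"inst-1": frozenset({REQUIRED_ROLE})})
PLAIN_USER = Principal("u-plain", {})  # authenticated, but no role on any instance

if __name__ == "__main__":
    for name, handler in [("vulnerable", update_ldap_config_vulnerable),
                          ("hardened", update_ldap_config_hardened)]:
        for who, caller in [("owner", OWNER), ("plain user", PLAIN_USER), ("anonymous", None)]:
            print(f"{name:10} {who:10} -> {attempt(handler, caller, 'inst-1', ROGUE_LDAP)}")
```

The point of the check is that the grant lookup is keyed by the object named in the request, not by the user alone: a role on some other instance must not unlock this one. The same shape applies to every setting an admin API exposes, which is why fixes for this class of bug are usually a middleware-level role check rather than one patched endpoint.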
API Security
- Exploit for CVE-2025-1094: This exploit targets CVE-2025-1094, an improper neutralization of quoting syntax in PostgreSQL's libpq escaping functions (PQescapeLiteral, PQescapeIdentifier, PQescapeString and PQescapeStringConn) and in the psql client. Invalid multibyte input can leave a quote character unescaped, yielding SQL injection; when the injected text reaches psql, its meta-commands (such as \!) give command execution on the host running the client. Upgrade to the PostgreSQL releases that fix the issue (17.3, 16.7, 15.11, 14.16 and 13.19, or later) and rebuild anything that links an older libpq. Source: vulners.com
- CVE-2025-27507 IDOR Vulnerabilities in ZITADEL's Admin API: ZITADEL's Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users to modify sensitive settings. The most critical vulnerability lies in the ability to manipulate LDAP configurations. Users who do not utilize LDAP for authentication are not at risk, but upgrading to the patched version is strongly recommended. Source: vulners.com
- Exploit for Code Injection in Langchain Langchain-Experimental: This exploit demonstrates the vulnerability CVE-2024-21513 in the langchain-experimental package. The vulnerability allows arbitrary code execution via the VectorSQLDatabaseChain component when retrieving values from the database. Users are advised to update to a secure version of the package. Source: vulners.com
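For the PostgreSQL entry above, the mechanism is worth seeing in code: the escaping routine walks the input by the length a UTF-8 lead byte claims, so a bogus lead byte such as 0xC0 swallows the quote that follows it instead of doubling it. The block below is an added example in Python, not libpq's code. It pairs a toy escape function with that flaw against one that validates the multibyte sequence, plus a scanner that shows the literal closing early. The payload and the query around it are constructed.

```python
"""Constructed example: why length-driven escaping breaks on invalid multibyte input."""

QUOTE = ord("'")


def utf8_lead_len(b: int) -> int:
    """Sequence length implied by a UTF-8 lead byte, pg_encoding_mblen style: no validation."""
    if b < 0x80:
        return 1
    if 0xC0 <= b <= 0xDF:
        return 2
    if 0xE0 <= b <= 0xEF:
        return 3
    if 0xF0 <= b <= 0xF7:
        return 4
    return 1  # stray continuation byte or out-of-range lead byte, treated as one byte


def escape_literal_buggy(data: bytes) -> bytes:
    """Mimics the pre-fix behaviour: copies `n` bytes after a high-bit lead byte blindly,
    so a following quote is swallowed as a 'continuation byte' and never doubled."""
    out = bytearray(b"'")
    i = 0
    while i < len(data):
        n = utf8_lead_len(data[i])
        if n == 1 and data[i] == QUOTE:
            out += b"''"
        else:
            out += data[i:i + n]
        i += n
    out += b"'"
    return bytes(out)


def escape_literal_fixed(data: bytes) -> bytes:
    """Same walk, but every multibyte sequence must be complete and well formed; otherwise refuse."""
    out = bytearray(b"'")
    i = 0
    while i < len(data):
        b = data[i]
        n = utf8_lead_len(b)
        if n == 1:
            if b >= 0x80:
                raise ValueError(f"invalid UTF-8 byte 0x{b:02x} at offset {i}")
            out += b"''" if b == QUOTE else bytes([b])
        else:
            seq = data[i:i + n]
            if len(seq) < n or any(not 0x80 <= c <= 0xBF for c in seq[1:]):
                raise ValueError(f"truncated or invalid UTF-8 sequence at offset {i}")
            out += seq
        i += n
    out += b"'"
    return bytes(out)


def literal_terminates_early(escaped: bytes) -> bool:
    """True if a bare quote closes the literal before its final byte, i.e. the rest becomes SQL."""
    assert escaped[:1] == b"'"
    i = 1
    while i < len(escaped):
        if escaped[i] == QUOTE:
            if i + 1 < len(escaped) and escaped[i + 1] == QUOTE:
                i += 2  # doubled quote is a literal quote character
                continue
            return i != len(escaped) - 1
        i += 1
    return False


def rejects_invalid(escape_fn, data: bytes) -> bool:
    """Report whether an escape function refuses the input instead of emitting it."""
    try:
        escape_fn(data)
    except ValueError:
        return True
    return False


# Constructed attacker input: a bogus 2-byte lead, the quote it hides, then injected SQL.
PAYLOAD = b"\xc0'; SELECT pg_sleep(5); --"

if __name__ == "__main__":
    q = b"SELECT * FROM users WHERE name = " + escape_literal_buggy(PAYLOAD)
    print(q, "-> literal closes early:", literal_terminates_early(escape_literal_buggy(PAYLOAD)))
    print("fixed escaper rejects payload:", rejects_invalid(escape_literal_fixed, PAYLOAD))
```

Note the server side is not what makes this exploitable: a strictly validating server rejects the invalid byte sequence. The real damage in CVE-2025-1094 came from psql, which scans the same bytes for meta-commands before anything reaches the server, so an injected `\!` runs locally. The defensive lesson generalizes beyond PostgreSQL: any escaper that trusts a declared character length without validating the bytes can be steered past the delimiter it is supposed to neutralize.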
Sponsored by Wallarm API Security Solution
Final Words
And that's a wrap for today's edition of Secret CISO. From data leaks to security breaches, we've covered a lot of ground. But remember, in the world of cybersecurity, knowledge is power. So, stay informed, stay vigilant, and most importantly, stay secure.
If you found this newsletter helpful, don't keep it to yourself. Share it with your colleagues, friends, and fellow security enthusiasts. Let's spread the word and foster a culture of cybersecurity awareness.
Stay tuned for our next edition. Until then, keep those firewalls up and those passwords strong. Stay safe, stay secure. Secret CISO, signing off.