Welcome to today's edition of Secret CISO, where we delve into the latest happenings in the world of cybersecurity. Today, we're unpacking a series of data breaches that have sent shockwaves across various sectors. First up, we're looking at a data breach involving a chatbot from Canvas LMC that has been tracking student data, revealing some shocking studying patterns. Meanwhile, Highline Public Schools is implementing additional security measures following a data breach last September. In the corporate world, Zoll has managed to get parts of a data breach class action tossed, while a data breach at Lockton Companies has exposed personal information, prompting a legal investigation. Government entities are not immune either, with Hamilton County government responding to a nationwide data breach affecting EMS patients' financial information. This has sparked a debate among county officials over the handling of the data breach notification. In the tech industry, a massive data breach at Elon Musk's X has reportedly exposed data of millions of accounts. Meanwhile, the Daisy Trudeau Insurance Services data breach is under investigation by Levi & Korsinsky, LLP. In other news, GitHub is expanding its security tools after 39 million secrets were leaked in 2024, and US cyber expert Wang Xiaofeng is reported to be safe after FBI raids. Stay tuned for more updates and remember, in the world of cybersecurity, staying informed is your first line of defense.

Data Breaches

1. Chatbot Data Breach Reveals Shocking Studying Patterns: A recent data breach at Canvas LMC exposed that the Canvas Chatbot, which regularly asks students to report on their mood, has been tracking data. Source: Tulane Hullabaloo
2. Highline Public Schools Data Breach Update: Highline Public Schools is implementing additional security measures following a data breach last September. The incident was also reported to authorities. Source: Westside Seattle
3. Zoll Data Breach Class Action Partially Dismissed: Zoll, a medical device manufacturer, was hit with an email phishing attack in December 2023 that compromised employee names, addresses, and Social Security numbers. Parts of the ensuing class action have been dismissed. Source: Law360
4. Lockton Companies Data Breach Exposes Personal Information: Murphy Law Firm is investigating legal claims on behalf of individuals whose information was exposed in a data breach at Lockton Companies. Source: GlobeNewswire
5. Hamilton County Responds to Nationwide Recovery Services Data Breach: Hamilton County government is addressing a nationwide data breach affecting EMS patients' financial information. The breach has sparked controversy over transparency and accountability. Source: Local 3 News

Security Research

1. US Cyber Expert Wang Xiaofeng 'Is Safe' After FBI Raids: US cybersecurity expert Wang Xiaofeng is reported to be safe after FBI raids, according to a fellow researcher. The details surrounding the case remain undisclosed. Source: SCMP
2. Kaspersky Discovers & Patches Zero-Day Chrome Flaw: Boris Larin, Principal Security Researcher at Kaspersky GReAT, announced the discovery of a significant zero-day vulnerability in Chrome. The flaw has been patched, protecting users from potential exploitation. Source: SecurityBrief New Zealand
3. Verizon Call Filter API Flaw Exposed Customers' Incoming Call History: A flaw in Verizon's Call Filter API exposed customers' incoming call history. The issue was promptly addressed by Verizon, but the incident highlighted some concerning security practices. Source: Bleeping Computer
4. DeepMind's 145-Page Paper on AGI Safety May Not Convince Skeptics: DeepMind's extensive paper on AGI safety has sparked debate in the AI research community. Critics argue that the paper may not be convincing enough to alleviate concerns about automating AI safety research. Source: TechCrunch
5. Counterfeit Android Devices Found Preloaded with Triada Malware: Security researchers discovered counterfeit versions of popular smartphone models sold online preloaded with Triada malware. The discovery underscores the risks associated with purchasing discounted devices from unverified online stores. Source: Bleeping Computer

Top CVEs

1. CVE-2024-36465 - Zabbix User API SQL Injection Vulnerability: A Zabbix user with API access can exploit a SQL injection vulnerability to execute arbitrary SQL commands. This vulnerability can be exploited by a low privilege user, posing a significant security risk. Source: CVE-2024-36465
2. CVE-2024-45700 - Zabbix Server DoS Vulnerability: Zabbix server is vulnerable to a DoS attack due to uncontrolled resource exhaustion. An attacker can send specially crafted requests to the server, causing it to allocate excessive memory and perform CPU-intensive operations, leading to service disruption. Source: CVE-2024-45700
3. CVE-2023-40714 - Fortinet FortiSIEM Path Traversal Vulnerability: A relative path traversal vulnerability in Fortinet FortiSIEM allows an attacker to escalate privileges via certain GUI operations. This vulnerability affects multiple versions of Fortinet FortiSIEM. Source: CVE-2023-40714
4. CVE-2025-20212 - Cisco AnyConnect VPN Server DoS Vulnerability: A vulnerability in the Cisco AnyConnect VPN server could allow an authenticated, remote attacker to cause a denial of service (DoS) condition. The attacker must have valid VPN user credentials on the affected device to exploit this vulnerability. Source: CVE-2025-20212
5. CVE-2025-2005 - WordPress Front End Users Plugin File Upload Vulnerability: The Front End Users plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation. This vulnerability allows unauthenticated attackers to upload arbitrary files on the affected site's server, potentially leading to remote code execution. Source: CVE-2025-2005

API Security

1. Critical Vulnerability in fcba_zzm ics-park Smart Park Management System 2.1: A critical vulnerability has been found in the fcba_zzm ics-park Smart Park Management System 2.1, affecting unknown code of the file /api/system/dept/update. The vulnerability can lead to SQL injection and can be initiated remotely. The exploit has been made public. Source: CVE-2025-3135
2. Exploit for CVE-2025-29927 in Next.js Project: A sample Next.js project has been bootstrapped to explain how CVE-2025-29927 works. The exploit involves the use of the x-middleware-subrequest header to bypass middleware, potentially allowing rules to be overridden. Source: CVE-2025-29927
3. Jenkins AsakusaSatellite Plugin Stores API Keys Unencrypted: The Jenkins AsakusaSatellite Plugin 0.1.1 and earlier versions store AsakusaSatellite API keys unencrypted in job config.xml files on the Jenkins controller. These keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Source: GHSA-FV9Q-FQ62-C6QG
4. Jenkins Cadence vManager Plugin Stores Verisium Manager vAPI keys Unencrypted: The Jenkins Cadence vManager Plugin 4.0.0-282.v5096a_c2db_275 and earlier versions store Verisium Manager vAPI keys unencrypted in job config.xml files on the Jenkins controller. These keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Source: GHSA-X9HJ-Q7XV-FV4V
5. Jenkins Stack Hammer Plugin Stores API Keys Unencrypted: The Jenkins Stack Hammer Plugin 1.0.6 and earlier versions store Stack Hammer API keys unencrypted in job config.xml files on the Jenkins controller. These keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Source: GHSA-2WXQ-944J-5G2V

Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of Secret CISO. From chatbot data breaches to security measures being implemented in public schools, it's clear that the world of cybersecurity is as dynamic as ever. Remember, staying informed is the first step in staying secure. If you found today's newsletter helpful, please consider sharing it with your colleagues and friends. Together, we can create a safer digital world. Until next time, stay safe and stay vigilant.

P.S. Don't forget to check out the latest exploits and vulnerabilities at the end of the newsletter. Knowledge is power, after all.