Secret CISO 4/8: Lee University and Kellogg's Data Breaches, Australian Super Fund's Security Weakness, Research on AI Security Use Cases and ESET Bug Exploitation

Welcome to today's edition of Secret CISO, your daily dose of the latest in cybersecurity news. Today we're diving into a series of data breaches that have hit major institutions and companies, a reminder of the ever-present threat of cyber attacks. First on our list is Lee University, currently facing federal lawsuits over its response to a 2024 data breach. The university is not alone: cereal giant WK Kellogg also fell victim to a data breach early this year, affecting an unknown number of people, and the company has confirmed that employee information was exposed. In other news, Australia's biggest superannuation fund was questioned by its own members about a security weakness in its accounts before cybercriminals stole data, which highlights the importance of listening to user concerns about security vulnerabilities.

Meanwhile, the Port of Seattle data breach is drawing class action interest, with affected users being asked about a potential lawsuit over loss of privacy. In a different sector, the breach at genetic testing company 23andMe serves as a wake-up call for consumer privacy and corporate accountability: unlike credit card numbers or passwords, genetic data is immutable, and once it is compromised there is no resetting your DNA. Lastly, we turn to AI, where Google is building a cybersecurity assistant for information security professionals, while a security researcher has demonstrated AI's ability to forge passports that fool verification systems, raising concerns about misuse.

Stay tuned for more updates and remember, knowledge is the first line of defense in cybersecurity. Stay safe!

Data Breaches

  1. Lee University Data Breach Lawsuits: Lee University is facing several lawsuits following a data breach in 2024. The complaints, filed in Chattanooga Federal Court, are seeking damages for the university's alleged mishandling of the incident. Source: Chattanoogan.com
  2. Kellogg's Data Breach: Cereal giant WK Kellogg suffered a data breach in early 2025, affecting an unknown number of people. The company has filed a notice of the breach with the Attorney General of Maine. Source: TechRadar and JDSupra
  3. Port of Seattle Data Breach: The Port of Seattle has suffered a data breach, potentially exposing sensitive data of its users. A class action lawsuit is being considered over the loss of privacy and other damages. Source: ClassAction.org
  4. Australian Super Fund Cyberattacks: Australia's largest superannuation fund was questioned by its own clients about a security weakness in its accounts before cybercriminals stole sensitive data. The exact number of affected users is still unknown. Source: ABC News
  5. DBS and Bank of China Data Breach: More than 11,000 customers of DBS and Bank of China had their information compromised in a cyberattack. The Cyber Security Agency of Singapore and the Monetary Authority of Singapore have issued a joint statement on the incident. Source: The Straits Times

Security Research

  1. "Google's Experimental AI Model for Cybersecurity": Google has developed an AI-based cybersecurity assistant aimed at aiding information security professionals. The tech giant is now inviting researchers to explore and experiment with the model, hoping to discover new security use cases. Source: CyberScoop
  2. "ToddyCat APT Exploits ESET Bug for Malware Deployment": Security researcher Andrey Gunkin has reported that ToddyCat, a threat actor with likely ties to China, is exploiting a DLL search-order hijacking flaw in ESET's software (CVE-2024-11859, listed under Top CVEs below) to load its malware inside the security product's own process, where it is less likely to be noticed. This highlights the ongoing threat posed by advanced persistent threats (APTs). Source: Dark Reading
  3. "AI Data Leak Exposes Thousands of Prompts": Security researcher Jeremiah Fowler discovered an unprotected database belonging to South Korean AI company GenNomis. The leak exposed over 95,000 prompts, serving as a wake-up call for the potential security risks associated with AI technologies. Source: Tom's Guide
  4. "Fake Passport Creation Using ChatGPT": A security expert has demonstrated the potential misuse of AI by creating a convincing fake passport using OpenAI's language model, ChatGPT. This experiment underscores the need for robust verification systems to counter AI-enabled forgery. Source: Boing Boing
  5. "Dual Life of EncryptHub: Cybercriminal and Windows Bug-Bounty Researcher": Security analyst Hector Garcia has linked the cybercriminal activities of EncryptHub to the Windows bug-bounty researcher SkorikARI. This case highlights the blurred lines between ethical hacking and cybercrime. Source: BleepingComputer
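The ToddyCat item above and CVE-2024-11859 in the Top CVEs section describe one technique: a trusted, signed executable imports a library by bare file name, and a copy planted in the executable's own directory is loaded ahead of the Windows one. The following hunting example is added here and is not code from Kaspersky, ESET or the newsletter. It walks constructed Sysmon Event ID 7 (ImageLoad) records and flags a DLL that carries the name of a Windows system library but was loaded from outside the Windows directory, noting whether it sits beside the loading executable, whether its signature verified and who signed it. The list of hijack-prone names, the vendor paths and the sample events are assumptions made for illustration.

```python
"""Added example: hunting DLL search-order hijacking in ImageLoad telemetry."""
from pathlib import PureWindowsPath

# Directories where Windows' own copies of these libraries legitimately live.
WINDOWS_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)

# Deliberately short, illustrative list of libraries that many executables import
# by bare name and that are therefore common side-loading targets. Assumption:
# in practice, derive this list from the import tables of the binaries you run.
HIJACK_PRONE = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll", "userenv.dll"}


def explain_image_load(event):
    """Return a list of reasons an ImageLoad event looks like side-loading, or None.

    `event` uses Sysmon Event ID 7 field names: Image (the loading process),
    ImageLoaded (the DLL), Signed, SignatureStatus and Signature (the signer).
    """
    dll = PureWindowsPath(event["ImageLoaded"])
    if dll.name.lower() not in HIJACK_PRONE:
        return None
    # A hijack-prone name loaded from the Windows directory is the expected case.
    if (str(dll.parent).lower() + "\\").startswith(WINDOWS_DIRS):
        return None
    reasons = [f"{dll.name} loaded from {dll.parent} instead of the Windows directory"]
    # Classic hijack: the planted DLL lives next to the executable that imports it.
    if dll.parent == PureWindowsPath(event["Image"]).parent:
        reasons.append("DLL sits beside the loading executable")
    signed = str(event.get("Signed", "false")).lower() == "true"
    if not signed or event.get("SignatureStatus") != "Valid":
        reasons.append(f"signature status: {event.get('SignatureStatus', 'missing')}")
    if "microsoft" not in event.get("Signature", "").lower():
        reasons.append(f"signer is not Microsoft: {event.get('Signature', '-')}")
    return reasons


def hunt(events):
    """Return (Image, ImageLoaded, reasons) for every suspicious event, in input order."""
    findings = []
    for event in events:
        reasons = explain_image_load(event)
        if reasons:
            findings.append((event["Image"], event["ImageLoaded"], reasons))
    return findings


# Constructed sample telemetry; paths and vendor names are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\ExampleAV\scanner.exe",
     "ImageLoaded": r"C:\Program Files\ExampleAV\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": "-"},
    {"Image": r"C:\Program Files\ExampleAV\scanner.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\Public\tool.exe",
     "ImageLoaded": r"C:\Users\Public\libs\dbghelp.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Example Tools Ltd"},
]

if __name__ == "__main__":
    for image, loaded, reasons in hunt(SAMPLE_EVENTS):
        print(image, "->", loaded)
        for reason in reasons:
            print("   ", reason)
```

The first sample event reproduces the shape of the ESET case: a security product's own executable loading an unsigned version.dll from its installation directory. The fourth shows that a valid third-party signature does not make the name-and-location mismatch benign. Because the advisory text says the attacker already holds administrator rights, the host's own logs may be tampered with, so this logic should run on telemetry forwarded off the endpoint.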

Top CVEs

  1. Improper Neutralization of Special Elements in Apache Airflow Common SQL Provider: A vulnerability in the Apache Airflow Common SQL Provider allows an authenticated UI user to inject arbitrary SQL commands when triggering a DAG that exposes partition_clause to the user. This could lead to privilege escalation. Users are recommended to upgrade to version 1.24.1. Source: CVE-2025-30473
  2. Improper Deserialization in WildFly and JBoss EAP: A security flaw exists in WildFly and JBoss EAP within the Enterprise JavaBeans (EJB) remote invocation mechanism. This vulnerability stems from untrusted data deserialization handled by JBoss Marshalling, allowing an attacker to execute remote code. Source: CVE-2025-2251
  3. DLL Search Order Hijacking Vulnerability in ESET Products: This vulnerability potentially allows an attacker with administrator privileges to load a malicious dynamic-link library and execute it; it is the flaw ToddyCat abused in the Security Research item above. Source: CVE-2024-11859
  4. SQL Injection in Online Restaurant Management System: A critical vulnerability was found in codeprojects Online Restaurant Management System 1.0. The manipulation of the argument ID in the file /admin/user_update.php leads to SQL injection. The attack can be launched remotely. Source: CVE-2025-3339
  5. Permissive Cross-domain Policy in DestinyECM Solution: A vulnerability in the local API server of the DestinyECM solution allows a Cross-Site Request Forgery (CSRF) attack, which probabilistically enables JSON Hijacking (aka JavaScript Hijacking) via a forged web page. Source: CVE-2024-11071
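The Apache Airflow item above turns on a single user-controlled string being spliced into SQL text. The Python below is an added illustration and is not Airflow's code or its fix: against an in-memory SQLite database with constructed tables, it shows a check query that interpolates partition_clause verbatim beside a hardened variant that parses the clause into column, operator and literal terms, validates each column against the live schema and binds the literals as parameters. As in the advisory, the table name and check expression are assumed to come from the DAG author, so only partition_clause is treated as attacker-controlled; the table names, data and payload are made up.

```python
"""Added illustration of the partition_clause injection class (not Airflow's code)."""
import re
import sqlite3

# Constructed schema: the table under check plus one the check should never touch.
SETUP_SQL = """
CREATE TABLE orders (id INTEGER, region TEXT, amount INTEGER);
INSERT INTO orders VALUES (1, 'eu', 10), (2, 'eu', -5), (3, 'us', 7);
CREATE TABLE api_keys (owner TEXT, secret TEXT);
INSERT INTO api_keys VALUES ('svc-a', 'k-111'), ('svc-b', 'k-222');
"""


def connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP_SQL)
    return conn


def check_unsafe(conn, table, check_expr, partition_clause):
    """Vulnerable pattern: the user-supplied clause is pasted into the SQL text.

    `table` and `check_expr` are DAG-author configuration; `partition_clause`
    is the value a UI user can set when triggering the run.
    """
    sql = (f"SELECT COUNT(*) FROM {table} "
           f"WHERE ({partition_clause}) AND NOT ({check_expr})")
    return [row[0] for row in conn.execute(sql)]


# One term: identifier, comparison operator, then a quoted string or an integer.
_TERM = re.compile(
    r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(=|<>|<=|>=|<|>)\s*('[^']*'|-?\d+)\s*$"
)


def compile_partition_clause(conn, table, partition_clause):
    """Accept only `col OP literal [AND col OP literal ...]`; reject everything else.

    Returns parameterized SQL plus the values to bind. Column names are checked
    against the schema, so function calls, subqueries, comments and extra
    statements never reach the database as SQL text.
    """
    columns = {row[1] for row in conn.execute(f"PRAGMA table_info({table})")}
    if not columns:
        raise ValueError(f"unknown table {table!r}")
    if not partition_clause.strip():
        return "1=1", []
    fragments, params = [], []
    for term in re.split(r"\s+AND\s+", partition_clause.strip(), flags=re.I):
        match = _TERM.match(term)
        if not match:
            raise ValueError(f"rejected partition term {term!r}")
        col, op, literal = match.groups()
        if col not in columns:
            raise ValueError(f"unknown column {col!r}")
        params.append(literal[1:-1] if literal.startswith("'") else int(literal))
        fragments.append(f'"{col}" {op} ?')
    return " AND ".join(fragments), params


def check_safe(conn, table, check_expr, partition_clause):
    """Hardened variant: the clause reaches the database only as bound parameters."""
    where, params = compile_partition_clause(conn, table, partition_clause)
    sql = f"SELECT COUNT(*) FROM {table} WHERE ({where}) AND NOT ({check_expr})"
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = connect()
    print(check_unsafe(db, "orders", "amount >= 0", "region = 'eu'"))  # [1]
    # Closes the WHERE parenthesis, appends a UNION, comments out the rest.
    payload = "1=1) UNION SELECT group_concat(secret, ',') FROM api_keys --"
    print(check_unsafe(db, "orders", "amount >= 0", payload))  # leaks api_keys
    print(check_safe(db, "orders", "amount >= 0", "region = 'eu' AND amount < 100"))
    try:
        check_safe(db, "orders", "amount >= 0", payload)
    except ValueError as exc:
        print("rejected:", exc)
```

The payload never has to break out of a quoted string: the clause is already SQL, so one closing parenthesis is enough to turn a row count into an exfiltration query. The allowlist grammar is intentionally strict; a literal containing the word AND is split into fragments that fail the term regex and is rejected rather than passed through, which is the safe failure mode for a parameter exposed to every UI user.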

API Security

  1. VAPIX Device Configuration Framework Unauthenticated Username Enumeration: A flaw in the VAPIX Device Configuration framework was discovered during an annual penetration test, which allowed for unauthenticated username enumeration through the VAPIX Device Configuration SSH Management. Source: CVE-2025-0361
  2. VAPIX API Insufficient Input Validation: The VAPIX API uploadoverlayimage.cgi did not have sufficient input validation, allowing an attacker to upload files to block access to create image overlays in the web interface of the Axis device. Source: CVE-2024-47261
  3. mymagicpower AIAS Server-Side Request Forgery: A critical vulnerability was found in mymagicpower AIAS 20250308. The manipulation of the argument URL in AsrController.java leads to server-side request forgery. The attack may be initiated remotely. Source: CVE-2025-3411
  4. Libxml2 Python API Out-of-Bounds Memory Access: In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) due to an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and... Source: CVE-2025-32414
  5. Apollo Router Query Planner Vulnerable to Excessive Resource Consumption: A vulnerability in Apollo Router allowed queries with deeply nested and reused named fragments to be prohibitively expensive to query plan, specifically due to internal optimizations being frequently bypassed. This could lead to excessive resource consumption and denial of service. Source: CVE-2025-32032

Sponsored by Wallarm API Security Solution

Final Words

That's all for today's edition of Secret CISO. We hope you found these updates helpful. Remember, staying informed is the first step in protecting your organization from security threats. Don't forget to share this newsletter with your friends and colleagues to help them stay secure too. Until next time, stay safe and secure!

By Secret CISO