TLDR Information Security 2025-07-04

🔓

Attacks & Vulnerabilities

Young Consulting finds even more folks affected in breach mess – now over 1 million (3 minute read)

Young Consulting (now Connexure) experienced a ransomware attack in April 2024 that impacted over 1 million individuals. The BlackSuit group claimed responsibility. The breached data included names, Social Security numbers, birth dates, and insurance details.
Cisco fixes maximum-severity flaw in enterprise unified comms platform (CVE-2025-20309) (2 minute read)

Cisco discovered CVE-2025-20309, a backdoor vulnerability, in its Unified Communications Manager with unchangeable default root credentials. It affects only Engineering Special releases (15.0.1.13010-1 through 15.0.1.13017-1), allowing remote attackers root access. The vulnerability was found during internal testing with no known exploitation.
Grafana releases critical security update for Image Renderer plugin (2 minute read)

Grafana Labs has issued security updates for its Image Renderer plugin and Synthetic Monitoring Agent to fix four high-severity Chromium vulnerabilities (CVE-2025-5959, CVE-2025-6554, CVE-2025-6191, and CVE-2025-6192). These flaws could allow remote code execution, memory access, and heap corruption via crafted HTML pages. Affected versions are those prior to 3.12.9 for Image Renderer and 0.38.3 for Monitoring Agent, both of which include a headless Chromium browser for dashboard rendering. Users should update immediately. Cloud and Azure instances have already been patched.
🧠

Strategies & Tactics

Outsourced Trust: How Coinbase's $400M Problem Started in an Indian Call Center (5 minute read)

Coinbase suffered a data breach that affected 69,461 users when outsourced call center employees illegally accessed customer information. The attackers demanded a $20 million ransom, but Coinbase offered a $20 million bounty instead. The breach enabled social engineering scams, resulting in losses exceeding $65.7 million.
Guest Post: How I Scanned all of GitHub's “Oops Commits” for Leaked Secrets (12 minute read)

A security researcher discovered that GitHub permanently stores "deleted" commits from force pushes as "zero-commit" PushEvents in the GitHub Archive, making supposedly removed secrets still accessible via commit hashes. By scanning all zero-commit force push events since 2020 using the GitHub Event API and GitHub Archive data, the researcher built automated tools to identify and analyze these hidden commits for leaked credentials, uncovering $25,000 worth of active secrets. Key security strategies include implementing pre-commit secret scanning, treating any committed secret as permanently compromised regardless of deletion attempts, immediately revoking exposed credentials, and protecting .env files, which were the most common source of leaked secrets.
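The pre-commit scanning the summary recommends is the cheapest of the listed mitigations, because a secret that never reaches a commit cannot be recovered from a force push. The following is an added example, not code from the researcher's post or tooling: a Git pre-commit hook that inspects only the staged additions (`git diff --cached`), flags well-known key formats, flags `.env`-style assignments whose value looks random, and refuses any staged `.env` file outright. The regexes, the entropy threshold and the sample lines are constructed for illustration.

```python
"""Pre-commit secret scanner (added example): fail the commit when staged additions look like credentials."""
import math
import re
import subprocess
import sys

# Well-known credential formats (constructed starter list; extend for your own providers).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}
# .env-style assignment whose variable name suggests a secret: NAME=value or NAME="value"
ASSIGNMENT = re.compile(
    r"^\s*(?:export\s+)?([A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY)[A-Z0-9_]*)"
    r"\s*=\s*['\"]?([^'\"\s#]{16,})",
    re.IGNORECASE,
)
ENTROPY_THRESHOLD = 3.5  # bits per character; generated keys usually score above this, words below

# Constructed sample of "added" lines; the AWS key is the documented placeholder value, not a live key.
SAMPLE_ADDED_LINES = (
    "DB_PASSWORD=passwordpasswordpassword\n"
    "AWS_KEY = AKIAIOSFODNN7EXAMPLE\n"
    "API_KEY=aB3dE5fG7hJ9kL1mN2pQ4rS6\n"
)


def shannon_entropy(value: str) -> float:
    """Bits per character of a string; repeated words score low, random keys score high."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(text: str):
    """Return (line_number, kind, snippet) for every suspicious line in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, kind, line.strip()[:60]))
        m = ASSIGNMENT.match(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append((lineno, "high_entropy_assignment", m.group(1)))
    return findings


def staged_added_lines() -> str:
    """Only the '+' lines of the staged diff, so secrets already in history are not re-reported here."""
    diff = subprocess.run(
        ["git", "diff", "--cached", "-U0", "--no-color"],
        check=True, capture_output=True, text=True,
    ).stdout
    return "\n".join(
        line[1:] for line in diff.splitlines()
        if line.startswith("+") and not line.startswith("+++")
    )


def staged_env_files():
    """Any staged file named .env or .env.* is refused regardless of content."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only"], check=True, capture_output=True, text=True,
    ).stdout.split()
    return [n for n in names if n.split("/")[-1].startswith(".env")]


def main(argv) -> int:
    """Exit 1 (blocking the commit) when anything suspicious is staged; --demo scans the sample instead."""
    if "--demo" in argv:
        problems, added = [], SAMPLE_ADDED_LINES
    else:
        problems, added = [f".env file staged: {p}" for p in staged_env_files()], staged_added_lines()
    problems += [f"line {ln}: {kind} ({snip})" for ln, kind, snip in find_secrets(added)]
    for p in problems:
        print("secret-scan:", p, file=sys.stderr)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Install it by copying the script to `.git/hooks/pre-commit` (or wiring it into your hook framework) and run `python pre-commit.py --demo` to see the two sample hits; the repeated-word password is intentionally not flagged, which is why the entropy check is paired with format-specific patterns rather than used alone. Because the hook only sees staged additions, it complements, and does not replace, a history scan and rotation of anything already committed.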
Reverse Engineering Cursor's LLM Client (6 minute read)

In this post, the authors used TensorZero, an open-source framework for optimizing LLM applications with downstream feedback signals, to observe the API calls and tokens exchanged between Cursor and the LLM providers. They first ran into errors connecting to a TensorZero instance running locally, because Cursor first sends each request to Cursor's own servers for additional processing, so the authors had to set up a reverse proxy exposing a public endpoint that forwards requests back to the local machine. They then had to work around CORS issues. Eventually, they managed to wire Cursor up properly and included sample system prompts and interactions between a user session and what Cursor generates.
🧑‍💻

Launches & Tools

ShadowCrypt (GitHub Repo)

Proactive ransomware defense and secure file hiding for Windows. Effortlessly protect, access, and recover sensitive files using encrypted mappings and smart shortcuts.
Secrets Ninja (GitHub Repo)

Secrets Ninja is a GUI-based tool that validates API keys and credentials found during penetration testing. It tests these secrets directly from your browser using frontend JavaScript, ensuring that no sensitive information is ever collected or logged.
TrollRPC (GitHub Repo)

TrollRPC is a library to bind RPC calls based on UUID and OPNUM. The goal of the library is to break specific RPC calls to an antivirus scanner for AMSI bypass.
🎁

Miscellaneous

Ransomware gang Hunters International says it's shutting down (3 minute read)

The Hunters International ransomware gang announced its shutdown on Thursday, offering free decryption keys to its victims. The group operated for two years, targeting organizations including a U.S. cancer center. Security experts suspect that this may be a rebranding effort, with the gang potentially transitioning to "World Leaks" to evade detection by law enforcement.
Uncovering Nytheon AI - A New Platform of Uncensored LLMs (7 minute read)

Threat researchers at Cato CTRL have released a report on an uncensored LLM platform known as Nytheon AI. The operators behind Nytheon trained a suite of gen AI tools by employing jailbreaks on open-source models from Meta and Deepseek. The Nytheon AI suite includes models for code generation, document summarization and translation, OCR, and a control model.
AWS Certificate Manager Has Announced Exportable TLS Certificates, and I'm Mostly Okay With It (4 minute read)

Recently, AWS Certificate Manager (ACM) added the ability to export certificates and private keys for use in EC2 or external applications. Currently, ACM does not implement ACME, so certificate renewals must be handled manually or via the AWS API. Organizations that want to ensure that private keys never leave ACM can disable exports at the AWS Organization level or on an account-by-account basis via SCPs.

Quick Links

New Fake Marketplace From China Mimics Top Retail Brands for Fraud (2 minute read)

A scam originating from China has led to the creation of thousands of fake shopping websites that mimic real stores, stealing payment information from global shoppers, especially during major sales events in Mexico.
North Korean Hackers Drop NimDoor macOS Malware Via Fake Zoom Updates (2 minute read)

North Korean hackers are deploying deceptive Zoom updates to distribute NimDoor malware on macOS and target cryptocurrency firms covertly to steal sensitive data.
Police dismantle investment fraud ring stealing €10 million (2 minute read)

Spanish police dismantled a fake investment scam that defrauded over €10 million from hundreds of victims through false advertisements, fake websites, and call centers claiming to be investment experts.


Thanks for reading,
Prasanna Gautam, Eric Fernandez & Sammy Tbeile