Episode show notes: May 18's Top Cyber News NOW! - Ep 1134 (May 18, 2026)
At a glance
Eight critical vulnerabilities hit the news in a single day: Grafana's GitHub token breach, Microsoft Azure privilege escalation quietly patched, WordPress funnel builder actively exploited, Cisco SD-WAN zero-day under federal emergency directive, Microsoft Exchange Server zero-day in the wild, NGINX 18-year-old vulnerability discovered by AI, and CISA preparing critical infrastructure for potential long-term network isolation. The NGINX discovery signals an emerging wave of legacy code vulnerabilities being uncovered by AI systems.
Stories covered
Does Grafana's GitHub token breach expose production secrets?
What happened: An attacker obtained a compromised GitHub token and gained unauthorized access to Grafana's GitHub environment, downloading portions of source code and later attempting extortion. The company revoked the token, rotated credentials, and confirmed the breach did not impact customer systems, hosted services, or personal data.
Why it matters: This highlights both the ongoing risk of leaked developer credentials and the shift in attacker focus toward software supply chain environments. GitHub repos, whether private or public, are increasingly high-value targets—and many organizations lack visibility into unauthorized access to these cloud-based repositories.
What to do: Implement strict GitHub token management: use short-lived tokens, rotate credentials regularly, and enforce multi-factor authentication on developer accounts. Ensure you can audit GitHub access logs. For GRC teams, explicitly communicate what was not compromised in breach disclosures; vague statements create unnecessary panic and customer churn.
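One concrete control behind the "leaked developer credentials" point above is scanning your own repositories and config files for GitHub token strings before they reach a remote. This is an added example, not code from Grafana or the episode; the token prefixes and lengths ("ghp_" plus 36 characters, "github_pat_" plus 22, an underscore and 59 characters) are assumed formats you should verify against GitHub's current documentation, and the sample file content is constructed.

```python
import re
from typing import List, Tuple

# Assumed GitHub token formats (verify against GitHub's own documentation):
# classic PAT = "ghp_" + 36 alphanumerics, fine-grained PAT = "github_pat_" +
# 22 alphanumerics + "_" + 59 alphanumerics.
TOKEN_PATTERNS = {
    "github_classic_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_fine_grained_pat": re.compile(
        r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
}


def redact(token: str) -> str:
    """Keep prefix and last four characters so a report never re-leaks the secret."""
    return token[:4] + "..." + token[-4:]


def scan_text(text: str, source: str = "<memory>") -> List[Tuple[str, int, str, str]]:
    """Return (source, line_no, kind, redacted_token) for every token-like string."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((source, line_no, kind, redact(match.group(0))))
    return findings


def scan_file(path: str) -> List[Tuple[str, int, str, str]]:
    """Scan one file on disk; binary junk is tolerated by ignoring decode errors."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return scan_text(fh.read(), path)


# Constructed sample of a leaked .env file; these are not real credentials.
SAMPLE = """# constructed sample, not real secrets
GITHUB_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJklmnop
DEPLOY_TOKEN=github_pat_ABCDEFGHIJKLMNOPQRSTUV_01234567890123456789012345678901234567890123456789abcdefghi
NOT_A_TOKEN=ghp_tooshort
"""

if __name__ == "__main__":
    for source, line_no, kind, shown in scan_text(SAMPLE, "sample.env"):
        print(f"{source}:{line_no}: {kind} {shown}")
```

Wire `scan_file` into a pre-commit hook or CI step and fail the build on any finding; the redacted form is safe to put in the build log.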
Why did Microsoft reject then quietly fix an Azure Kubernetes privilege escalation?
What happened: A security researcher reported a critical privilege escalation flaw in Azure Kubernetes Service that allowed users with low-level backup contributor permissions to escalate to cluster admin. Microsoft initially rejected the report, claiming the behavior was "expected" and not a vulnerability. After public disclosure, the vulnerability was silently patched.
Why it matters: When vendors dismiss legitimate findings without paying researchers, you disincentivize future vulnerability research. This also sets a dangerous precedent: attackers will find these bugs anyway if defenders don't. The inconsistency makes it harder for organizations to properly assess and prioritize risk in cloud environments.
What to do: If you discover a vulnerability in Microsoft or any vendor platform, document it thoroughly and escalate through official channels. The CVE/CERT coordination process exists for this reason. Do not accept dismissals at face value—independent researchers and coordinated disclosure programs are a critical line of defense.
Is the WordPress funnel builder flaw being actively exploited on your checkout pages?
What happened: A critical vulnerability in the WordPress funnel builder plugin affecting 40,000+ websites is being actively exploited to inject malicious Google Tag Manager scripts into WooCommerce checkout pages, stealing customer payment card data. Developers released version 3.15.0.3 to patch the flaw.
Why it matters: Active exploitation means attackers are moving fast. If you run WordPress with these plugins, you are likely already compromised if unpatched. This is straightforward skimming: attackers steal full card numbers, expiration dates, and CVV codes at the point of transaction.
What to do: Immediately audit your environment for the funnel builder and WooCommerce plugins. If present, upgrade to version 3.15.0.3 or later today. Then inspect checkout pages for unauthorized scripts or GTM configurations. Work backward through transaction logs to check for evidence of prior exploitation and card compromise. Alert payment card processors if you find evidence of fraud.
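The "inspect checkout pages for unauthorized scripts or GTM configurations" step can be automated against a saved copy of the rendered checkout HTML. This is an added example, not code from the plugin vendor or the episode; the approved container ID, the approved script hosts and the sample page are constructed placeholders you would replace with your store's real values, and the card-field heuristic at the end is an assumption-based signal, not a description of the specific skimmer.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

GTM_ID = re.compile(r"GTM-[A-Z0-9]{4,}")
# Constructed allowlists: the store's own container and the hosts it loads scripts from.
APPROVED_GTM_IDS = {"GTM-EXAMPLE1"}
APPROVED_SCRIPT_HOSTS = {"shop.example", "www.googletagmanager.com"}


class ScriptCollector(HTMLParser):
    """Collect every <script src=...> URL and every inline <script> body on a page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self.inline.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data


def audit_checkout_html(html: str) -> list:
    """Return (finding_kind, detail) pairs for scripts that do not match the allowlists."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:                      # third-party script from an unapproved host
        host = urlparse(src).hostname or ""     # "" means same-origin relative path
        if host and host not in APPROVED_SCRIPT_HOSTS:
            findings.append(("unapproved_script_host", src))
    for blob in p.inline + p.external:          # GTM container the store never registered
        for gtm in sorted(set(GTM_ID.findall(blob)) - APPROVED_GTM_IDS):
            findings.append(("unknown_gtm_container", gtm))
    for blob in p.inline:                       # heuristic: card fields plus a network send
        if re.search(r"card|cvv|cvc|expir", blob, re.I) and \
                re.search(r"fetch\(|XMLHttpRequest|sendBeacon|new Image", blob):
            findings.append(("inline_script_touches_card_fields", blob.strip()[:60]))
    return findings


# Constructed sample checkout page: one approved container, one unknown container,
# one unapproved external script and one inline script that reads a card field.
SAMPLE_CHECKOUT = """<html><head>
<script src="/wp-content/plugins/woocommerce/assets/js/checkout.js"></script>
<script>(function(w,d,s,l,i){})(window,document,'script','dataLayer','GTM-EXAMPLE1');</script>
<script>(function(w,d,s,l,i){})(window,document,'script','dataLayer','GTM-ZZ9999');</script>
<script src="https://unknown-cdn.example/collect.js"></script>
<script>document.querySelector('#card-number');fetch('/x',{method:'POST'});</script>
</head><body>checkout</body></html>
"""

if __name__ == "__main__":
    for kind, detail in audit_checkout_html(SAMPLE_CHECKOUT):
        print(kind, detail)
```

Run it against the HTML as a browser actually receives it (curl with a normal user agent, or a saved page from DevTools), since a skimmer loaded only through GTM will not appear in the PHP templates on disk.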
Should you patch Cisco SD-WAN immediately under federal emergency directive?
What happened: CISA issued an emergency directive requiring US federal civilian agencies to immediately patch a critical unauthenticated remote access vulnerability in Cisco Catalyst SD-WAN. The flaw allows attackers to gain elevated access and has been actively exploited. A patch was released May 14th, 2026.
Why it matters: SD-WAN is enterprise-grade infrastructure that creates a unified control plane across all sites and facilities. Compromise here means compromise of your entire network backbone. Federal agencies don't move fast—the fact they're being given 72 hours signals this is trivial to exploit and likely nation-state actors are already targeting it wholesale.
What to do: If you run Cisco SD-WAN, treat this as a weekend emergency. Coordinate immediately with your networking team to patch all affected instances. This is not optional. If you cannot patch immediately, implement network segmentation to isolate SD-WAN controllers and limit access to trusted administrative networks only.
What's the latest on Microsoft Exchange Server zero-day under active attack?
What happened: Microsoft disclosed a spoofing and cross-site scripting zero-day (CVE withheld in initial notices) affecting Exchange Server Subscription Edition, 2016, and 2019, already being exploited in the wild. The flaw affects Outlook Web Access (OWA). No permanent patch is available; only mitigations are offered.
Why it matters: Exchange on-premises remains a critical attack surface despite years of zero-days. If you're still running it, you're managing persistent vulnerability risk. This vulnerability surfaces only days after Microsoft's May Patch Tuesday, which contained zero reported zero-days—itself unusual.
What to do: Apply all available mitigations immediately. If you can migrate to Exchange Online, begin that project now. If you must run Exchange on-premises, establish a dedicated incident response phone tree and rehearse recovery procedures. Monitor the CISA KEV catalog for Exchange Server; two dozen flaws already exist there.
How did researchers find an 18-year-old NGINX vulnerability using AI?
What happened: Security researchers discovered an 18-year-old vulnerability in NGINX, the world's most widely deployed web server, using an autonomous AI-driven scanning system. The flaw can lead to denial of service and possibly remote code execution under certain conditions.
Why it matters: This signals the beginning of a much larger problem: AI systems will rapidly uncover decades of latent vulnerabilities in legacy code that humans missed. The window between now and the point at which AI is routinely used to write secure code is a "perfect storm" period. Organizations have not had time to inventory all their software, let alone patch or replace it.
What to do: Conduct a comprehensive software asset inventory immediately—identify every piece of open-source and third-party software in your environment, version numbers, deployment count, and criticality. Establish relationships with engineering and business teams now to prepare for rapid patching cycles. Expect a deluge of vulnerability disclosures over the next 6-12 months as AI systems systematically scan legacy codebases.
Is CISA preparing critical infrastructure for long-term network isolation?
What happened: CISA is advising critical infrastructure operators to prepare for weeks or months of operating independently from IT systems and external networks. The agency plans targeted resilience assessments focused on ensuring utilities can continue essential services while disconnected, driven by concerns over Chinese state-linked groups like Salt Typhoon and Volt Typhoon.
Why it matters: This guidance signals acceptance that current defensive measures are insufficient against nation-state operators. The recommendation to "unplug it" is a tacit admission that hardening OT/ICS integration has failed. For water, energy, and communications sectors, this means rehearsing manual-only operations—a massive disruption to modern infrastructure.
What to do: If you operate critical infrastructure, begin tabletop exercises for manual operations without IT access. Document all critical manual procedures, train staff on analog backups, and test communication systems that do not rely on internet connectivity. Establish clear decision trees for when to isolate OT systems. This is not optional guidance.
Key takeaways
- AI-driven vulnerability scanning will systematically uncover decades of latent bugs in legacy code over the next 6-12 months; prepare your inventory and patching processes now.
- Active exploitation of WordPress funnel builder and Cisco SD-WAN requires immediate action; these are not theoretical risks.
- When vendors reject legitimate vulnerability reports (like Microsoft did with Azure), the security research community loses incentive to report; this benefits attackers.
- GitHub token compromise is now a common attack vector against software supply chains; implement short-lived tokens and strict access controls.
- Critical infrastructure operators should begin preparing now for long-term network isolation scenarios; in threat modeling, the era of "always connected" OT is ending.