Home / Episodes / May 22, 2026
Episode show notesMay 22's Top Cyber News NOW! - Ep 1138
At a glance
Cisco patches a critical 10.0 CVSS vulnerability in Secure Workload that allows unauthenticated attackers to gain admin privileges; Microsoft's notification email system is being abused to distribute phishing at scale; Google's Chrome vulnerability discovery has surged to over 100 in a single advisory, likely driven by AI tooling; law enforcement seized FirstVPN infrastructure across 27 countries in a major takedown; and Flipper Devices released the Flipper One, a portable Linux computer for security research and hardware tinkering.
Stories covered
Does Cisco Secure Workload's 10.0 CVSS vulnerability require immediate action?
What happened: Cisco announced a vulnerability (CVE not specified in transcript) with a CVSS score of 10.0 in Secure Workload that allows unauthenticated attackers to gain site admin privileges via malformed API requests to internal REST API endpoints.
Why it matters: The 10.0 score indicates active exploitation in the wild. Vulnerable systems can be compromised without credentials or user interaction, giving attackers immediate admin access to clusters in both SaaS and on-premises environments.
What to do: Immediately assess whether you run Secure Workload and which versions are deployed. Confirm if vulnerable components are enabled. If exposed, patch immediately. If not yet patched, engage your SOC team to add indicators of compromise to your SIEM and hunt for evidence of prior exploitation.
---
Why are threat actors successfully spoofing Microsoft's official notification email address?
What happened: Scammers have exploited a loophole in Microsoft systems to send phishing emails from msonline-services-team@microsoftonline.com—the legitimate address Microsoft uses for account alerts and MFA notifications—without spoofing.
Why it matters: End users have been trained to trust emails from @microsoftonline.com, making this attack vector particularly effective. Phishing remains the leading attack vector, and leveraging trusted domains significantly lowers victim defenses.
What to do: Layer detection controls: enforce MFA to block attackers who steal credentials, deploy conditional access to prevent logins from unexpected geographies, and normalize end-user reporting of suspicious emails without fear of punishment. Educate users that they won't face penalties for admitting phishing mistakes.
---
Is Google's surge in Chrome vulnerability disclosures driven by AI-powered security testing?
What happened: Google's Chrome security advisories jumped from 16 vulnerabilities (April 15) to 21 (April 28) to over 100 (May 5), with more than 70 discovered internally. Google has not confirmed whether AI tooling like Claude or similar systems accelerated discovery.
Why it matters: Expect a sustained increase in vulnerability disclosures across vendors using AI-assisted fuzzing and code analysis. Patch velocity will need to accelerate to keep pace with discovery rates.
What to do: Patch Chrome and all Chromium-based browsers (Edge, Brave, etc.) regularly and aggressively. Prioritize patch deployment in your organization and establish automated patch testing for critical applications. Plan for higher patch volumes going forward.
---
How did French and Dutch law enforcement shut down FirstVPN, a service favored by cybercriminals?
What happened: Joint international operation seized FirstVPN servers across 27 countries, arrested the administrator, and conducted raids in Ukraine. FirstVPN was widely used by ransomware and cybercrime operators and deliberately ignored law enforcement requests for user data.
Why it matters: Law enforcement is disrupting not just threat actors but the tertiary vendors enabling them. Threat actors now lose a trusted anonymization service, forcing them to adapt their infrastructure.
What to do: Monitor for threat actors shifting to alternative VPN services and proxy infrastructure. Update your threat intel feeds to track which VPN and anonymization services are now favored by known threat groups.
---
Are Chinese-attributed Showboat and JFM malware variants a serious threat to your environment?
What happened: Two malware families—Showboat (Linux) and JFM Backdoor (Windows)—attributed to China's Calypso threat group have been active since mid-2022, targeting Asia-Pacific and Middle East organizations. They support file upload/download, process hiding, and persistence.
Why it matters: The malware is sophisticated, but it only executes if initial infection occurs. This is post-compromise tooling, not an initial infection vector. Preventing the first foothold eliminates the threat.
What to do: Focus on preventing initial compromise: educate users against phishing and USB insertion, enforce application allowlisting, and segment networks. Investigate how these malware families enter your environment rather than assuming advanced malware alone is the threat.
---
Why did Discord enable end-to-end encryption for voice and video calls without announcement?
What happened: Discord deployed its DAVE encryption protocol as the default for voice and video calls across PC, phone, console, and browser platforms, with the exception of stage channels designed for broadcast communication.
Why it matters: Privacy improvement with zero friction or user burden—calls work exactly as before but are now encrypted by default. This contrasts with Meta (removing E2E from Instagram DMs) and TikTok (refusing to add E2E).
What to do: Monitor for sensitive business communications moving to Discord. While this is a positive privacy change, ensure your organization has clear policies on what data and communications should not transit through any third-party platform, encrypted or not.
---
Will the UK's Computer Misuse Act reform actually protect security researchers?
What happened: The UK government announced plans to amend the Computer Misuse Act of 1990 to protect researchers, but sources indicate statutory defenses are narrowly limited to researchers prosecuted for scanning internet-facing systems—leaving most security researchers unprotected.
Why it matters: Tools like Shodan are essential to vulnerability research and threat hunting. A narrow legal defense creates chilling effects on legitimate security research and vulnerability disclosure in the UK and internationally.
What to do: If your organization conducts security research in the UK, monitor the final language of the amended Act. Consider engaging with professional organizations advocating for broader statutory protections for researchers before the law is finalized.
---
What is the Flipper One, and should security researchers care?
What happened: Flipper Devices released the Flipper One, a portable Linux pocket computer with a RockChip processor and secondary RP2040 chip designed for cybersecurity research, networking, and hardware tinkering—a different device from the wireless-focused Flipper Zero.
Why it matters: This is an open-source, portable Linux machine designed for security professionals and hobbyists. Active community development and accessibility may drive new research and tool development in hardware hacking and network research.
What to do: Monitor for community tools and exploits developed around the Flipper One. If hardware security testing is part of your practice, consider evaluation once available. Track how threat actors might repurpose the platform for attacks.
Key takeaways
- A 10.0 CVSS score signals active exploitation in the wild—prioritize Cisco Secure Workload patching immediately if you run it.
- Prevent compromises at initial infection; advanced malware like Showboat only executes post-compromise, so hardening first-touch defenses yields higher ROI than analyzing post-compromise tooling.
- AI-driven vulnerability discovery is accelerating across vendors—plan for sustained high patch volumes and automate patch testing and deployment.
- Phishing using trusted domain names remains highly effective; normalize end-user reporting and layer detection controls (MFA, conditional access) rather than relying solely on awareness training.
- Law enforcement is targeting the infrastructure and services enabling cybercrime, not just threat actors themselves; disrupt the supply chain.
Topics covered
Want the live experience? The Daily Cyber Threat Brief airs live every weekday at 5am PT / 8am ET on YouTube. 400+ practitioners join the chat in real time.