
A
From the CISO Series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Friday, May 22, 2026. I'm Steve Prentiss.

Cisco issues 10.0-rated Secure Workload admin flaw warning
Cisco has announced the existence of a vulnerability with a CVSS score of 10.0, which can enable unauthenticated attackers to gain site admin privileges in its Cisco Secure Workload cluster software in both SaaS and on-prem environments. This by sending crafted API requests to vulnerable systems. The CVE-numbered vulnerability comes down to weak validation and authentication checks in internal REST API endpoints, end quote. This means attackers don't require credentials, user interaction, or any significant effort to exploit the bug. Cisco released patches for this critical vulnerability yesterday, Thursday.

Spammers abuse internal Microsoft Online account
A loophole in an internal Microsoft system has been allowing the distribution of spam emails from an email address typically used for sending legitimate account alerts. Scammers have been able to set up new Microsoft accounts as if they were new customers and use that access to send out emails purportedly from the tech giant itself. The emails are sent from msonline-servicesteam@microsoftonline.com, which is an email account that Microsoft uses to send important notifications to users such as two-factor authentication codes and other critical alerts about their online account. When contacted by TechCrunch earlier this week, a Microsoft spokesperson acknowledged the inquiry but did not comment or say if the company had stopped the abuse of this notification email.

Google sees surge in Chrome vulnerability announcements
A comparison of Chrome security advisories published by Google shows quite an increase from 16 for the Chrome update released on April 15 to 21 for the update issued on April 28, and then 100 in the advisory published on May 5. More than 70 of these vulnerabilities patched were found internally by the tech company.
Google has not clarified if the surge correlates to any use of AI, but they would be joining many other organizations such as Mozilla, that have also reported surges in vulnerability discovery thanks to the use of internal or third-party tools, including Claude's Mythos.

Police First VPN service used in cyber attacks
The takedown was the result of a joint international law enforcement operation led by French and Dutch authorities and which was the result of an investigation that started in 2021. The forces seized dozens of First VPN servers located in 27 countries, arrested the administrator and conducted a house search in Ukraine. The VPN service had been, quote, advertised on various cybercrime forums as a privacy-focused VPN that does not log user data and ignores law enforcement requests for user information. End quote.

Huge thanks to our sponsor ThreatLocker. ThreatLocker is extending zero trust beyond endpoint control with their recent release of Zero Trust Network Access and Zero Trust Cloud Access. Access isn't based on credentials alone. It requires the right user, the right device and the right conditions. Because as we have seen in recent large-scale CRM breaches, stolen credentials and misconfigurations can expose massive amounts of data. With ThreatLocker, nothing is exposed and access is limited to exactly what is needed. Learn more and start your free trial today at threatlocker.com/CISO.

Chinese hackers target telcos with new Linux and Windows malware
Two newly discovered applications, a Linux malware called Showboat and a Windows malware called JFM BackDoor, have been active since at least mid-2022 and are targeting organizations across the Asia Pacific and parts of the Middle East. It has been attributed to the Calypso Threat Group, also tracked as Red Lamassu. The malware can upload or download files, hide its own process and establish persistence via a new service.
Researchers at Lumen's Black Lotus Labs conclude that the tooling is likely shared across multiple China-aligned threat groups, each targeting different regions and using the same malware ecosystem.

Discord adds end-to-end encryption to voice and video calls by default
Without any major announcement, Discord started using its DAVE encryption protocol, that is DAVE, designed to support voice and video calls on PCs, phones, consoles and browsers with minimal latency. This goes in stark contrast to Meta, which removed its end-to-end encryption from Instagram's direct messaging feature, as well as TikTok, which confirmed it would not be adding end-to-end encryption to direct messages. Monday's change simply makes encryption the default for everyone, with the exception of its Stage channels, which are designed for broadcast-style communication.

UK cybercrime law reform would protect almost no one, say experts
According to Recorded Future News, the British government's plans to overhaul the country's main cybercrime law would offer such narrow legal protections that most security researchers would be left in the same position as today, end quote. As we reported last week, plans to amend the Computer Misuse Act of 1990 were announced in the King's Speech with the goal of modernizing cybersecurity law. The updated law was intended to protect researchers from conviction in court as long as they meet certain safeguards. But sources say those safeguards are extremely limited to cases where researchers are being prosecuted for scanning internet-facing systems. A link to the full breakdown of the proposed law is available in the show notes to this episode.

Move over Flipper Zero, Flipper One is in town
The Flipper One is an open Linux pocket computer from Flipper Devices, the makers of the infamous Flipper Zero multitool device. It is essentially a tiny Linux computer designed for cybersecurity research, electronics experimentation, networking and hardware tinkering.
Whereas the Flipper Zero was built around a microcontroller, the Flipper One reportedly uses a much stronger Rockchip processor plus a secondary Raspberry Pi-style RP2040 chip for lower-level hardware handling, and will likely be of greatest interest to cybersecurity professionals who want a portable toolkit as well as electronics hobbyists and Linux enthusiasts.

Remember to join us later today at 4 p.m. for our Department of Know livestream. This week we're joined by Mike Lockhart, CISO at Eagle View, and Kathleen Mullen, the former CISO at MyCargorithm. And we'll be digging into how the news of the week applies to your security teams, what stories are more noise than signal, and having some fun with our live chat. Be sure you're subscribed to the CISO Series on YouTube to catch the stream at 4 p.m. Eastern later today. And if you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentiss reporting for the CISO Series.
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Date: May 22, 2026
Host: Steve Prentiss, CISO Series
This episode of the daily Cybersecurity Headlines podcast focuses on recent critical vulnerabilities, threat landscape changes, and security industry developments—from Cisco’s 10.0-rated flaw to Microsoft email abuse, Google Chrome’s vulnerability surge, major law enforcement actions, new malware campaigns, and regulatory news.
This episode spotlights an urgent Cisco flaw, the dangers of abused trusted email addresses, browser security trends, major cybercrime crackdowns, emerging global threats, and evolving tools and regulatory frameworks. For daily, actionable cyber news, listeners are encouraged to subscribe and tune in to the CISO Series.