
A
From the CISO series. It's Cybersecurity Headlines
B
These are the Cybersecurity Headlines for Monday, May 18, 2026. I'm Steve Prentiss.

Grafana GitHub token breach leads to extortion attempt

Grafana Labs has disclosed that an attacker gained unauthorized access to part of the company's GitHub environment after obtaining a compromised GitHub token. According to the company, the intruder downloaded portions of Grafana's source code and later attempted to extort the company. Grafana emphasized that the breach did not impact customers' systems, hosted services, or personal data, and that the stolen code did not contain production secrets. The company quickly revoked the exposed token, rotated credentials, and launched an internal investigation. The incident highlights the ongoing risk posed by leaked developer credentials and the growing focus cybercriminals are placing on software supply chain environments and source code repositories.

Microsoft rejects Azure vulnerability report and researcher disputes the decision

A security researcher is accusing Microsoft of quietly fixing a serious Azure Backup for Kubernetes vulnerability after initially rejecting the report and declining to issue a CVE identifier. The researcher claimed the flaw could have allowed users with low-level backup permissions to gain broader access within Azure Kubernetes Service environments. Microsoft reportedly maintained that the behavior was expected and not a security vulnerability, despite evidence that changes were later made to the platform. The situation has sparked criticism from parts of the security community, who argue that inconsistent disclosure and classification practices can make it harder for organizations to properly assess risk and prioritize defensive measures in cloud environments.
Funnel Builder flaw actively exploited to steal payment data

Researchers are warning that a critical vulnerability in the WordPress Funnel Builder plugin is being actively exploited to inject malicious payment-skimming code into WooCommerce checkout pages. The flaw affects more than 40,000 websites using the plugin and allows attackers to insert fake Google Tag Manager scripts that steal customer credit card information during checkout. Security experts say attackers are moving quickly to exploit unpatched systems, making immediate updates essential. Developers have released version 3.15.0.3 to address the issue, and administrators are being urged to inspect checkout pages for unauthorized scripts.

CISA orders federal agencies to patch Cisco SD-WAN bug immediately

CISA has ordered all US federal civilian agencies to immediately patch the critical Cisco Catalyst SD-WAN vulnerability that is already being actively exploited. The flaw allows unauthenticated remote attackers to gain elevated access to affected systems and has been added to the KEV. Cisco has released patches and has warned that the vulnerability represents a serious risk to organizations relying on SD-WAN infrastructure. Federal agencies were given a tight remediation deadline under an emergency directive, reflecting concern that attackers could use the flaw to gain persistent access into government networks.

Huge thanks to our sponsor, ThreatLocker. ThreatLocker is extending zero trust beyond endpoint control with their recent release of Zero Trust Network Access and Zero Trust Cloud Access. Access isn't based on credentials alone. It requires the right user, the right device and the right conditions because, as we've seen in recent large-scale CRM breaches, stolen credentials and misconfigurations can expose massive amounts of data. With ThreatLocker, nothing is exposed and access is limited to exactly what's needed.
Learn more and start your free trial today at threatlocker.com/CISO.

Microsoft warns of Exchange Server zero-day under active attack

Microsoft is warning organizations to immediately apply mitigations for a newly disclosed Exchange Server zero-day that is already being exploited in the wild. The CVE-numbered flaw affects Exchange Server Subscription Edition along with Exchange 2016 and 2019. Researchers say the spoofing and cross-site scripting issue could allow attackers to compromise enterprise email environments. The vulnerability surfaced only days after Microsoft's May Patch Tuesday updates, which notably contained no reported zero-days at release time.

Pwn2Own Berlin hackers exploit Windows 11 and Edge

At the opening day of the Pwn2Own Berlin 2026 competition, security researchers earned more than $523,000 after successfully demonstrating 24 unique zero-day exploits against widely used technologies, including Windows 11 and Microsoft Edge. The event showcased how rapidly attackers and researchers alike are discovering vulnerabilities in modern operating systems and browsers. Several exploits targeted privilege escalation and sandbox escapes, while others demonstrated remote code execution.

Researchers discover 18-year-old NGINX vulnerability

Researchers have discovered a flaw in the popular open source web server NGINX that can lead to denial-of-service attacks and, under certain conditions, possible remote code execution. The flaw was reportedly identified using an autonomous AI-driven scanning system capable of analyzing legacy code for hidden weaknesses. Researchers say the discovery demonstrates how older, widely trusted infrastructure software may still contain exploitable bugs that had escaped earlier scrutiny. NGINX remains one of the world's most commonly deployed web servers, meaning any serious vulnerability has potentially massive downstream impact across cloud services, websites and enterprise applications.
CISA urges critical infrastructure to prepare for long-term isolation

The agency is advising infrastructure operators to prepare for the possibility of operating independently from IT systems and third-party vendors for weeks or even months during a major cyber conflict. The guidance is driven largely by concern over persistent threats from Chinese state-linked groups such as Salt Typhoon and Volt Typhoon. CISA plans to conduct targeted resilience assessments focused on ensuring utilities and infrastructure operators can continue delivering essential services even if disconnected from external networks. The agency says organizations should strengthen operational technology resilience and rehearse manual recovery procedures, reflecting growing fears that future cyber conflicts may deliberately target interconnected infrastructure dependencies.

If you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentiss reporting for the CISO Series.
A
Cybersecurity Headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.
Date: May 18, 2026
Host: Steve Prentiss, CISO Series
Theme: Key Cybersecurity Events and Trends—Daily Security News Roundup
This episode delivers rapid-fire coverage of the most pressing cybersecurity news as of May 18, 2026. Host Steve Prentiss discusses incidents ranging from source code extortion and cloud platform vulnerabilities to plugin flaws actively exploited in the wild and new government directives issued in response to critical bugs. Throughout, the episode stresses the growing sophistication of both attackers and defenders, emerging risks in software supply chains, and the need for rapid response and resilience in enterprise environments.
[00:07 – 01:09]
Grafana Labs confirmed unauthorized access to part of its GitHub environment via a compromised token.
The attacker downloaded portions of source code and later attempted to extort the company.
Grafana asserted no impact to customer systems or personal data, and that production secrets were not exposed.
Company actions: Revoked the exposed token, rotated credentials, and began an internal investigation.
"The incident highlights the ongoing risk posed by leaked developer credentials and the growing focus cybercriminals are placing on software supply chain environments and source code repositories." – Steve Prentiss [01:00]
[01:10 – 02:02]
A researcher claims Microsoft quietly fixed a serious Azure Backup for Kubernetes vulnerability after refusing to acknowledge it as a security flaw or assign a CVE.
The bug allegedly let users with backup permissions escalate their privileges in Azure Kubernetes Service.
Despite apparent remediation, Microsoft maintained the activity was expected and not a vulnerability.
This sparked criticism over inconsistent disclosure and classification.
"... inconsistent disclosure and classification practices can make it harder for organizations to properly assess risk and prioritize defensive measures in cloud environments." – Steve Prentiss [01:45]
[02:03 – 02:45]
Critical flaw in the Funnel Builder plugin allows attackers to inject malicious code into WooCommerce checkout pages.
Over 40,000 WordPress sites at risk, as attackers insert fake Google Tag Manager scripts to steal customer credit card data.
Developers released version 3.15.0.3 to address the issue; urgent updates and inspection of checkout pages recommended.
"Attackers are moving quickly to exploit unpatched systems, making immediate updates essential." – Steve Prentiss [02:30]
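The recommended check for this story is to look for scripts on the checkout page that the site operator did not put there. The following is an added example, not code from the episode, the plugin, WordPress or WooCommerce: it parses a saved copy of the checkout page's HTML, lists every external script host and every absolute URL embedded in inline script bodies, and reports hosts that are not on an operator-maintained allowlist, singling out hosts that imitate Google Tag Manager, which is the pattern the story describes. The allowlist, the sample page and every hostname in it are constructed for illustration.

```python
"""Audit the <script> tags on a saved checkout page against an allowlist.

Added example for the Funnel Builder story; not code from the episode,
the plugin, WordPress or WooCommerce. The allowlist, the sample page and
every hostname below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_GTM_HOST = "www.googletagmanager.com"

# Third-party hosts the operator expects on checkout (constructed sample
# allowlist; a real one lists whatever the site actually loads).
ALLOWED_HOSTS = {
    LEGIT_GTM_HOST,
    "www.google-analytics.com",
    "js.stripe.com",
}

# Absolute URLs inside inline script text: enough to catch a loader that
# builds a <script> element pointing at another host.
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)


class ScriptCollector(HTMLParser):
    """Collect external script src values and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands script content through as raw data.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def host_of(url):
    """Hostname of an absolute or protocol-relative URL; '' for same-origin paths."""
    return urlparse(url.strip()).netloc.lower().split("@")[-1].split(":")[0]


def classify_host(host):
    """Label a script host: allowed, same-origin, gtm-lookalike or unexpected."""
    if host == "":
        return "same-origin"
    if host in ALLOWED_HOSTS:
        return "allowed"
    # A host that carries the tag-manager name but is not the real one.
    if "googletagmanager" in host or "gtm" in host.split("."):
        return "gtm-lookalike"
    return "unexpected"


def audit_checkout_html(html):
    """Return (kind, host) findings for scripts that do not belong on the page."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = host_of(src)
        kind = classify_host(host)
        if kind not in ("allowed", "same-origin"):
            findings.append(("external-" + kind, host))
    for body in collector.inline:
        seen = set()
        for url in URL_RE.findall(body):
            host = host_of(url)
            kind = classify_host(host)
            if kind not in ("allowed", "same-origin") and host not in seen:
                seen.add(host)
                findings.append(("inline-" + kind, host))
    return findings


# Constructed checkout page: two legitimate tags, one same-origin plugin
# script, one lookalike tag-manager host, and one inline loader that pulls
# a script from a host not on the allowlist.
SAMPLE_HTML = """
<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<script src="https://js.stripe.com/v3/"></script>
<script src="/wp-content/plugins/example-plugin/checkout.js"></script>
<script src="//googletagmanager-cdn.example/gtm.js"></script>
<script>
var u = 'https://static.analytics-example.net/collect.js';
var s = document.createElement('script'); s.src = u;
document.head.appendChild(s);
</script>
</head><body><form id="checkout"></form></body></html>
"""

if __name__ == "__main__":
    for kind, host in audit_checkout_html(SAMPLE_HTML):
        print(f"{kind}: {host}")
```

Run it against HTML saved from a real checkout session (the injected code may only be present on the checkout step, so a fetch of the home page proves nothing). Same-origin scripts are deliberately left out of the findings: a skimmer written into a plugin or theme file on the site itself needs a file-integrity comparison against a known-good install rather than a hostname check.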
[02:46 – 03:35]
The US Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to immediately patch a critical Cisco Catalyst SD-WAN vulnerability.
The flaw grants unauthenticated remote attackers elevated system access; already exploited in the wild.
Cisco has issued patches; agencies face tight deadlines, underscoring the urgency of protecting SD-WAN infrastructure.
"The vulnerability represents a serious risk to organizations relying on SD WAN infrastructure. Federal agencies were given a tight remediation deadline under an emergency directive." – Steve Prentiss [03:20]
[04:07 – 04:40]
Microsoft warns of a newly exploited Exchange Server zero-day impacting multiple Exchange versions.
The bug enables spoofing and cross-site scripting, threatening enterprise email environments.
The vulnerability was discovered just after May’s Patch Tuesday, which had no zero-days at release.
"Researchers say the spoofing and cross-site scripting issue could allow attackers to compromise enterprise email environments." – Steve Prentiss [04:35]
[04:41 – 05:09]
At Pwn2Own Berlin, researchers showcased 24 zero-day exploits against technologies like Windows 11 and Microsoft Edge.
Over $523,000 in awards; demonstrations included privilege escalation, sandbox escape, and remote code execution.
"The event showcased how rapidly attackers and researchers alike are discovering vulnerabilities in modern operating systems and browsers." – Steve Prentiss [05:00]
[05:10 – 05:50]
Researchers found an 18-year-old vulnerability in the popular NGINX web server, enabled by AI-driven legacy code analysis.
The flaw can cause denial-of-service and, in rare cases, possible remote code execution.
Potential widespread impact, given NGINX’s prevalence in global web infrastructure.
"Older, widely trusted infrastructure software may still contain exploitable bugs that had escaped earlier scrutiny." – Steve Prentiss [05:40]
[05:51 – 06:53]
CISA is advising critical infrastructure operators to be ready to function independently from IT systems and third-party vendors for extended periods during major cyber crises.
Motivation stems from concerns over persistent threats by state-linked actors (e.g., Salt Typhoon, Volt Typhoon).
CISA will conduct resilience assessments and recommends practicing manual recovery procedures.
"... organizations should strengthen operational technology resilience and rehearse manual recovery procedures, reflecting growing fears that future cyber conflicts may deliberately target interconnected infrastructure dependencies." – Steve Prentiss [06:45]
For further reading and details on each headline, visit CISOseries.com.