Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
30APR

KB5091157, Gentlemen C2 intel, ENISA CNAs: in brief

3 min read
08:16UTC

Microsoft's 19 April emergency KB5091157 fixed LSASS reboot loops on PAM domain controllers. Separately, Check Point Research turned a Gentlemen ransomware SystemBC C2 server into victim intelligence on 1,570 targets, and ENISA onboarded four new CVE Numbering Authorities under ENISA Root on 6 May.

TechnologyDeveloping
Key takeaway

Gentlemen ransomware has five times more victims than self-reported; ENISA expands EU CVE governance ahead of CRA.

Microsoft issued out-of-band emergency patch KB5091157 on 19 April for Windows Server 2016 through 2025, fixing Local Security Authority Subsystem Service (LSASS) reboot loops on Privileged Access Management (PAM)-enabled domain controllers.1 PAM governs administrator credentials on corporate networks; unexpected reboots on PAM controllers disrupt credential-gating availability in high-security estates, which is a separate risk class from the vulnerability exploitation covered elsewhere in this briefing.

Check Point Research gained access to a SystemBC command-and-control server operated by The Gentlemen ransomware group and found it holding records on 1,570 victims, roughly five times the 320 the group has posted publicly on its leak site.2 The discrepancy matters for insurance and regulatory breach-exposure assessments: public leak-site counts are self-reported by the operator and consistently undercount true victim scope. The real count is visible only when a C2 server is compromised or seized.

DragonForce ransomware has been confirmed using SimpleHelp RMM (Remote Monitoring and Management) flaws CVE-2024-57726 and CVE-2024-57728 as initial access vectors, according to research by Arctic Wolf.3 NHS Digital advisory CC-4623 from 2025 on SimpleHelp exploitation remains applicable. The SimpleHelp entry also appears on the week's KEV additions alongside the CVEs covered in the main briefing.

Palo Alto Networks acquired AI-gateway firm Portkey for an estimated $130 million in April. April cyber M&A ran to 33 deals, down from 38 in March , reflecting a modest deceleration in the sector consolidation pace that the Google/Wiz transaction anchors.4

European Union Agency for Cybersecurity (ENISA) onboarded four new CVE Numbering Authorities (CNAs) under its own ENISA Root on 6 May, advancing the EU's independent vulnerability disclosure governance ahead of Cyber Resilience Act (CRA) reporting obligations from September 2026 .5 The EU is incrementally reducing its dependence on US CVE programme infrastructure for vulnerability numbering across European product vendors.

Deep Analysis

In plain English

This section covers five smaller developments from the same week. Microsoft released an emergency patch on 19 April for a problem affecting Windows Server domain controllers, the servers that manage user accounts and passwords in large organisations. The problem caused these servers to restart repeatedly in environments using a specific security feature called Privileged Access Management. Check Point Research, a security firm, gained access to a server used by a ransomware group called The Gentlemen to manage its attacks. From that server they were able to identify 1,570 victims, information they shared with authorities. DragonForce, a ransomware group, confirmed using known flaws in a remote-access tool called SimpleHelp to break into organisations. Those flaws were publicly known since early 2024. Palo Alto Networks, a large cybersecurity company, bought an AI security startup called Portkey for around $130 million. Europe's cybersecurity agency ENISA added four new organisations to its network of bodies authorised to officially assign tracking numbers to newly discovered security flaws, reducing European dependence on US processes.

Deep Analysis
Root Causes

The DragonForce confirmation that SimpleHelp RMM flaws CVE-2024-57726 and CVE-2024-57728 served as initial access reflects a recurring structural issue in the remote monitoring and management market: RMM tools are designed to have privileged access to managed endpoints by default, which makes them structurally high-value targets.

The SimpleHelp vulnerabilities were publicly disclosed in January 2024; DragonForce's confirmed use in 2026 indicates a two-year exploitation window for organisations that did not patch.

The Portkey acquisition by Palo Alto Networks for approximately $130 million reflects a consolidation dynamic in the AI-gateway market: as enterprises build more workflows that route prompts through AI APIs, the security of that routing layer has become a procurement concern. Palo Alto's acquisition signals that AI-gateway security is now treated as a perimeter control, not an application feature.

ENISA's onboarding of four new CNAs (CVE Numbering Authorities) under ENISA Root on 6 May reflects the EU's sustained effort to reduce dependence on MITRE's US-based CVE allocation process. Each European CNA reduces the number of European vulnerability disclosures that route through a US institution.

What could happen next?
  • Risk

    Organisations using PAM-enabled domain controllers that applied KB5091157 should validate domain controller stability and confirm no follow-on interaction bugs exist before treating the patch as a complete resolution.

    Immediate · 0.75
  • Consequence

    Check Point's C2-infiltration technique on The Gentlemen's SystemBC server demonstrates that victim intelligence obtained through counter-operations exceeds what law enforcement takedown notices produce, adding a tactical argument for offensive-defensive blended approaches in ransomware disruption.

    Short term · 0.7
  • Opportunity

    ENISA's expansion of the European CNA network under ENISA Root reduces single-point-of-failure risk in EU vulnerability disclosure pipelines and builds institutional memory for European CVE governance independent of MITRE.

    Medium term · 0.8
First Reported In

Update #3 · CISA's deadline outruns Palo Alto's patch

BleepingComputer· 8 May 2026
Read original
Causes and effects
This Event
KB5091157, Gentlemen C2 intel, ENISA CNAs: in brief
A cluster of reinforcing developments: an emergency domain-controller patch, a C2 compromise revealing a ransomware group's true victim count at five times its self-reported figure, and EU CVE governance expanding ahead of Cyber Resilience Act obligations.
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.