Cybersecurity: Threats and Defences
8 May

KB5091157, Gentlemen C2 intel, ENISA CNAs: in brief

10:57 UTC

Microsoft's 19 April emergency KB5091157 fixed LSASS reboot loops on PAM domain controllers. Separately, Check Point Research turned a Gentlemen ransomware SystemBC C2 server into victim intelligence on 1,570 targets, and ENISA onboarded four new CVE Numbering Authorities under ENISA Root on 6 May.

Technology · Developing
Key takeaway

Gentlemen ransomware has five times more victims than self-reported; ENISA expands EU CVE governance ahead of CRA.

Microsoft issued out-of-band emergency patch KB5091157 on 19 April for Windows Server 2016 through 2025, fixing Local Security Authority Subsystem Service (LSASS) reboot loops on Privileged Access Management (PAM)-enabled domain controllers.[1] PAM governs administrator credentials on corporate networks; unexpected reboots on PAM controllers disrupt credential-gating availability in high-security estates, which is a separate risk class from the vulnerability exploitation covered elsewhere in this briefing.

Check Point Research gained access to a SystemBC command-and-control server operated by The Gentlemen ransomware group and found it holding records on 1,570 victims, roughly five times the 320 the group has posted publicly on its leak site.[2] The discrepancy matters for insurance and regulatory breach-exposure assessments: public leak-site counts are self-reported by the operator and consistently undercount true victim scope. The real count is visible only when a C2 server is compromised or seized.

DragonForce ransomware has been confirmed using SimpleHelp RMM (Remote Monitoring and Management) flaws CVE-2024-57726 and CVE-2024-57728 as initial access vectors, according to research by Arctic Wolf.[3] NHS Digital advisory CC-4623 from 2025 on SimpleHelp exploitation remains applicable. The SimpleHelp entry also appears on the week's KEV additions alongside the CVEs covered in the main briefing.

Palo Alto Networks acquired AI-gateway firm Portkey for an estimated $130 million in April. April cyber M&A ran to 33 deals, down from 38 in March, reflecting a modest deceleration in the sector consolidation pace that the Google/Wiz transaction anchors.[4]

European Union Agency for Cybersecurity (ENISA) onboarded four new CVE Numbering Authorities (CNAs) under its own ENISA Root on 6 May, advancing the EU's independent vulnerability disclosure governance ahead of Cyber Resilience Act (CRA) reporting obligations from September 2026.[5] The EU is incrementally reducing its dependence on US CVE programme infrastructure for vulnerability numbering across European product vendors.

Deep Analysis

In plain English

This section covers five smaller developments from the same week. Microsoft released an emergency patch on 19 April for a problem affecting Windows Server domain controllers, the servers that manage user accounts and passwords in large organisations. The problem caused these servers to restart repeatedly in environments using a specific security feature called Privileged Access Management. Check Point Research, a security firm, gained access to a server used by a ransomware group called The Gentlemen to manage its attacks. From that server they were able to identify 1,570 victims, information they shared with authorities. DragonForce, a ransomware group, confirmed using known flaws in a remote-access tool called SimpleHelp to break into organisations. Those flaws had been publicly known since early 2024. Palo Alto Networks, a large cybersecurity company, bought an AI security startup called Portkey for around $130 million. Europe's cybersecurity agency ENISA added four new organisations to its network of bodies authorised to officially assign tracking numbers to newly discovered security flaws, reducing European dependence on US processes.

Root Causes

The DragonForce confirmation that SimpleHelp RMM flaws CVE-2024-57726 and CVE-2024-57728 served as initial access reflects a recurring structural issue in the remote monitoring and management market: RMM tools are designed to have privileged access to managed endpoints by default, which makes them structurally high-value targets.

The SimpleHelp vulnerabilities were publicly disclosed in January 2024; DragonForce's confirmed use in 2026 indicates a two-year exploitation window for organisations that did not patch.

The Portkey acquisition by Palo Alto Networks for approximately $130 million reflects a consolidation dynamic in the AI-gateway market: as enterprises build more workflows that route prompts through AI APIs, the security of that routing layer has become a procurement concern. Palo Alto's acquisition signals that AI-gateway security is now treated as a perimeter control, not an application feature.

ENISA's onboarding of four new CNAs (CVE Numbering Authorities) under ENISA Root on 6 May reflects the EU's sustained effort to reduce dependence on MITRE's US-based CVE allocation process. Each European CNA reduces the number of European vulnerability disclosures that route through a US institution.

What could happen next?
  • Risk

    Organisations using PAM-enabled domain controllers that applied KB5091157 should validate domain controller stability and confirm no follow-on interaction bugs exist before treating the patch as a complete resolution.

    Immediate · 0.75
  • Consequence

    Check Point's C2-infiltration technique on The Gentlemen's SystemBC server demonstrates that victim intelligence obtained through counter-operations exceeds what law enforcement takedown notices produce, adding a tactical argument for offensive-defensive blended approaches in ransomware disruption.

    Short term · 0.7
  • Opportunity

    ENISA's expansion of the European CNA network under ENISA Root reduces single-point-of-failure risk in EU vulnerability disclosure pipelines and builds institutional memory for European CVE governance independent of MITRE.

    Medium term · 0.8
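For the first item above (validating PAM-enabled domain controllers after KB5091157), here is a PowerShell sweep added as an example; it is not code from the briefing or from Microsoft. It checks whether the domain's Privileged Access Management optional feature is enabled, whether KB5091157 is present on each domain controller, and whether unexpected shutdowns (System event 6008) or LSASS application crashes (Application event 1000 naming lsass.exe) have been logged since the patch date. It assumes the RSAT ActiveDirectory module and remote event-log and WMI access to each DC; the event IDs are standard Windows events, not taken from the page.

```powershell
# Added example: post-KB5091157 stability check across domain controllers.
# Assumes RSAT ActiveDirectory and remote WMI/event-log access (not from the briefing).
$Kb    = 'KB5091157'
$Since = Get-Date '2026-04-19'   # out-of-band patch release date given in the briefing

# The reboot loop only affects PAM-enabled forests; check the AD optional feature first.
$pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
$pamEnabled = @($pam.EnabledScopes).Count -gt 0
Write-Host "PAM optional feature enabled: $pamEnabled"

$Dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $Dcs) {
    # Get-HotFix queries Win32_QuickFixEngineering on the remote host.
    $patched = $null -ne (Get-HotFix -Id $Kb -ComputerName $dc -ErrorAction SilentlyContinue)

    # System event 6008: "The previous system shutdown ... was unexpected".
    $dirty = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; Id = 6008; StartTime = $Since }

    # Application event 1000 (Application Error) whose faulting image is lsass.exe.
    $lsass = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Application'; Id = 1000; StartTime = $Since } |
        Where-Object { $_.Message -match 'lsass\.exe' }

    $dirtyCount = @($dirty).Count
    $lsassCount = @($lsass).Count

    # Classify: unpatched DCs come first, then DCs with post-patch instability signals.
    if (-not $patched)                        { $status = 'UNPATCHED' }
    elseif ($dirtyCount -gt 0 -or $lsassCount -gt 0) { $status = 'REVIEW' }
    else                                       { $status = 'OK' }

    [pscustomobject]@{
        DomainController  = $dc
        PamEnabledForest  = $pamEnabled
        KBInstalled       = $patched
        UnexpectedReboots = $dirtyCount
        LsassCrashes      = $lsassCount
        Status            = $status
    }
}

$results | Sort-Object Status | Format-Table -AutoSize
```

A DC marked REVIEW with the patch installed is the case the briefing warns about: the KB is present but instability signals persist, so it should not yet be treated as resolved.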
First Reported In

Update #3 · CISA's deadline outruns Palo Alto's patch

BleepingComputer · 8 May 2026
Causes and effects
This Event
KB5091157, Gentlemen C2 intel, ENISA CNAs: in brief
A cluster of reinforcing developments: an emergency domain-controller patch, a C2 compromise revealing a ransomware group's true victim count at five times its self-reported figure, and EU CVE governance expanding ahead of Cyber Resilience Act obligations.
Different Perspectives

Norwegian Security and Service Organisation
NSSO was a prior victim of Ivanti EPMM zero-days and now faces CVE-2026-6973 in the same product line. Ivanti's position that on-premises EPMM is the only affected tier provides limited reassurance to a government body that has already been compromised twice via the same vendor's MDM infrastructure.

ENISA and EU CNA Ecosystem
ENISA onboarded four new CVE Numbering Authorities under ENISA Root on 6 May, expanding EU-sovereign vulnerability disclosure infrastructure in the same week three critical CVEs entered the CISA KEV catalogue. Greater CNA coverage inside the EU reduces dependence on US-anchored MITRE for European-sourced vulnerability identifiers.

German Federal Office for Information Security (BSI)
BSI rated CVE-2026-41940 in cPanel 'very high', reflecting Germany's exposure across shared-hosting infrastructure for Mittelstand businesses. The 65-day zero-day window and the amplification effect of cPanel's multi-tenancy model mean the BSI rating applies to thousands of German SME websites hosted on affected servers.

Republic of Korea National Intelligence Service
South Korea's NIS tracks UNC1069's tooling evolution; the CSIS paper argues the ROK's intelligence on DPRK cyber operations should feed joint US-ROK situational awareness rather than bilateral channels that move too slowly for real-time supply-chain response.

Democratic People's Republic of Korea
UNC1069's Axios operation scales North Korea's supply-chain access from niche Python packages to the most downloaded HTTP client in the JavaScript ecosystem. WAVESHAPER.V2 provides persistent access to development environments where cryptocurrency wallets and API keys are stored, serving the sanctions-evasion funding logic behind earlier DPRK toolchain operations.

WatchTowr Labs
WatchTowr Labs disclosed CVE-2026-41940 after the 28 April patch shipped, providing the 65-day exploitation timeline from KnownHost telemetry. The disclosure is textbook; the open question is why WebPros did not catch the cpsrvd CRLF class flaw before external researchers found it under active exploitation.