Cybersecurity: Threats and Defences
29 May, 14:17 UTC

KB5091157, Gentlemen C2 intel, ENISA CNAs: in brief

Microsoft's 19 April out-of-band update KB5091157 fixed LSASS reboot loops on PAM-enabled domain controllers. Separately, Check Point Research turned a SystemBC C2 server used by The Gentlemen ransomware group into victim intelligence on 1,570 targets, and ENISA onboarded four new CVE Numbering Authorities under ENISA Root on 6 May.

Key takeaway

Gentlemen ransomware has five times more victims than self-reported; ENISA expands EU CVE governance ahead of CRA.

Microsoft issued out-of-band update KB5091157 on 19 April for Windows Server 2016 through 2025, fixing Local Security Authority Subsystem Service (LSASS) crash-and-reboot loops on domain controllers in forests where the Privileged Access Management (PAM) optional feature is enabled.[1] PAM is the Windows Server forest feature that underpins bastion-forest, time-limited administrative access; when a domain controller in such a forest reboots unexpectedly, the credential-gating path itself becomes unavailable. That is an availability failure in the highest-assurance tier of an estate, a separate risk class from the vulnerability exploitation covered elsewhere in this briefing.
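The check an administrator would want after this kind of patch, as an added example that is not code from the briefing or from Microsoft: confirm the PAM optional feature is actually enabled in the forest, confirm KB5091157 is present on every domain controller, and look for the crash signature that preceded the patch. It assumes a host with the RSAT ActiveDirectory module and remote event-log access to each DC, and it assumes Wininit event 1015 (a critical process, lsass.exe, failed) together with EventLog 6008 and Kernel-Power 41 as the reboot-loop indicators; "Privileged Access Management Feature" is the AD optional feature name that PAM deployments enable.

```powershell
# Added example: fleet check for KB5091157 on domain controllers in a PAM-enabled forest.
# Assumptions (not from the briefing): RSAT AD module available, remote event-log access,
# Wininit 1015 / EventLog 6008 / Kernel-Power 41 used as crash and reboot indicators.
#Requires -Modules ActiveDirectory
param(
    [string]$Kb = 'KB5091157',
    [int]$LookbackDays = 14
)

# 1. Does this forest actually have the PAM optional feature enabled?
$pam = Get-ADOptionalFeature -Filter 'Name -eq "Privileged Access Management Feature"'
$pamEnabled = ($null -ne $pam) -and ($pam.EnabledScopes.Count -gt 0)
if (-not $pamEnabled) {
    Write-Warning 'PAM optional feature is not enabled in this forest; the LSASS reboot-loop issue does not apply here.'
}

$since = (Get-Date).AddDays(-$LookbackDays)
$results = foreach ($dc in (Get-ADDomainController -Filter *)) {
    $name = $dc.HostName

    # 2. Patch presence. Get-HotFix raises an error when the KB is absent,
    #    so a caught error means "not installed".
    $patched = $true
    try { $null = Get-HotFix -Id $Kb -ComputerName $name -ErrorAction Stop }
    catch { $patched = $false }

    # 3. Crash and unexpected-reboot indicators from the System log.
    $filter = @{ LogName = 'System'; StartTime = $since; Id = @(1015, 6008, 41) }
    $events = @(Get-WinEvent -ComputerName $name -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $lsassCrashes = @($events | Where-Object { $_.Id -eq 1015 -and $_.Message -match 'lsass\.exe' })
    $reboots = @($events | Where-Object { $_.Id -in 6008, 41 })

    [pscustomobject]@{
        DomainController  = $name
        PamFeatureEnabled = $pamEnabled
        PatchInstalled    = $patched
        UnexpectedReboots = $reboots.Count
        LsassCrashEvents  = $lsassCrashes.Count
        LastLsassCrash    = ($lsassCrashes | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
    }
}

$results | Sort-Object LsassCrashEvents -Descending | Format-Table -AutoSize
```

A row with PatchInstalled set to True and a LastLsassCrash later than the update's install time is the follow-on case worth raising with Microsoft rather than treating the patch as closed; a row with the feature disabled but crashes present points at a different cause entirely.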

Check Point Research gained access to a SystemBC command-and-control server operated by The Gentlemen ransomware group and found records on 1,570 victims, roughly five times the 320 the group has posted publicly on its leak site.[2] The discrepancy matters for insurance and regulatory breach-exposure assessments: leak-site counts are self-reported by the operator, cover only the victims it chooses to publicise, and consistently undercount true scope. The real count lives only on the operator's own infrastructure and becomes visible when a C2 server is compromised or seized.

DragonForce ransomware has been confirmed using SimpleHelp RMM (Remote Monitoring and Management) flaws CVE-2024-57726 and CVE-2024-57728 as initial access vectors, according to research by Arctic Wolf.[3] SimpleHelp's fixed releases (5.5.8, 5.4.10 and 5.3.9 on the respective branches) have been available since January 2025, so any server still on an older build should be assumed exposed. NHS Digital advisory CC-4623 from 2025 on SimpleHelp exploitation remains applicable. The SimpleHelp entry also appears on the week's KEV additions alongside the CVEs covered in the main briefing.

Palo Alto Networks acquired AI-gateway firm Portkey for an estimated $130 million in April. April cyber M&A ran to 33 deals, down from 38 in March, a modest deceleration in the sector consolidation pace that the Google/Wiz transaction anchors.[4]

The European Union Agency for Cybersecurity (ENISA) onboarded four new CVE Numbering Authorities (CNAs) under its own ENISA Root on 6 May, advancing the EU's independent vulnerability disclosure governance ahead of Cyber Resilience Act (CRA) reporting obligations, which apply from 11 September 2026.[5] The EU is incrementally reducing its dependence on US CVE programme infrastructure for vulnerability numbering across European product vendors.

Deep Analysis

In plain English

This section covers five smaller developments from the same week. Microsoft released an emergency patch on 19 April for a problem affecting Windows Server domain controllers, the servers that manage user accounts and passwords in large organisations. The problem caused these servers to restart repeatedly in environments using a specific security feature called Privileged Access Management. Check Point Research, a security firm, gained access to a server used by a ransomware group called The Gentlemen to manage its attacks. From that server they were able to identify 1,570 victims, information they shared with authorities. DragonForce, a ransomware group, confirmed using known flaws in a remote-access tool called SimpleHelp to break into organisations. Those flaws have been publicly known, with fixes available, since January 2025. Palo Alto Networks, a large cybersecurity company, bought an AI-gateway startup called Portkey for around $130 million. Europe's cybersecurity agency ENISA added four new organisations to its network of bodies authorised to officially assign tracking numbers to newly discovered security flaws, reducing European dependence on US processes.

Root Causes

The DragonForce confirmation that SimpleHelp RMM flaws CVE-2024-57726 and CVE-2024-57728 served as initial access reflects a recurring structural issue in the remote monitoring and management market: RMM tools are designed to hold privileged, always-on access to every managed endpoint, so a single flaw in the server or agent hands an attacker the same reach the administrator has.

The SimpleHelp vulnerabilities were publicly disclosed, with fixed builds, in January 2025; DragonForce's confirmed use in 2026 indicates an exploitation window of well over a year for organisations that did not patch.
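The endpoint-side trace of an intrusion through an RMM product is the same whichever server flaw got the attacker in: the RMM agent, running as SYSTEM, spawns a shell it would not normally spawn. The following is an added example, not code from the briefing, Arctic Wolf or SimpleHelp, that flags that pattern in Sysmon ProcessCreate telemetry. It assumes Sysmon is deployed and writing Event ID 1 to the Microsoft-Windows-Sysmon/Operational channel; the agent image names, including SimpleHelp's "Remote Access.exe", and the two function names ConvertFrom-SysmonEvent and Test-RmmSpawnedShell are illustrative and should be adjusted to the RMM products actually deployed.

```powershell
# Added example: flag shells spawned by an RMM agent process in Sysmon Event ID 1 data.
# Assumptions (not from the briefing): Sysmon present; agent image names below are illustrative.

$RmmAgentPatterns = @(
    'Remote Access\.exe$',                  # SimpleHelp remote access agent (assumed name)
    'ScreenConnect\.ClientService\.exe$',
    'AnyDesk\.exe$',
    'TeamViewer_Service\.exe$'
)
$ShellImages = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe',
               'cscript.exe', 'mshta.exe', 'rundll32.exe'

function ConvertFrom-SysmonEvent {
    # Read EventData by field name; the Properties[] index order shifts between
    # Sysmon schema versions, so positional access is not reliable.
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

function Test-RmmSpawnedShell {
    # $Fields is a hashtable of Sysmon EventData names -> values (Image, ParentImage, ...).
    param([Parameter(Mandatory)] [hashtable]$Fields)
    $parent = [string]$Fields['ParentImage']
    $image  = [string]$Fields['Image']
    $isRmmParent = $false
    foreach ($pattern in $RmmAgentPatterns) {
        if ($parent -match $pattern) { $isRmmParent = $true; break }
    }
    $leaf = [System.IO.Path]::GetFileName($image).ToLowerInvariant()
    return ($isRmmParent -and ($ShellImages -contains $leaf))
}

# Constructed sample events, not real telemetry: one hit, two benign records.
$samples = @(
    @{ UtcTime = '2026-05-20 03:14:07.123'; User = 'NT AUTHORITY\SYSTEM'
       Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c whoami'
       ParentImage = 'C:\Program Files\JWrapper-Remote Access\Remote Access.exe' },
    @{ UtcTime = '2026-05-20 03:14:07.140'; User = 'NT AUTHORITY\SYSTEM'
       Image = 'C:\Windows\System32\conhost.exe'; CommandLine = '\??\C:\Windows\system32\conhost.exe 0x4'
       ParentImage = 'C:\Program Files\JWrapper-Remote Access\Remote Access.exe' },
    @{ UtcTime = '2026-05-20 09:02:11.005'; User = 'CORP\jsmith'
       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe'
       ParentImage = 'C:\Windows\explorer.exe' }
)

$samples | Where-Object { Test-RmmSpawnedShell $_ } |
    ForEach-Object { [pscustomobject]$_ } |
    Format-Table UtcTime, User, ParentImage, CommandLine -AutoSize

# Against live telemetry (last 7 days):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddDays(-7) } |
#     ForEach-Object { ConvertFrom-SysmonEvent $_ } |
#     Where-Object { Test-RmmSpawnedShell $_ } |
#     ForEach-Object { [pscustomobject]$_ }
```

Only the first sample is reported: a SYSTEM-context cmd.exe under the RMM agent. The conhost child is the console host the shell drags in and is not itself a shell, and the user-launched PowerShell under explorer.exe has no RMM parent. Legitimate remote-support sessions will also trip this rule, so in production it belongs behind an allow list of expected support windows or operator accounts rather than as a blocking control.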

The Portkey acquisition by Palo Alto Networks for approximately $130 million reflects a consolidation dynamic in the AI-gateway market: as enterprises build more workflows that route prompts through AI APIs, the security of that routing layer has become a procurement concern. Palo Alto's acquisition signals that AI-gateway security is now treated as a perimeter control, not an application feature.

ENISA's onboarding of four new CNAs (CVE Numbering Authorities) under ENISA Root on 6 May reflects the EU's sustained effort to reduce dependence on MITRE's US-based CVE allocation process. Each European CNA reduces the number of European vulnerability disclosures that route through a US institution.

What could happen next?
  • Risk

    Organisations using PAM-enabled domain controllers that applied KB5091157 should validate domain controller stability and confirm no follow-on interaction bugs exist before treating the patch as a complete resolution.

    Immediate · 0.75
  • Consequence

    Check Point's C2-infiltration technique on The Gentlemen's SystemBC server demonstrates that victim intelligence obtained through counter-operations exceeds what law enforcement takedown notices produce, adding a tactical argument for offensive-defensive blended approaches in ransomware disruption.

    Short term · 0.7
  • Opportunity

    ENISA's expansion of the European CNA network under ENISA Root reduces single-point-of-failure risk in EU vulnerability disclosure pipelines and builds institutional memory for European CVE governance independent of MITRE.

    Medium term · 0.8
First Reported In

Update #3 · CISA's deadline outruns Palo Alto's patch

BleepingComputer · 8 May 2026
Causes and effects

This event (KB5091157, Gentlemen C2 intel, ENISA CNAs: in brief)
A cluster of reinforcing developments: an emergency domain-controller patch, a C2 compromise revealing a ransomware group's true victim count at five times its self-reported figure, and EU CVE governance expanding ahead of Cyber Resilience Act obligations.
Different Perspectives
Google Threat Intelligence Group
GTIG's attribution of the GitHub breach extends UNC6780's documented arc from SAP npm through Cisco AI Defense to GitHub's own estate; its 36-hour LiteLLM exploitation set the speed benchmark CISA AA26-148A is designed to address. GTIG's published tracking gives defenders the actor profile needed to assess their own developer-toolchain exposure.
Enterprise security buyers / CISO community
For enterprise security leaders, two KEV AI-orchestration entries in three weeks (LiteLLM 8 May, Langflow 21 May) convert shadow AI tooling from a governance risk to a confirmed attack surface requiring immediate software asset inventory. The 65 per cent gap in enterprise AI tool inventories documented by Wiz Research is now a liability rather than a compliance footnote.
DSIT / UK Government
DSIT framed the £14.7 billion sector figure and the Cyber Resilience Pledge as a paired signal: commercial strength alongside supply-chain accountability, with £90 million targeting the NHS supplier exposure this briefing's threat events directly illustrate. The voluntary Pledge's enforceability gap, prior to the Cyber Security and Resilience Bill reaching Royal Assent, is the question its launch does not answer.
GitHub / Microsoft
GitHub confirmed that no customer repositories or user data were affected by the Nx Console breach, but acknowledged approximately 3,800 internal repositories were cloned and referred to CISA Alert AA26-148A's allow-listing guidance. The incident puts Microsoft in the position of operating a marketplace whose publisher-verification gap is now a documented attack vector in a federal advisory.
Tsinghua University Institute for International Strategic Studies
Beijing-aligned commentary rejects US attribution of PRC-nexus clusters (UNC2814, APT45, UAT-8616) as politically motivated framing, characterising the April sixteen-agency joint advisory as coordinated Western pressure rather than independent technical assessment.
Cisco
Cisco has not confirmed the UNC6780 breach scope beyond the named AI Defense and AI Assistant projects; GitHub confirmed an investigation. CVE-2026-20182 is the sixth Cisco SD-WAN KEV entry in 2026, reaching that milestone the same week UNC6780's source-code visibility into the portfolio became public.