Cybersecurity: Threats and Defences
7 June

KB5091157, Gentlemen C2 intel, ENISA CNAs: in brief

10:08 UTC

Microsoft's 19 April emergency KB5091157 fixed LSASS reboot loops on PAM domain controllers. Separately, Check Point Research turned a Gentlemen ransomware SystemBC C2 server into victim intelligence on 1,570 targets, and ENISA onboarded four new CVE Numbering Authorities under ENISA Root on 6 May.

Key takeaway

Gentlemen ransomware has five times more victims than self-reported; ENISA expands EU CVE governance ahead of CRA.

Microsoft issued out-of-band emergency patch KB5091157 on 19 April for Windows Server 2016 through 2025, fixing Local Security Authority Subsystem Service (LSASS) reboot loops on Privileged Access Management (PAM)-enabled domain controllers.1 PAM governs administrator credentials on corporate networks; unexpected reboots on PAM controllers disrupt credential-gating availability in high-security estates, which is a separate risk class from the vulnerability exploitation covered elsewhere in this briefing.

Check Point Research gained access to a SystemBC command-and-control server operated by The Gentlemen ransomware group and found it holding records on 1,570 victims, roughly five times the 320 the group has posted publicly on its leak site.2 The discrepancy matters for insurance and regulatory breach-exposure assessments: public leak-site counts are self-reported by the operator and consistently undercount true victim scope. The real count is visible only when a C2 server is compromised or seized.

DragonForce ransomware has been confirmed using SimpleHelp RMM (Remote Monitoring and Management) flaws CVE-2024-57726 and CVE-2024-57728 as initial access vectors, according to research by Arctic Wolf.3 NHS Digital advisory CC-4623 from 2025 on SimpleHelp exploitation remains applicable. The SimpleHelp entry also appears on the week's KEV additions alongside the CVEs covered in the main briefing.

Palo Alto Networks acquired AI-gateway firm Portkey for an estimated $130 million in April. April cyber M&A ran to 33 deals, down from 38 in March, reflecting a modest deceleration in the sector consolidation pace that the Google/Wiz transaction anchors.4

European Union Agency for Cybersecurity (ENISA) onboarded four new CVE Numbering Authorities (CNAs) under its own ENISA Root on 6 May, advancing the EU's independent vulnerability disclosure governance ahead of Cyber Resilience Act (CRA) reporting obligations from September 2026.5 The EU is incrementally reducing its dependence on US CVE programme infrastructure for vulnerability numbering across European product vendors.

Deep Analysis

In plain English

This section covers five smaller developments from the same week. Microsoft released an emergency patch on 19 April for a problem affecting Windows Server domain controllers, the servers that manage user accounts and passwords in large organisations. The problem caused these servers to restart repeatedly in environments using a specific security feature called Privileged Access Management. Check Point Research, a security firm, gained access to a server used by a ransomware group called The Gentlemen to manage its attacks. From that server they were able to identify 1,570 victims, information they shared with authorities. DragonForce, a ransomware group, confirmed using known flaws in a remote-access tool called SimpleHelp to break into organisations. Those flaws have been publicly known since early 2024. Palo Alto Networks, a large cybersecurity company, bought an AI security startup called Portkey for around $130 million. Europe's cybersecurity agency ENISA added four new organisations to its network of bodies authorised to officially assign tracking numbers to newly discovered security flaws, reducing European dependence on US processes.

Root Causes

The DragonForce confirmation that SimpleHelp RMM flaws CVE-2024-57726 and CVE-2024-57728 served as initial access reflects a recurring structural issue in the remote monitoring and management market: RMM tools are designed to have privileged access to managed endpoints by default, which makes them structurally high-value targets.

The SimpleHelp vulnerabilities were publicly disclosed in January 2024; DragonForce's confirmed use in 2026 indicates a two-year exploitation window for organisations that did not patch.

The Portkey acquisition by Palo Alto Networks for approximately $130 million reflects a consolidation dynamic in the AI-gateway market: as enterprises build more workflows that route prompts through AI APIs, the security of that routing layer has become a procurement concern. Palo Alto's acquisition signals that AI-gateway security is now treated as a perimeter control, not an application feature.

ENISA's onboarding of four new CNAs (CVE Numbering Authorities) under ENISA Root on 6 May reflects the EU's sustained effort to reduce dependence on MITRE's US-based CVE allocation process. Each European CNA reduces the number of European vulnerability disclosures that route through a US institution.

What could happen next?
  • Risk

    Organisations using PAM-enabled domain controllers that applied KB5091157 should validate domain controller stability and confirm no follow-on interaction bugs exist before treating the patch as a complete resolution.

    Immediate · 0.75
  • Consequence

    Check Point's C2-infiltration technique on The Gentlemen's SystemBC server demonstrates that victim intelligence obtained through counter-operations exceeds what law enforcement takedown notices produce, adding a tactical argument for offensive-defensive blended approaches in ransomware disruption.

    Short term · 0.7
  • Opportunity

    ENISA's expansion of the European CNA network under ENISA Root reduces single-point-of-failure risk in EU vulnerability disclosure pipelines and builds institutional memory for European CVE governance independent of MITRE.

    Medium term · 0.8
First Reported In

Update #3 · CISA's deadline outruns Palo Alto's patch

BleepingComputer · 8 May 2026
Causes and effects
A cluster of reinforcing developments: an emergency domain-controller patch, a C2 compromise revealing a ransomware group's true victim count at five times its self-reported figure, and EU CVE governance expanding ahead of Cyber Resilience Act obligations.
Different Perspectives
Australian Cyber Security Centre (ACSC)
Australia accounting for 18 of 95 May ransomware victims, nearly 19 per cent of globally disclosed attacks against an economy representing 0.3 per cent of global GDP, reflects end-of-life Windows Server concentration in healthcare, under-resourced national incident-response capacity, and time-zone isolation that slows vendor-assisted containment during peak attack windows.
Europol / international law enforcement
Operation Saffron's 27-country coordination set a new geographic breadth record for criminal-infrastructure seizure. The absence of an arrest alongside the server seizures limits durable impact: VPNLab.net and DoubleVPN precedents show gangs reconstitute on alternative hosts within two to four weeks.
UK Parliament (Cyber Security and Resilience Bill)
The Bill reaches Commons Report Stage on 10 June with penalties up to 4 per cent of global turnover. Qilin's NHS Synnovis attack in June 2024 and INC_RANSOM's Stuga Machinery posting on 5 June give the legislation a domestic evidence base connecting KEV-class exposure directly to UK CNI and supply-chain targeting.
German BSI / EU enterprise operator perspective
The 17-month lag between Oracle's January 2024 WebLogic patch and active exploitation confirms that CVSS 7.5 keeps a flaw below emergency-patch thresholds in most programmes, even when T3/IIOP exploitation is a documented recurring chain. BSI's T3/IIOP disablement guidance offers a network-layer mitigation that survives Oracle's quarterly patch cycle without requiring unscheduled downtime.
ENISA / EU cybersecurity regulator
NIS360's risk-zone designations for water and rail, following NCAF 2.0 in April, give member-state authorities a documented enforcement basis under NIS2. Fine ceilings at EUR 10 million cover essential entities; sub-threshold municipal water operators fall outside that scope, so designation without sector-level funding creates a perverse incentive to defer rather than remediate.
US federal CISO (FCEB agency)
Four staggered June deadlines covered WebLogic middleware, Linux containers, Android device fleets and Magento storefronts in a single fortnight, forcing triage that exposes whichever stack ranks lowest. CISA's proposed $707 million budget cut alongside this enforcement acceleration creates a direct credibility gap: the mandate grows while the capacity to sustain it shrinks.