Cybersecurity: Threats and Defences
14 June

KB5091157, Gentlemen C2 intel, ENISA CNAs: in brief

11:51 UTC

Microsoft's 19 April emergency KB5091157 fixed LSASS reboot loops on PAM domain controllers. Separately, Check Point Research turned a Gentlemen ransomware SystemBC C2 server into victim intelligence on 1,570 targets, and ENISA onboarded four new CVE Numbering Authorities under ENISA Root on 6 May.

Key takeaway

Gentlemen ransomware has five times more victims than self-reported; ENISA expands EU CVE governance ahead of CRA.

Microsoft issued the out-of-band emergency patch KB5091157 on 19 April for Windows Server 2016 through 2025, fixing Local Security Authority Subsystem Service (LSASS) reboot loops on domain controllers with the Active Directory Privileged Access Management (PAM) optional feature enabled [1]. That feature underpins time-bound privileged group membership (the just-in-time, bastion-forest model for administrator access); when PAM-enabled controllers reboot unexpectedly, the credential gating it provides becomes unavailable in exactly the high-security estates that depend on it. This is an availability risk, a separate class from the vulnerability exploitation covered elsewhere in this briefing.
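A check a domain-controller owner would want before treating the patch as a complete resolution, added here as an example (not Microsoft's code and not from the briefing): confirm whether the AD PAM optional feature is enabled in the forest, whether KB5091157 is installed, and whether LSASS failures or unexpected reboots have recurred since the install date. It assumes the KB number as reported above, the ActiveDirectory PowerShell module on the DC, and the standard Windows event sources (Wininit 1015 for a failed critical process, EventLog 6008 for an unexpected shutdown).

```powershell
# Added example, not Microsoft's or the briefing's own code. Run elevated on a domain
# controller (ActiveDirectory module present) to see whether this DC is in scope for
# KB5091157 and whether LSASS-driven reboots are still occurring after it was installed.
# Assumptions: the KB number is as reported in the briefing; event sources/IDs are the
# standard Windows ones (Wininit 1015 = critical process failed, which for lsass.exe
# forces a restart; EventLog 6008 = previous shutdown was unexpected).
Import-Module ActiveDirectory

$kb    = 'KB5091157'
$since = (Get-Date).AddDays(-14)

# 1. Is the AD Privileged Access Management optional feature enabled in this forest?
$pam = Get-ADOptionalFeature -Filter { Name -eq 'Privileged Access Management Feature' }
$pamEnabled = ($pam.EnabledScopes | Measure-Object).Count -gt 0

# 2. Is the out-of-band update installed on this DC?
$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue

# 3. Any LSASS failures or unexpected shutdowns in the look-back window?
$lsassFailures = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 1015; StartTime = $since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'lsass\.exe' })
$unexpected = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'EventLog'; Id = 6008; StartTime = $since
    } -ErrorAction SilentlyContinue)

[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    PamFeatureEnabled    = $pamEnabled
    PamScopes            = ($pam.EnabledScopes -join ', ')
    KbInstalled          = [bool]$hotfix
    KbInstalledOn        = $hotfix.InstalledOn
    LsassFailures14d     = $lsassFailures.Count
    UnexpectedReboots14d = $unexpected.Count
} | Format-List

# Verdict: a PAM-enabled DC without the patch is exposed to the reboot loop; LSASS
# failures that postdate the install point to a follow-on issue and should be raised
# with Microsoft rather than treated as resolved.
if ($pamEnabled -and -not $hotfix) {
    Write-Warning "$kb is not installed on a PAM-enabled domain controller."
}
elseif ($hotfix -and $hotfix.InstalledOn) {
    $after = @($lsassFailures | Where-Object { $_.TimeCreated -gt $hotfix.InstalledOn })
    if ($after.Count -gt 0) {
        Write-Warning "$($after.Count) LSASS failure(s) recorded after $kb was installed on $($hotfix.InstalledOn)."
    }
    else {
        "No LSASS failures recorded since $kb was installed on $($hotfix.InstalledOn)."
    }
}
```

Run it on each PAM-enabled DC (or wrap it in Invoke-Command across the DC list); the two warnings are the cases that matter: the patch missing where the feature is on, and failures continuing after the patch.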

Check Point Research gained access to a SystemBC command-and-control server operated by The Gentlemen ransomware group and found it holding records on 1,570 victims, roughly five times the 320 the group has posted publicly on its leak site [2]. The discrepancy matters for insurance and regulatory breach-exposure assessments: public leak-site counts are self-reported by the operator and consistently undercount true victim scope. The real count is visible only when a C2 server is compromised or seized.

DragonForce ransomware has been confirmed to use the SimpleHelp RMM (Remote Monitoring and Management) flaws CVE-2024-57726 and CVE-2024-57728 as initial access vectors, according to research by Arctic Wolf [3]. NHS Digital advisory CC-4623, issued in 2025 on SimpleHelp exploitation, remains applicable. The SimpleHelp entry also appears among the week's KEV additions alongside the CVEs covered in the main briefing.

Palo Alto Networks acquired AI-gateway firm Portkey for an estimated $130 million in April. April cyber M&A ran to 33 deals, down from 38 in March, a modest deceleration in the sector consolidation pace that the Google/Wiz transaction anchors [4].

The European Union Agency for Cybersecurity (ENISA) onboarded four new CVE Numbering Authorities (CNAs) under its own ENISA Root on 6 May, advancing the EU's independent vulnerability disclosure governance ahead of the Cyber Resilience Act (CRA) vulnerability-reporting obligations that apply from September 2026 [5]. The EU is incrementally reducing its dependence on US CVE programme infrastructure for vulnerability numbering across European product vendors.

Deep Analysis

In plain English

This section covers five smaller developments from the same week. Microsoft released an emergency patch on 19 April for a problem affecting Windows Server domain controllers, the servers that manage user accounts and passwords in large organisations. The problem caused these servers to restart repeatedly in environments using a specific security feature called Privileged Access Management. Check Point Research, a security firm, gained access to a server used by a ransomware group called The Gentlemen to manage its attacks. From that server they were able to identify 1,570 victims, information they shared with authorities. DragonForce, a ransomware group, was confirmed to be using known flaws in a remote-access tool called SimpleHelp to break into organisations. Those flaws have been publicly known, with fixes available, since January 2025. Palo Alto Networks, a large cybersecurity company, bought an AI security startup called Portkey for around $130 million. Europe's cybersecurity agency ENISA added four new organisations to its network of bodies authorised to officially assign tracking numbers to newly discovered security flaws, reducing European dependence on US processes.

Root Causes

The DragonForce confirmation that SimpleHelp RMM flaws CVE-2024-57726 and CVE-2024-57728 served as initial access reflects a recurring structural issue in the remote monitoring and management market: RMM tools are designed to have privileged access to managed endpoints by default, which makes them structurally high-value targets.

The SimpleHelp vulnerabilities were publicly disclosed in January 2025, with fixed releases available at disclosure; DragonForce's confirmed use in 2026 means organisations that did not patch have carried an exploitation window of well over a year.
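The practical question raised by the DragonForce confirmation above and by the long unpatched window is simply which SimpleHelp servers are still on a pre-fix release. The following is an added example (not from the briefing, Arctic Wolf or SimpleHelp) that triages an inventory against the January 2025 fixed releases, which SimpleHelp shipped as 5.5.8, 5.4.10 and 5.3.9, one per supported branch. The inventory is constructed sample data; it assumes your asset inventory already records each server's version string, and that releases on branches newer than 5.5 postdate the fixes.

```powershell
# Added example, not SimpleHelp's or the briefing's own code: triage SimpleHelp server
# versions against the releases that fixed CVE-2024-57726 and CVE-2024-57728
# (5.5.8, 5.4.10 and 5.3.9, shipped January 2025). Versions are compared through the
# [version] type so that 5.4.10 is correctly newer than 5.4.9; a plain string comparison
# would rank them the other way and mark a patched host as vulnerable.
# Assumption: releases on branches newer than 5.5 were built after the fixes.

$FixedByBranch = @{
    '5.3' = [version]'5.3.9'
    '5.4' = [version]'5.4.10'
    '5.5' = [version]'5.5.8'
}

function Test-SimpleHelpVulnerable {
    [OutputType([bool])]
    param([Parameter(Mandatory)][string]$VersionString)

    try { $v = [version]$VersionString } catch { throw "Unparseable version '$VersionString'" }
    $branch = '{0}.{1}' -f $v.Major, $v.Minor

    # Branches older than 5.3 never received a fix: treat as vulnerable.
    if ($v -lt [version]'5.3.0') { return $true }
    # On a fixed branch, anything below the fixed release is vulnerable.
    if ($FixedByBranch.ContainsKey($branch)) { return $v -lt $FixedByBranch[$branch] }
    # Assumption: newer branches postdate the January 2025 fixes.
    return $false
}

# Constructed sample inventory; in practice feed this from your asset inventory
# (assumption: it already records the SimpleHelp server version string).
$Inventory = @(
    [pscustomobject]@{ Host = 'rmm-01.example.internal'; Version = '5.4.9'  }
    [pscustomobject]@{ Host = 'rmm-02.example.internal'; Version = '5.4.10' }
    [pscustomobject]@{ Host = 'rmm-03.example.internal'; Version = '5.5.7'  }
    [pscustomobject]@{ Host = 'rmm-04.example.internal'; Version = '5.2.3'  }
    [pscustomobject]@{ Host = 'rmm-05.example.internal'; Version = '5.5.8'  }
)

$Inventory |
    Select-Object Host, Version,
        @{ Name = 'NeedsPatch'; Expression = { Test-SimpleHelpVulnerable $_.Version } } |
    Sort-Object NeedsPatch -Descending |
    Format-Table -AutoSize
```

With the sample data, rmm-01 (5.4.9), rmm-03 (5.5.7) and rmm-04 (5.2.3) come out as needing a patch and rmm-02 and rmm-05 do not; the 5.4.9 versus 5.4.10 pair is the case that a string comparison would get wrong, which is why the function casts to [version] before comparing.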

The Portkey acquisition by Palo Alto Networks for approximately $130 million reflects a consolidation dynamic in the AI-gateway market: as enterprises build more workflows that route prompts through AI APIs, the security of that routing layer has become a procurement concern. Palo Alto's acquisition signals that AI-gateway security is now treated as a perimeter control, not an application feature.

ENISA's onboarding of four new CNAs (CVE Numbering Authorities) under ENISA Root on 6 May reflects the EU's sustained effort to reduce dependence on MITRE's US-based CVE allocation process. Each European CNA reduces the number of European vulnerability disclosures that route through a US institution.

What could happen next?
  • Risk

    Organisations using PAM-enabled domain controllers that applied KB5091157 should validate domain controller stability and confirm no follow-on interaction bugs exist before treating the patch as a complete resolution.

    Immediate · 0.75
  • Consequence

    Check Point's C2-infiltration technique on The Gentlemen's SystemBC server demonstrates that victim intelligence obtained through counter-operations exceeds what law enforcement takedown notices produce, adding a tactical argument for offensive-defensive blended approaches in ransomware disruption.

    Short term · 0.7
  • Opportunity

    ENISA's expansion of the European CNA network under ENISA Root reduces single-point-of-failure risk in EU vulnerability disclosure pipelines and builds institutional memory for European CVE governance independent of MITRE.

    Medium term · 0.8
First Reported In

Update #3 · CISA's deadline outruns Palo Alto's patch

BleepingComputer· 8 May 2026
Causes and effects
KB5091157, Gentlemen C2 intel, ENISA CNAs: in brief
A cluster of reinforcing developments: an emergency domain-controller patch, a C2 compromise revealing a ransomware group's true victim count at five times its self-reported figure, and EU CVE governance expanding ahead of Cyber Resilience Act obligations.
Different Perspectives
Beijing-aligned attribution sceptics
CNCERT has noted that Western KEV ransomware-risk flags on DoS-only flaws such as Serv-U CVE-2026-28318 conflate disruption capability with breach capability, and that CJEU referrals for NIS2 non-transposition create compliance obligations that presuppose software-patchable architectures the Arista case shows are not universal.
Enterprise security buyers
Three successive KEV cycles in which federal deadlines precede, exceed or are refused by vendor patches require buyers to re-weight patch-SLA contractual terms: the KEV deadline is now the planning constraint, not the vendor advisory, and procurement due diligence must cover whether a hardware platform is even patchable in principle.
Check Point
Check Point disclosed CVE-2026-50751 and shipped a hotfix on 8 June, roughly 30 days after exploitation had begun, with a Qilin affiliate already inside at least one victim. Its delayed disclosure on a CVSS 9.3 perimeter bypass leaves customers to absorb a month-long pre-patch exposure window under CISA's three-day federal deadline.
European Commission and ENISA
NIS2 full personal-liability enforcement from 1 June and CJEU referrals against laggard member states represent the sharpest regulatory escalation in EU cyber history, backed by ENISA NIS360 sector-maturity evidence naming water, rail and waste water as the priority enforcement targets. NCAF 2.0 and NIS360 function as audit instruments rather than political signals.
UK NCSC
The NCSC issued the Dutch NCSC's imminent-abuse warning on the Check Point flaw in the same fortnight its sponsoring legislation cleared the Commons, widening incident-reporting duties to cover attacker pre-positioning. The payment-reporting gap left by the CS&R Bill means the NCSC continues to rely on voluntary Early Warning submissions for ransomware economics data.
US Federal CISO community
Federal CISOs face three active compliance obligations without a clean resolution: a three-day Check Point deadline met with a hotfix, a 23 June Arista deadline partially met with ACLs only, and a 16-day Exchange overrun still being fully remediated. BOD 22-01 is operating as an urgency signal but not as a vendor-cooperation mechanism.