InfoSec Briefing - May 15, 2026

🎧 Audio Briefing

Playback Speed:

Good morning. This is your security briefing for Friday, May 15, 2026. We're covering three articles today. All attribution is by the article authors, and all article analysis is automated.

CISA has added a critical Cisco Catalyst SD-WAN Manager vulnerability to the Known Exploited Vulnerabilities catalog. The authentication bypass flaw, with a maximum severity score of ten point zero, allows unauthenticated remote attackers to gain full administrative privileges by sending crafted requests to a specific network port. The vulnerability is actively being exploited by threat actors targeting internet-exposed SD-WAN management interfaces, and organizations must immediately upgrade to fixed software releases and review their control logs for signs of compromise.

Check Point Research has analyzed The Gentlemen ransomware-as-a-service operation after their internal database was compromised in May 2026, exposing operational details of nine core accounts. The group became the second most productive ransomware operation in early 2026 with approximately three hundred thirty-two victims in five months, targeting high-value corporate entities globally and reusing stolen data to pressure multiple victims.

Security researchers have disclosed YellowKey, a vulnerability that allows attackers with physical access to bypass BitLocker disk encryption on Windows 11 and recent Windows Server versions. The flaw exploits the Windows Recovery Environment by placing specific files in a system directory, then triggering an elevated shell during recovery that grants unrestricted access to protected volumes. The researcher suspects this may be an intentional backdoor due to the suspicious presence of the vulnerable code only in the recovery environment and not in standard Windows installations.

That concludes today's briefing.

📰 Articles Covered

CVE-2026-20182 - CISA KEV

**CVE-2026-20182** is a critical security vulnerability affecting **Cisco Catalyst SD-WAN Controller** (formerly vSmart) and **Cisco Catalyst SD-WAN Manager** (formerly vManage) . It carries a maximum CVSSv3.1 score of **10.0**, indicating a critical severity level .

### Vulnerability Overview
* **Vendor and Product:** Cisco Systems, specifically the Catalyst SD-WAN Controller and Catalyst SD-WAN Manager .
* **Nature of Vulnerability:** It is an **authentication bypass** vulnerability (CWE-287: Improper Authentication) occurring within the control connection handshaking process .
* **Impact:** Attackers can exploit this flaw to bypass authentication mechanisms, effectively gaining **administrative access** to the affected network controllers .

### Exploitation (MITRE ATT&CK T1190)
* **Methodology:** Attackers exploit the vulnerability via the **DTLS port 12346** to bypass authentication . By targeting the control connection handshaking, unauthorized actors can achieve "God Mode" control over the network infrastructure .
* **Threat Actors:** Cisco Talos is actively tracking exploitation of this vulnerability, clustering the observed activity under the identifier **UAT-8616** .
* **Status:** The vulnerability has been added to the **CISA Known Exploited Vulnerabilities (KEV) catalog**, confirming its active use in the wild .

### Mitigation and Defender Guidance
* **Immediate Action:** Organizations using the affected Cisco Catalyst SD-WAN products must **upgrade to the fixed software releases** provided by Cisco immediately .
* **Consult Advisory:** Defenders should review the official [Cisco Security Advisory](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa2-v69WY2SW) for specific version information and Indicators of Compromise (IOCs), such as "Show Control" logs, to determine if their systems have been compromised .
* **Vulnerability Assessment:** Security teams can utilize vulnerability management tools (such as InsightVM or Nexpose) to scan for exposure to this specific flaw .
Thus Spoke…The Gentlemen - Check Point Research

The following precis summarizes the findings from Check Point Research regarding the **The Gentlemen** ransomware-as-a-service (RaaS) operation, following a significant leak of their internal backend database, "**Rocket**," in May 2026 【1】.

### What Happened
On May 4, 2026, the administrator of The Gentlemen acknowledged that their internal database was compromised, exposing the operational details of 9 core accounts 【1】. This leak provided an unprecedented, end-to-end view of a highly active RaaS program that emerged in mid-2025 and became the second most productive operation in early 2026, with approximately 332 victims recorded in the first five months of the year 【1】.

### Who Is Affected
The group targets a wide range of corporate entities, including high-value "tier-1" organizations 【1】. Their operations are global, with evidence of them reusing stolen data from one victim (e.g., a UK consultancy) to apply pressure on another (e.g., a Turkish company) 【1】.

### Security Implications
The Gentlemen operate as a professionalized, human-operated ransomware syndicate. Key implications include:
- **Coordinated Pressure:** Beyond simple encryption, they use sophisticated negotiation playbooks, including dual-pressure tactics where they threaten to expose victims to regulators or legal entities 【1】【1】.
- **Financial Sophistication:** The group employs complex money laundering strategies, including chain-hopping, the use of non-custodial wallets, and converting cryptocurrency to cash via banking infrastructure (e.g., Tinkoff QR codes) or physical OTC delivery 【1】.
- **AI Integration:** The group uses AI for code-assisted development (e.g., building their RaaS panel) and as a quick reference for technical queries, though advanced automated data triage remains largely conceptual 【1】.

### Technical Details
The group follows a repeatable, mature operational workflow 【1】:
- **Initial Access:** Focuses on exposed edge devices (Fortinet, Cisco), credential brute-forcing, and purchasing access from third-party brokers 【1】.
- **Exploitation Pipeline:** They actively track and integrate modern vulnerabilities into their workflow, specifically **CVE-2024-55591** (FortiOS), **CVE-2025-32433** (Erlang/Cisco), and **CVE-2025-33073** (NTLM relay) 【1】.
- **Tooling:** They utilize a robust red-team toolkit, including `NetExec`, `RelayKing`, `CertiHound`, and `ZeroPulse` for C2 【1】.
- **Evasion:** They prioritize disabling security products using "EDR killer" kits (e.g., `gfreeze`, `glinker`) and techniques to manipulate Windows logging and Event Tracing for Windows (ETW) 【1】.

### What Defenders Should Know
To defend against this group, organizations should prioritize the following:
- **Harden Edge Infrastructure:** Immediately secure and patch internet-facing VPNs and management interfaces, as these are the primary entry points 【1】.
- **Close Relay Paths:** Address NTLM relay vulnerabilities and misconfigurations in Active Directory, particularly those related to ADCS (Active Directory Certificate Services) 【1】【1】.
- **Monitor for EDR Tampering:** Implement strict monitoring for attempts to disable security binaries, clear logs, or manipulate ETW, which are hallmarks of this group's evasion strategy 【1】【1】.
- **Backup Security:** Protect backup infrastructure (e.g., Veeam) and management controllers (e.g., iDRAC) from unauthorized access, as these are frequently targeted for privilege escalation 【1】【1】.
YellowKey: YellowKey Bitlocker Bypass Vulnerability - Nightmare-Eclipse

The **YellowKey** vulnerability is a critical security flaw that allows an attacker to bypass **BitLocker** disk encryption on affected Windows systems, granting them unrestricted access to the protected volume 【1】.

### What Happened
The vulnerability involves a flaw within the **Windows Recovery Environment (WinRE)**. By placing specific files into the `System Volume Information\FsTx` directory—either on an external USB drive or directly within the EFI partition of the target disk—an attacker can trigger a shell with elevated privileges during the recovery process 【1】.

### Who Is Affected
The vulnerability specifically impacts modern Windows operating systems, including:
- **Windows 11**
- **Windows Server 2022**
- **Windows Server 2025**

Windows 10 is reportedly not affected by this issue 【1】.

### Security Implications
The researcher characterizes this flaw as a potential **backdoor** rather than a standard bug. This suspicion arises because the component responsible for the vulnerability exists in both standard Windows installations and the WinRE image, but only the WinRE version contains the specific functionality that enables the bypass. The presence of this code in the recovery environment, combined with its absence of a clear functional purpose, has led to speculation that the vulnerability may have been intentional 【1】.

### Technical Details
The exploit is triggered through the following steps:
- The attacker places the `FsTx` folder into the `System Volume Information` directory of a compatible filesystem (NTFS, FAT32, or exFAT) 【1】.
- The target machine is rebooted into the **Windows Recovery Environment (WinRE)** by holding the `SHIFT` key during a restart 【1】.
- By holding the `CTRL` key during the transition to the recovery environment, the system spawns a shell that provides full access to the BitLocker-protected volume 【1】.

### What Defenders Should Know
- **Physical Access Requirement:** The exploit requires physical access to the machine or the ability to manipulate the disk's EFI partition 【1】.
- **Mitigation:** Defenders should monitor for unauthorized access to the EFI partition and restrict physical access to hardware where possible. Given the nature of the vulnerability, organizations should prioritize monitoring for suspicious activity within the WinRE environment and ensure that systems are updated with any patches provided by Microsoft to address this component-level flaw 【1】.