Critical Windows Netlogon Flaw Now Exploited in Attacks

Key Takeaways

• CVE-2026-41089 allows unauthenticated remote code execution on Windows domain controllers
• Belgium's CCB confirms active exploitation in the wild as of May 30, 2026
• All supported Windows Server versions are affected, including Windows Server 2025

Belgium sounds the alarm on active exploitation

The Centre for Cybersecurity Belgium (CCB) warned on Friday that attackers are actively exploiting CVE-2026-41089, a critical vulnerability in Windows Netlogon that Microsoft patched during the May 2026 Patch Tuesday. The flaw carries a CVSS score of 9.8, the highest severity rating.

Netlogon is a Remote Procedure Call (RPC) interface that authenticates users and services on Windows domain-based networks. It runs as a background service on Windows Server and forms a core part of Active Directory infrastructure. A successful exploit gives attackers complete control over domain controllers without needing credentials.

"Patch as quickly as possible," the CCB urged in a tweet on Friday. The agency did not provide details about the attacks or respond to requests for more information from BleepingComputer.

How the vulnerability works

CVE-2026-41089 is a stack-based buffer overflow in the Windows Netlogon service. Microsoft described the attack vector in its advisory: an attacker sends a specially crafted network request to a Windows server acting as a domain controller.

"If successful, this could cause the Netlogon service to improperly handle the request, potentially allowing the attacker to run code on the affected system without needing to sign in or have prior access," Microsoft said.

The vulnerability requires zero authentication. An attacker needs only network access to a domain controller. Once exploited, they gain SYSTEM-level privileges, enabling lateral movement across the network, ransomware deployment, or complete domain takeover.

All Windows Server versions affected

Every currently supported Windows Server version is vulnerable, including Windows Server 2025. Microsoft's internal Windows Attack Research & Protection (WARP) team discovered the flaw and reported it before the May 12 security advisory.

Microsoft has not updated its advisory to confirm active exploitation. A company spokesperson did not reply to BleepingComputer's request for confirmation.

Part of a larger vulnerability wave

The Netlogon exploitation follows a series of Windows zero-days disclosed by an anonymous security researcher known as 'Nightmare Eclipse.' Two weeks ago, Microsoft published mitigation measures for YellowKey (CVE-2026-45585), a BitLocker zero-day that grants access to protected drives.

Nightmare Eclipse has also disclosed BlueHammer (CVE-2026-33825) and RedSun (CVE-2026-41091), both privilege escalation flaws now being exploited in attacks. Other disclosures include GreenPlasma, MiniPlasma, and UnDefend (CVE-2026-45498), which allows standard users to disable Microsoft Defender.

What administrators should do now

Administrators should apply the May 2026 security patches to all domain controllers immediately. Given the zero-authentication attack vector and active exploitation, this vulnerability should receive top-priority change management windows.

• Apply the May 2026 Patch Tuesday updates to all domain controllers
• Prioritize externally accessible or DMZ-adjacent domain controllers
• Monitor Netlogon service logs for unusual authentication patterns
• Review network segmentation to limit exposure of domain controllers
• Test patches in staging environments if immediate production patching is not possible

Community discussions on r/sysadmin and Hacker News show enterprise administrators scrambling to schedule emergency patching windows. Some report concerns about legacy infrastructure compatibility with the new patches.

Why this matters for your network

Domain controllers are the keys to an Active Directory environment. An attacker who compromises a domain controller can create admin accounts, access any system on the network, and exfiltrate data at will. The unauthenticated nature of this exploit makes it especially dangerous. Attackers need only reach a domain controller over the network to gain full control.

Frequently Asked Questions

What is CVE-2026-41089?

CVE-2026-41089 is a critical stack-based buffer overflow vulnerability in the Windows Netlogon service. It allows unauthenticated attackers to execute arbitrary code on domain controllers with SYSTEM privileges.

Which Windows Server versions are affected by the Netlogon vulnerability?

All currently supported Windows Server versions are affected, including Windows Server 2012 through Windows Server 2025.

How can I protect my domain controllers from CVE-2026-41089?

Apply the May 2026 Patch Tuesday security updates immediately. Microsoft released patches on May 12, 2026, that address this vulnerability.

Is CVE-2026-41089 being actively exploited?

Yes. Belgium's Centre for Cybersecurity Belgium (CCB) confirmed active exploitation in the wild as of May 30, 2026.

Does CVE-2026-41089 require authentication to exploit?

No. Attackers can exploit this vulnerability without any credentials or prior access to the system. They need only network access to a domain controller.

Source: BleepingComputer