Critical Windows Netlogon Flaw Now Exploited in Attacks
Key Takeaways
- CVE-2026-41089 allows unauthenticated remote code execution on Windows domain controllers
- Belgium's CCB confirms active exploitation in the wild as of May 30, 2026
- All supported Windows Server versions are affected, including Windows Server 2025
Belgium sounds the alarm on active exploitation
The Centre for Cybersecurity Belgium (CCB) warned on Friday that attackers are actively exploiting CVE-2026-41089, a critical vulnerability in Windows Netlogon that Microsoft patched during the May 2026 Patch Tuesday. The flaw carries a CVSS score of 9.8, the highest severity rating.
Netlogon is a Remote Procedure Call (RPC) interface that authenticates users and services on Windows domain-based networks. It runs as a background service on Windows Server and forms a core part of Active Directory infrastructure. A successful exploit gives attackers complete control over domain controllers without needing credentials.
"Patch as quickly as possible," the CCB urged in a tweet on Friday. The agency did not provide details about the attacks or respond to requests for more information from BleepingComputer.
How the vulnerability works
CVE-2026-41089 is a stack-based buffer overflow in the Windows Netlogon service. Microsoft described the attack vector in its advisory: an attacker sends a specially crafted network request to a Windows server acting as a domain controller.
"If successful, this could cause the Netlogon service to improperly handle the request, potentially allowing the attacker to run code on the affected system without needing to sign in or have prior access," Microsoft said.
The vulnerability requires zero authentication. An attacker needs only network access to a domain controller. Once exploited, they gain SYSTEM-level privileges, enabling lateral movement across the network, ransomware deployment, or complete domain takeover.
All Windows Server versions affected
Every currently supported Windows Server version is vulnerable, including Windows Server 2025. Microsoft's internal Windows Attack Research & Protection (WARP) team discovered the flaw and reported it before the May 12 security advisory.
Microsoft has not updated its advisory to confirm active exploitation. A company spokesperson did not reply to BleepingComputer's request for confirmation.
Part of a larger vulnerability wave
The Netlogon exploitation follows a series of Windows zero-days disclosed by an anonymous security researcher known as 'Nightmare Eclipse.' Two weeks ago, Microsoft published mitigation measures for YellowKey (CVE-2026-45585), a BitLocker zero-day that grants access to protected drives.
Nightmare Eclipse has also disclosed BlueHammer (CVE-2026-33825) and RedSun (CVE-2026-41091), both privilege escalation flaws now being exploited in attacks. Other disclosures include GreenPlasma, MiniPlasma, and UnDefend (CVE-2026-45498), which allows standard users to disable Microsoft Defender.
What administrators should do now
Administrators should apply the May 2026 security patches to all domain controllers immediately. Given the zero-authentication attack vector and active exploitation, this vulnerability should receive top-priority change management windows.
- Apply the May 2026 Patch Tuesday updates to all domain controllers
- Prioritize externally accessible or DMZ-adjacent domain controllers
- Monitor Netlogon service logs for unusual authentication patterns
- Review network segmentation to limit exposure of domain controllers
- Test patches in staging environments if immediate production patching is not possible
Community discussions on r/sysadmin and Hacker News show enterprise administrators scrambling to schedule emergency patching windows. Some report concerns about legacy infrastructure compatibility with the new patches.
Why this matters for your network
Domain controllers are the keys to an Active Directory environment. An attacker who compromises a domain controller can create admin accounts, access any system on the network, and exfiltrate data at will. The unauthenticated nature of this exploit makes it especially dangerous. Attackers need only reach a domain controller over the network to gain full control.
Logicity's Take
Frequently Asked Questions
What is CVE-2026-41089?
CVE-2026-41089 is a critical stack-based buffer overflow vulnerability in the Windows Netlogon service. It allows unauthenticated attackers to execute arbitrary code on domain controllers with SYSTEM privileges.
Which Windows Server versions are affected by the Netlogon vulnerability?
All currently supported Windows Server versions are affected, including Windows Server 2012 through Windows Server 2025.
How can I protect my domain controllers from CVE-2026-41089?
Apply the May 2026 Patch Tuesday security updates immediately. Microsoft released patches on May 12, 2026, that address this vulnerability.
Is CVE-2026-41089 being actively exploited?
Yes. Belgium's Centre for Cybersecurity Belgium (CCB) confirmed active exploitation in the wild as of May 30, 2026.
Does CVE-2026-41089 require authentication to exploit?
No. Attackers can exploit this vulnerability without any credentials or prior access to the system. They need only network access to a domain controller.
Need Help Implementing This?
Source: BleepingComputer
Huma Shazia
Senior AI & Tech Writer
Related Articles
Browse all
Kraken Crypto Exchange Extortion: Hackers Threaten to Leak Internal Videos After Insider Breach
Cryptocurrency exchange Kraken is being extorted by hackers who obtained videos of internal systems through bribed support employees. The company says no funds were compromised and refuses to pay, with only about 2,000 accounts affected. Kraken is working with federal law enforcement to prosecute everyone involved.
Windows 11 KB5083769 and KB5082052: April 2026 Patch Tuesday Brings Smart App Control Changes and Security Fixes
Microsoft's April 2026 Patch Tuesday updates are now live for Windows 11, bringing critical security patches alongside a welcome change to Smart App Control. You can finally toggle SAC on or off without wiping your entire system. The updates cover versions 23H2, 24H2, and 25H2.
Zero Trust Identity Security: 5 Ways This Framework Actually Stops Credential Theft
Stolen credentials caused 22% of breaches in 2025, making them the top attack vector. Zero Trust promises to fix this, but only when it's built around identity as the core principle. Here's how organizations can implement it properly.
Open Source PR Backlogs: Why Your GitHub Contribution Sits Unreviewed for a Year
A developer's Jellyfin pull request has been waiting over a year for merge despite two approvals, exposing a systemic crisis in open source maintenance. Queuing theory explains why backlogs grow exponentially, and 60% of maintainers have quit or considered quitting due to burnout.
Also Read
10 Procurement Tools That Actually Streamline Spending
Zapier's 2026 review of procurement software identifies the best tools for automating purchase requests, managing vendors, and controlling spend. From Precoro's quick setup to SAP Ariba's global supply chain reach, each platform targets different company sizes and needs.
Windows 11 Gets Haptic Feedback, But 85% of Users Can't Feel It
Microsoft's latest Windows 11 update introduces Haptic Signals, providing tactile feedback for actions like window snapping and object alignment. The feature mirrors what Apple has offered since 2015, but there's a catch: only about 15% of Windows laptops have the required haptic trackpads.
3 Bright Planets Light Up June's Night Sky
Venus and Jupiter will appear less than two degrees apart on June 9, creating a rare close conjunction visible to the naked eye. Mercury joins the pair mid-month, forming a diagonal planetary lineup in the west-northwest sky. Saturn and Mars offer early morning viewing opportunities throughout June.