Cybersecurity

Critical Windows Netlogon RCE CVE-2026-41089 Now Exploited in Attacks — Full Breakdown and Remediation Guide

Windows Netlogon RCE CVE-2026-41089 domain controller vulnerability exploit
Active Exploitation Confirmed: If your organisation runs Windows Server domain controllers (2012 or newer) and has not applied the May 2026 Patch Tuesday updates, patch now. Belgium’s CCB has confirmed active exploitation of CVE-2026-41089.

A critical vulnerability in Windows Netlogon patched during Microsoft’s May 2026 Patch Tuesday is now being actively exploited in the wild. Belgium’s Centre for Cybersecurity (CCB) confirmed exploitation on May 30, 2026, urging administrators to “patch as quickly as possible.” The flaw, tracked as CVE-2026-41089 with a CVSS score of 9.8, allows unauthenticated attackers to execute arbitrary code on Windows domain controllers at SYSTEM privilege — zero credentials, zero user interaction, zero prior foothold required.

Security researchers have drawn immediate comparisons to Zerologon (CVE-2020-1472) — the 2020 Netlogon vulnerability that went from advisory to weaponised exploit in under two weeks and fuelled widespread ransomware campaigns. CVE-2026-41089 shares the same attack surface: every network-reachable domain controller.

What Is the Netlogon Service?

The Windows Netlogon service (Netlogon Remote Protocol, MS-NRPC) is the authentication backbone of every Windows Active Directory domain. It handles: domain logon requests, machine account authentication, secure channel establishment between member servers and domain controllers, domain controller replication, and pass-through authentication in multi-domain forests.

Domain controllers running Netlogon are the highest-value target in most Windows enterprise environments. Compromising a domain controller means compromising the entire Windows infrastructure: all user accounts, all access permissions, all group policies, all security boundaries.

CVE-2026-41089 — Technical Detail

CVE-2026-41089 is a stack-based buffer overflow in the Netlogon service. Microsoft’s Windows Attack Research and Protection (WARP) team identified it, with disclosure on May 12, 2026. An attacker sends a specially crafted network packet to the Netlogon service. The service improperly validates the input, allowing data to overflow the stack buffer, corrupt adjacent memory, and redirect code execution — gaining SYSTEM-level privilege on the domain controller.

Attack chain:

  1. Attacker gains network access to a domain controller’s Netlogon service (port 135/TCP + dynamic RPC)
  2. Attacker sends a malformed Netlogon authentication request
  3. Buffer overflow corrupts the Netlogon service execution stack
  4. Attacker achieves SYSTEM-level remote code execution on the DC
  5. Full Active Directory forest compromise is achievable from this position

Why This Is Exceptionally Dangerous

Zero authentication required: Attacker needs only network connectivity to a domain controller’s Netlogon port. No credentials, no domain membership, no prior foothold.

Zero user interaction: The exploit fires as a pure network attack. No phishing. Exploitable 24/7 against any unpatched domain controller that is network-reachable.

SYSTEM-level execution on a domain controller enables:

  • Creating or modifying any Active Directory account including domain admin accounts
  • Resetting passwords for any user in the domain
  • Modifying Group Policy to deploy malware across all managed systems
  • Disabling Windows Defender and other security controls
  • Extracting the NTDS.dit database containing password hashes for every domain user
  • Establishing persistent access and lateral movement to every domain-joined system

Affected Systems

Windows Server Version Affected Patch Available
Windows Server 2025 Yes May 2026 Patch Tuesday
Windows Server 2022 Yes May 2026 Patch Tuesday
Windows Server 2019 Yes May 2026 Patch Tuesday
Windows Server 2016 Yes May 2026 Patch Tuesday
Windows Server 2012/R2 Yes Micropatch via Acros 0patch

Detection Indicators

Network indicators: Anomalous Netlogon traffic (port 135 + dynamic RPC) from non-DC source addresses; high-volume Netlogon requests from a single source; Netlogon connections from unexpected network segments.

System indicators: Netlogon service (netlogon.exe) unexpectedly crashing or restarting; unexpected new processes launched from the Netlogon process; new administrator accounts in Active Directory not provisioned by IT; modifications to Group Policy Objects at unusual times.

Event log sources: System log Event IDs 5805, 5723; Security log Event IDs 4720, 4728, 4672; Netlogon.log at %SystemRoot%\debug\netlogon.log for authentication anomalies.

Immediate Remediation Steps

  1. Patch immediately — Deploy May 2026 Patch Tuesday updates to all domain controllers. Start with most exposed (internet-adjacent) and work inward. Do not wait for scheduled maintenance.
  2. Network segmentation — Verify DCs are not reachable from untrusted network segments. Netlogon traffic should only be permitted from known member servers, other DCs, and management systems.
  3. Enable Netlogon logging — Set HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag to 0x2080ffff and review logs for anomalous patterns.
  4. Audit new accounts — Report on administrator accounts created since May 12, 2026 and verify each is legitimate.
  5. Review firewall rules — Confirm RPC endpoint mapper (port 135) and dynamic RPC ports are not exposed beyond necessary segments.

Cybersecurity Services · Saudi Arabia & GCC

Are your domain controllers and Active Directory protected?

Visit To Me provides Windows Server security hardening, Active Directory security audits, patch management SLA design, and NCA ECC compliance support for organisations in Saudi Arabia and the GCC. We audit your domain controllers, identify exposure, and implement monitoring before attackers find the gaps.

Cybersecurity Services →Windows Server Management →

📍 Riyadh · 🌍 Remote worldwide · ⏰ 24h response · 🔒 NCA ECC-2 aligned · 📋 Written SLA

Mohammad Irfan Aslam

Mohammad Irfan Aslam (also known as Muhammad Irfan Aslam or Rana Irfan) is an IT infrastructure specialist, DevOps engineer, and technology consultant based in Riyadh, Saudi Arabia. With over 6 years of hands-on experience in Linux system administration, VMware virtualization, Docker, cloud platforms (AWS, Azure, GCP), CI/CD pipelines, and enterprise networking, Irfan founded visittome.com to deliver professional IT services to businesses across Saudi Arabia and the GCC region. He is the author of in-depth technical guides on cybersecurity, Linux, cloud infrastructure, and enterprise IT published on this blog.

Leave a Reply

Your email address will not be published. Required fields are marked *

Saudi Arabia’s IT intelligence hub — cybersecurity, cloud, infrastructure & digital transformation for Vision 2030 businesses.

Riyadh, Kingdom of Saudi Arabia
Lahore, Pakistan (Dev Office)
Sun–Thu  9:00 AM – 6:00 PM AST

Why Visit To Me

Google News publisher
Riyadh-based IT experts
Vision 2030 aligned
NCA compliance coverage
Arabic & English content
Free IT Consultation →
© 2026 Visit To Me · IT HUB · Riyadh, Kingdom of Saudi Arabia · All rights reserved.
💼
Visit Pro
AI Sales Assistant · Visit To Me
Powered by Claude AI · Visit To Me