A critical Windows Netlogon vulnerability patched during Microsoft’s May 2026 Patch Tuesday is now being actively exploited in the wild, Belgium’s Centre for Cybersecurity (CCB) warned on Friday. The flaw, tracked as CVE-2026-41089 with a CVSS score of 9.8, allows unauthenticated attackers to execute arbitrary code on Windows domain controllers with SYSTEM-level privileges — no credentials, no user interaction, no local access required.
What Is the Vulnerability?
CVE-2026-41089 is a stack-based buffer overflow in the Windows Netlogon service — the core component responsible for authenticating users and machines in Windows Active Directory domain environments. The vulnerability affects Windows Server 2012 through Windows Server 2025 configured as domain controllers.
An attacker exploits the flaw by sending a specially crafted network request to the Netlogon service on a domain controller. The service improperly processes the request, triggering the buffer overflow and enabling arbitrary code execution under SYSTEM privileges. Microsoft’s own Windows Attack Research and Protection (WARP) team identified and reported the vulnerability, which was disclosed on May 12, 2026.
Why This Is Particularly Dangerous
Three factors combine to make CVE-2026-41089 exceptionally high-risk:
Zero-Click — No Authentication Required
The attacker needs only network access to a domain controller’s Netlogon service. No valid credentials, no phishing prerequisite, no local foothold required before exploitation. Any machine on the network — or any attacker who has gained network access — can trigger the exploit directly.
SYSTEM-Level Execution on a Domain Controller
A domain controller is the highest-value target in most Windows enterprise environments. It controls Active Directory — the authoritative source for user identities, access rights, group policies, and machine accounts across the entire domain. SYSTEM-level code execution on a domain controller means an attacker can create or modify any account, reset any password, disable any security control, and pivot to any machine in the domain. This is total domain compromise in a single exploit chain.
Worm-Like Propagation Potential
Because exploitation requires only network access and no user interaction, the vulnerability is ideal for automated exploitation at scale. Security researchers note the profile is similar to historical Netlogon vulnerability Zerologon (CVE-2020-1472), which moved from advisory to weaponised exploit in under two weeks. Zerologon was used in ransomware campaigns that caused widespread enterprise damage.
Active Exploitation — Current Status
The Centre for Cybersecurity Belgium (CCB) issued a public warning on May 30, 2026, confirming active exploitation in the wild. CISA has added CVE-2026-41089 to its Known Exploited Vulnerabilities catalogue with a mandatory patch deadline for federal agencies. Microsoft assessed the vulnerability as “Less Likely” to be exploited at the time of disclosure — that assessment has now been overtaken by events.
Detection Signals
Security teams should monitor for these indicators of potential CVE-2026-41089 exploitation:
- Netlogon service unexpectedly crashing or restarting on domain controllers
- Anomalous Netlogon traffic patterns originating from non-domain-controller source addresses
- Authentication failures or domain trust errors immediately following suspicious network activity against a domain controller
- Unexpected new administrator accounts appearing in Active Directory
- Unusual SYSTEM process behaviour on domain controllers following network-level events
Remediation
Primary fix: Apply the May 2026 Patch Tuesday security updates. Microsoft has released patches for all supported Windows Server versions from 2012 onward.
For unsupported systems: Acros Security has released micropatches for legacy Windows Server versions that Microsoft no longer supports with official patches.
Network controls: Ensure domain controllers are not directly internet-exposed. Restrict which systems and services can communicate with the Netlogon service over the relevant ports. Network segmentation around domain controllers is essential defence-in-depth even after patching.
Broader May 2026 Patch Tuesday Context
Microsoft addressed 118–138 CVEs in its May 2026 Patch Tuesday release, including 16 rated critical. Other significant vulnerabilities include CVE-2026-41096 (CVSS 9.8) — a heap-based buffer overflow in Windows DNS Client — and CVE-2026-35428, a command injection flaw in Azure Cloud Shell. The Netlogon RCE is the most immediately dangerous due to its active exploitation status and domain compromise potential.
Leave a Reply