Windows Netlogon RCE CVE-2026-41089 now exploited in the wild
Belgium's CCB confirms active exploitation of the CVSS 9.8 Netlogon stack-overflow patched by Microsoft in May. Unauthenticated, no user interaction, domain controller takeover.
CVE-2026-41089, a stack-based buffer overflow in Windows Netlogon, is being exploited in the wild against domain controllers. The flaw was patched in Microsoft's May 2026 Patch Tuesday on 12 May. The Centre for Cybersecurity Belgium (CCB) advisory was updated on 29 May to flag in-the-wild abuse — the first public confirmation from a national CSIRT. Follow-on reporting at Help Net Security, BleepingComputer and SecurityWeek corroborates the timeline. No vendor has attributed the activity to a named group, and as of this post, the CVE is not yet listed in the CISA Known Exploited Vulnerabilities catalog.
What the bug is
CVE-2026-41089 is a stack-based buffer overflow in the Netlogon RPC service running on a Windows server configured as a domain controller. CVSS 3.1 base score 9.8 — network attack vector, no privileges required, no user interaction, complete compromise of confidentiality, integrity and availability of the targeted DC. A specially crafted Netlogon request triggers the overflow and lets the attacker run code as SYSTEM on the domain controller.
Reaching the Netlogon service from a foothold inside a domain is trivial; reaching it from the public internet is the much narrower scenario, but any compromised endpoint with line-of-sight to a DC is a launchpad.
Affected versions
Per Microsoft's advisory, every currently supported Windows Server SKU running the Netlogon service in domain-controller mode is in scope:
- Windows Server 2025
- Windows Server 2022 (and 2022 23H2)
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2 (ESU)
- Windows Server 2012 (ESU)
- Windows Server 2008 R2 SP1 / 2008 SP2 (ESU)
The bug lives in the shared Netlogon code path, not in a single SKU. If a server runs Netlogon and holds the DC role, assume it is exposed until patched.
Exploitation status
- 29 May 2026 — CCB Belgium advisory updated: "actively exploited in the wild." This is the primary source for the in-the-wild claim. No public PoC has been linked to the active campaigns, and no vendor has named an actor.
- 1 June 2026 — secondary outlets (Help Net Security, BleepingComputer, SecurityWeek, Cybersecurity News) carry the CCB update.
- Microsoft's advisory continues to list exploitability as confirmed; the CVE is not yet in CISA KEV.
If a fresh KEV add lands after this post, the binding remediation deadline for federal civilian agencies starts from that date — not from Microsoft's May disclosure.
Action checklist
- Patch every domain controller now. The fix is in the May 2026 cumulative update for every supported Windows Server SKU. If you sat out May Patch Tuesday on your DCs because the rollup looked routine, this is the CVE that forces the schedule.
- Prioritise internet-reachable DCs and DCs in trust relationships with merger/acquisition partners. Pre-auth code execution on a DC collapses straight into domain-wide compromise via DCSync or Golden Ticket; a single unpatched DC in a forest with two-way trust drags the whole graph.
- Hunt for post-exploitation signs from 12 May forward. Look for: unscheduled lsass.exe process creation off Netlogon-related callers, new krbtgt password resets you didn't perform, anomalous DRSGetNCChanges (DCSync) calls from non-DC sources, and new privileged accounts created on or after the May update. Microsoft has not published vendor-blessed IOCs for this CVE; treat the search as behavioural until they do.
- Restrict Netlogon RPC exposure. The Netlogon RPC endpoint should not be reachable from arbitrary client networks. Audit your DC firewall and segmentation policy — RPC dynamic ports plus 445 from a flat user VLAN to a DC is the architecture this exploit feeds on.
- If you cannot patch a DC today, take it offline. There is no documented workaround. A DC that cannot be patched in the next 24 hours is a DC that should not be online.
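The hunt bullet above as a triage helper (added example, not code from the post): it applies three of the four behavioural checks to Windows Security events that have already been exported to dicts (for instance from Get-WinEvent piped through ConvertTo-Json). The event records are constructed, the replication-right GUIDs and event IDs are the standard Windows values, and the DC hostnames are an assumption you replace with your own.

```python
import re
from datetime import datetime, timezone

# Extended rights DRSGetNCChanges (DCSync) needs; real AD schema GUIDs for
# DS-Replication-Get-Changes, -Get-Changes-All and -Get-Changes-In-Filtered-Set.
REPLICATION_RIGHTS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                      "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
                      "89e95b76-444d-4c62-991a-0facbeda640c"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
MEMBER_ADD_EVENTS = {4728, 4732, 4756}  # member added to global/local/universal group
HUNT_START = datetime(2026, 5, 12, tzinfo=timezone.utc)  # May 2026 Patch Tuesday
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

def replication_rights(props):
    """Raw 4662 'Properties' is a newline-separated list of {GUID}s; accept str or list."""
    text = props if isinstance(props, str) else "\n".join(props)
    return {g.lower() for g in GUID_RE.findall(text)} & REPLICATION_RIGHTS

def is_dc_account(name, dc_hosts):
    # Only DC machine accounts (HOSTNAME$) legitimately pull replication changes.
    return name.endswith("$") and name[:-1].upper() in {h.upper() for h in dc_hosts}

def triage(events, dc_hosts):
    """Return (rule, principal, time) for every event that matches a hunt rule."""
    findings = []
    for ev in events:
        if datetime.fromisoformat(ev["time"]) < HUNT_START:
            continue  # predates the window the post tells you to hunt from
        eid, d = ev["id"], ev["data"]
        if eid == 4662 and replication_rights(d.get("Properties", "")) \
                and not is_dc_account(d["SubjectUserName"], dc_hosts):
            findings.append(("dcsync", d["SubjectUserName"], ev["time"]))
        elif eid == 4724 and d["TargetUserName"].lower() == "krbtgt":
            findings.append(("krbtgt_reset", d["SubjectUserName"], ev["time"]))
        elif eid in MEMBER_ADD_EVENTS and d["TargetUserName"] in PRIVILEGED_GROUPS:
            findings.append(("priv_group_add", d["MemberName"], ev["time"]))
    return findings

# Constructed sample records (not real telemetry), shaped like Get-WinEvent output
# after the EventData fields have been flattened into a dict.
SAMPLE_EVENTS = [
    {"id": 4662, "time": "2026-05-20T02:14:00+00:00",  # legitimate DC-to-DC replication
     "data": {"SubjectUserName": "DC02$", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}},
    {"id": 4662, "time": "2026-05-20T02:15:00+00:00",  # workstation pulling replication data
     "data": {"SubjectUserName": "WS-FINANCE-07$", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}},
    {"id": 4724, "time": "2026-05-21T03:01:00+00:00", "data": {"SubjectUserName": "svc-backup", "TargetUserName": "krbtgt"}},
    {"id": 4728, "time": "2026-05-21T03:02:00+00:00", "data": {"SubjectUserName": "svc-backup",
     "TargetUserName": "Domain Admins", "MemberName": "CN=helpdesk2,CN=Users,DC=corp,DC=test"}},
    {"id": 4724, "time": "2026-04-30T09:00:00+00:00", "data": {"SubjectUserName": "admin.jane", "TargetUserName": "krbtgt"}},
]
```

Calling `triage(SAMPLE_EVENTS, ["DC01", "DC02"])` flags the workstation DCSync, the krbtgt reset and the Domain Admins addition, and drops the April krbtgt reset as outside the window.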
Context
Netlogon has a recent history of catastrophic remote bugs. Zerologon (CVE-2020-1472), the 2020 Netlogon elevation-of-privilege flaw that let an attacker reset the domain controller's machine account password with a flood of zero-filled authentication requests, is still actively scanned for in 2026. The architectural premise that broke Zerologon — Netlogon as a default-on, network-reachable, RPC-exposed, deeply-privileged service running on every DC — is the same premise that CVE-2026-41089 abuses, in a different code path with a different bug class.
This is also the third critical CVSS-9+ Windows DC bug Microsoft has patched in twelve months where the in-the-wild signal arrived from a European CSIRT before US authorities adopted it. The CCB Belgium playbook of updating an existing Patch Tuesday advisory rather than issuing a new alert means the change is easy to miss if you subscribe only to the initial advisory feed. Re-pull updated advisories, not just new ones.