Windows Netlogon RCE flaw actively exploited, targeting domain controllers
▼ Summary
– CVE-2026-41089 is a critical stack-based buffer overflow in Windows Netlogon that allows remote code execution and is now actively exploited.
– The flaw lets attackers send a crafted network request to a domain controller to execute code over the network.
– Microsoft disclosed the vulnerability on May 12, 2026, initially deeming it “less likely” to be exploited, but AI-enabled adversaries have shortened the disclosure-to-exploitation gap.
– Microsoft issued patches in the latest Patch Tuesday release, and admins are advised to patch all domain controllers together and restrict Netlogon traffic.
– Acros Security released micropatches for the flaw on legacy Windows Server versions (2008 R2, 2012, and 2012 R2).
A critical remote code execution vulnerability in Windows Netlogon, tracked as CVE-2026-41089, is now being actively exploited in real-world attacks, according to a warning issued Friday by the Centre for Cybersecurity Belgium (CCB). The flaw specifically targets domain controllers, making it a high-priority threat for enterprise networks.
The vulnerability itself is a stack-based buffer overflow within the Netlogon service, which is responsible for authentication and security in Windows domain environments. Attackers can exploit it by sending a carefully crafted network request to a Windows server functioning as a domain controller, potentially allowing them to execute arbitrary code remotely.
Microsoft first disclosed the flaw on May 12, 2026, crediting its internal Windows Attack Research & Protection (WARP) team for reporting it. Initially, the company rated the likelihood of exploitation as “less likely.” However, the rapid evolution of AI-powered adversaries is collapsing the window between public disclosure and active exploitation. Security researchers and AI firms are now reverse-engineering patches and sharing root cause analyses and proof-of-concept code at an accelerated pace.
The CCB has not yet released specific details about the ongoing attacks, leaving administrators to act on general guidance. We have reached out to the CCB for more information and will update this article as new details emerge.
Immediate actions are critical. Microsoft included patches for CVE-2026-41089 in its most recent Patch Tuesday release, covering multiple Windows Server versions. Jason Kikta, CTO at Automox, strongly urged administrators to apply the patch to all domain controllers within the same maintenance window. He warned that “half-patched forests are not a defensible state for a pre-auth Domain Controller bug.”
Beyond patching, Kikta advised security teams to restrict Netlogon traffic at the network layer and audit domain controller exposure. He described the flaw as a “fast path to forest-wide takeover” once an attacker has breached the perimeter. Key signs of active exploitation include:
- The Netlogon service unexpectedly crashing or restartingFor organizations running legacy systems, Acros Security has released micropatches for CVE-2026-41089 covering Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.Stay informed by subscribing to our breaking news email alerts for the latest on breaches, vulnerabilities, and cybersecurity threats.
