Critical Windows Netlogon RCE CVE-2026-41089 now exploited - unauthenticated code execution on domain controllers, all Server versions, CCB Belgium warns
The Centre for Cybersecurity Belgium (CCB) has warned that threat actors are now exploiting CVE-2026-41089, a critical Windows Netlogon vulnerability that Microsoft patched during the May 2026 Patch Tuesday. Netlogon is a core Windows Server RPC service that authenticates users and services on domain-based networks. The flaw is a stack-based buffer overflow that lets an unauthenticated attacker send a specially crafted network request to a domain controller and gain remote code execution without signing in or any prior access. It impacts all currently supported Windows Server versions, including the latest release. Because domain controllers are high-value targets, successful exploitation can lead to full domain compromise.
- Check: Inventory all domain controllers and confirm the May 2026 Patch Tuesday update (CVE-2026-41089) is applied. Review Netlogon RPC traffic and DC event logs for anomalous unauthenticated requests.
- Affected: All currently supported Windows Server versions acting as domain controllers, unpatched against the May 2026 fix. Unauthenticated attackers can gain RCE on a DC, enabling full domain compromise.
- Fix: Apply the May 2026 Patch Tuesday update to every domain controller immediately. Restrict Netlogon RPC exposure to trusted networks. Monitor for post-exploitation lateral movement from DCs.
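
One way to carry out the inventory-and-confirm check above, as an added example that is not from the CCB or Microsoft. It assumes the ActiveDirectory RSAT module is installed and an account that may query the DCs remotely; `KB0000000` is a placeholder, because this page does not give the KB numbers.

```powershell
#Requires -Modules ActiveDirectory
# Added example: report which domain controllers list the fixing update.
# ASSUMPTION: 'KB0000000' is a placeholder. Replace it with the KB IDs that
# Microsoft's advisory for CVE-2026-41089 lists for each Windows Server version.
$PatchKbIds = @('KB0000000')

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [ordered]@{
        DomainController = $dc.HostName
        Site             = $dc.Site
        OperatingSystem  = $dc.OperatingSystem
        Status           = 'Unknown'
        MatchedKb        = $null
        LatestUpdate     = $null
    }
    try {
        # Fetch the full hotfix list so that an unreachable DC (exception)
        # is not confused with a reachable DC that lacks the update (no match).
        $hotfixes = @(Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop)
        $match    = @($hotfixes | Where-Object { $_.HotFixID -in $PatchKbIds })

        # Most recently installed update, for context when the KB is not listed.
        $row.LatestUpdate = ($hotfixes |
            Where-Object { $_.InstalledOn } |
            Sort-Object InstalledOn |
            Select-Object -Last 1).HotFixID

        if ($match.Count -gt 0) {
            $row.Status    = 'Patched'
            $row.MatchedKb = $match.HotFixID -join ','
        }
        else {
            $row.Status = 'NotListed'
        }
    }
    catch {
        # RPC/WMI failure: the DC still needs to be checked another way.
        $row.Status = 'Unreachable'
    }
    [pscustomobject]$row
}

$report | Sort-Object Status, DomainController | Format-Table -AutoSize
```

A DC that has installed a later cumulative update may not list the May KB, so treat `NotListed` as "verify the OS build by hand" and `Unreachable` as unverified, not as patched.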