Last updated: July 5, 2026 at 9:01 AM UTC
Tag: netlogon (2 articles)

Critical Windows Netlogon RCE CVE-2026-41089 now exploited - unauthenticated code execution on domain controllers, all Server versions, CCB Belgium warns

The Centre for Cybersecurity Belgium (CCB) has warned that threat actors are now exploiting CVE-2026-41089, a critical Windows Netlogon vulnerability that Microsoft patched during the May 2026 Patch Tuesday. Netlogon is a core Windows Server RPC service that authenticates users and services on domain-based networks. The flaw is a stack-based buffer overflow that lets an unauthenticated attacker send a specially crafted network request to a domain controller and gain remote code execution without signing in or any prior access. It impacts all currently supported Windows Server versions, including the latest release. Because domain controllers are high-value targets, successful exploitation can lead to full domain compromise.

Check
Inventory all domain controllers and confirm the May 2026 Patch Tuesday update (CVE-2026-41089) is applied. Review Netlogon RPC traffic and DC event logs for anomalous unauthenticated requests.
Affected
All currently supported Windows Server versions acting as domain controllers that have not received the May 2026 fix. An unauthenticated attacker can gain RCE on a DC, enabling full domain compromise.
Fix
Apply the May 2026 Patch Tuesday update to every domain controller immediately. Restrict Netlogon RPC exposure to trusted networks. Monitor for post-exploitation lateral movement from DCs.

Microsoft's May 2026 Patch Tuesday fixes 120 flaws and no zero-days for the first time since June 2024 - but a Word preview-pane bug and DNS Client RCE stand out as the priorities

Microsoft fixed 120 vulnerabilities on Tuesday - 17 Critical, no zero-days for the first time since June 2024. Two Word RCEs (CVE-2026-40361 and CVE-2026-40364) trigger just by viewing a malicious document in Outlook's Preview Pane and are rated 'Exploitation More Likely.' Windows DNS Client (CVE-2026-41096) lets an attacker-controlled DNS server execute code on any Windows machine resolving a hostile name - echoing SigRed. Other priorities: Netlogon RCE (CVE-2026-41089) and Microsoft SSO Plugin for Jira and Confluence (CVE-2026-41103, CVSS 9.1).

Check
Check Windows patch status for the May 2026 cumulative update. Confirm whether Outlook's Word Preview Pane is enabled - that's the exposure path for CVE-2026-40361 and CVE-2026-40364.
Affected
Unpatched Windows clients and servers. Priority targets: Outlook/Word (Preview Pane RCEs CVE-2026-40361/40364), domain controllers (Netlogon CVE-2026-41089), DNS-facing servers (CVE-2026-41096).
Fix
Deploy May 2026 cumulative updates fleet-wide. Prioritize DCs (Netlogon), DNS servers, and Outlook hosts. Disable Word Preview Pane as a compensating control until patched.