🛡️ Windows Netlogon RCE: Critical Flaw Now Actively Exploited
Critical Netlogon Vulnerability Now Under Active Attack
Belgium's Centre for Cybersecurity Belgium (CCB) issued an urgent warning on Friday: a critical Windows Netlogon remote code execution vulnerability — tracked as CVE-2026-41089 with a CVSS score of 9.8 out of 10 — is now being actively exploited in the wild. If you manage Windows servers, especially domain controllers, this is the most important security update you need to apply today.
CVE-2026-41089 is a stack-based buffer overflow in the Windows Netlogon Remote Protocol (NRPC), a core service that handles authentication between workstations and domain controllers in Active Directory environments. An attacker who successfully exploits this vulnerability can gain complete remote code execution on a domain controller without needing any credentials — no username, no password, no prior access.
The CCB warning, issued on Friday 30 May 2026, states plainly: "CVE-2026-41089 in Windows Netlogon is now actively exploited in the wild and could lead to RCE. Patch as quickly as possible." Microsoft originally patched this vulnerability during the May 2026 Patch Tuesday (12 May 2026), which fixed 120 flaws including 16 critical vulnerabilities. But with active exploitation confirmed, the timeline for patching just compressed from "next maintenance window" to "right now."
If your organisation runs Windows Server — and especially if you run domain controllers — here is everything you need to know about CVE-2026-41089, how to check if you're vulnerable, and what to do immediately.
What Is CVE-2026-41089?
CVE-2026-41089 is a stack-based buffer overflow vulnerability in the Windows Netlogon service. Netlogon (the NRPC protocol) is the authentication backbone of Active Directory — every time a user logs into a domain-joined computer, changes a password, or accesses a network resource, Netlogon handles the authentication handshake between the workstation and the domain controller.
Microsoft's advisory describes the flaw succinctly: "An attacker could send a specially crafted network request to a Windows server that is acting as a domain controller. If successful, this could cause the Netlogon service to improperly handle the request, potentially allowing the attacker to run code on the affected system without needing to sign in or have prior access."
Key details:
- CVE ID: CVE-2026-41089
- CVSS Score: 9.8 (Critical)
- Attack Vector: Network; no authentication required
- Complexity: Low
- Impact: Complete system compromise; RCE on domain controller
- Affected: All supported Windows Server versions including Windows Server 2025
- Discovered by: Microsoft's Windows Attack Research & Protection (WARP) team
- Patched: 12 May 2026 (May Patch Tuesday)
This is a pre-authentication vulnerability. The attacker does not need to be logged in, does not need valid credentials, and does not need any special network position beyond basic network access to the domain controller. In Active Directory environments, domain controllers are the crown jewels — they authenticate every user and computer, store the password hashes for every account in the domain, and control group policies that define security settings across the entire organisation. A compromised domain controller means a compromised network.
Why This Is Different from the 2020 Netlogon Flaw (CVE-2020-1472)
Security professionals with long memories will recall CVE-2020-1472 (aka Zerologon), a critical Netlogon privilege escalation vulnerability that also scored CVSS 10.0 and was actively exploited by threat actors including ransomware groups. CVE-2026-41089 differs in one critical way: this is remote code execution, not privilege escalation.
Zerologon allowed an attacker who already had network access to a domain controller to elevate privileges to domain administrator. CVE-2026-41089 goes further — it allows an attacker to execute arbitrary code on the domain controller remotely, without any authentication at all. The attacker can install programs, view, change, or delete data, or create new accounts with full user rights.
The discovery of this vulnerability by Microsoft's own WARP team suggests it was found through internal security research rather than external disclosure, which means Microsoft had advance warning. But the timeline from patch to active exploitation is troubling — just 19 days from Patch Tuesday (12 May) to confirmed in-the-wild exploitation (30 May).
Who Is at Risk?
Any organisation running Windows Server with Active Directory is potentially vulnerable. This includes:
- Enterprise networks — Large organisations with on-premises Active Directory
- Financial institutions — Banks, credit unions, insurance companies that use Windows domain controllers for authentication
- Healthcare organisations — Hospitals and clinics running Windows Server infrastructure
- Government agencies — Federal, state, and local government networks
- Small and medium businesses — Even a single-server SMB domain is at risk if it's a domain controller
- Managed service providers — MSPs running domain controllers that manage multiple client environments are especially high-value targets
The CCB explicitly warned that the vulnerability is being exploited in the wild, meaning real attackers are actively scanning for and compromising unpatched domain controllers. Given a CVSS of 9.8 and the availability of a patch since 12 May, it is almost certain that automated scanning tools and ransomware groups are now targeting this vulnerability as part of their initial access operations.
How to Check If Your Systems Are Vulnerable
Step 1: Check your Windows Server version
If you are running any supported version of Windows Server — 2019, 2022, or 2025 — and you have not installed the May 2026 security update (KB5089549), your domain controllers are vulnerable.
Step 2: Verify the patch is installed
Run this PowerShell command on each domain controller:
Get-HotFix -Id KB5089549
If the command returns no results, the patch is not installed.
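Steps 1 and 2 above are per-server checks; in a domain with several domain controllers it is easier to enumerate them from Active Directory and query each one in a single pass. The following script is an added example (not from the article or from the CCB or Microsoft advisories) that does exactly that. It assumes the ActiveDirectory RSAT module is installed, that PowerShell remoting (WinRM) is permitted to each DC, and that the account running it can query installed hotfixes; the output CSV path is an arbitrary choice.

```powershell
# Added example, not from the article or the CCB/Microsoft advisories: confirm KB5089549
# (the May 2026 update named above) on every domain controller in the current domain,
# and report the OS version and build alongside it. Assumes the ActiveDirectory RSAT
# module, WinRM access to each DC, and an account permitted to query hotfixes.
Import-Module ActiveDirectory

$Kb = 'KB5089549'

# Enumerate every DC registered in AD rather than relying on a hand-kept list
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    try {
        Invoke-Command -ComputerName $dc -ErrorAction Stop -ArgumentList $Kb -ScriptBlock {
            param($Kb)
            $os  = Get-CimInstance Win32_OperatingSystem
            # Get-HotFix returns nothing (not an error) when the update is absent
            $fix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                OSVersion   = $os.Caption
                Build       = $os.BuildNumber
                Patched     = [bool]$fix
                InstalledOn = if ($fix) { $fix.InstalledOn } else { $null }
                Error       = $null
            }
        }
    } catch {
        # An unreachable DC is reported as unpatched so it cannot silently drop off the list
        [pscustomobject]@{
            Computer    = $dc
            OSVersion   = 'UNREACHABLE'
            Build       = $null
            Patched     = $false
            InstalledOn = $null
            Error       = $_.Exception.Message
        }
    }
}

# Unpatched and unreachable hosts sort to the top
$results | Sort-Object Patched, Computer |
    Format-Table Computer, OSVersion, Build, Patched, InstalledOn, Error -AutoSize

# Export the hosts that still need the emergency change (path is an assumption)
$results | Where-Object { -not $_.Patched } |
    Export-Csv -Path "$env:TEMP\dc-kb5089549-status.csv" -NoTypeInformation
```

Get-HotFix reads the Win32_QuickFixEngineering class, which lists updates installed through the Windows servicing stack; if your organisation deploys updates through other tooling, treat a missing entry as a prompt to cross-check the reported build number against the release notes for the May 2026 update rather than as proof the DC is unpatched.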
Step 3: Check for signs of compromise
Even if you patch now, an attacker may have already exploited the vulnerability. Look for:
- Unusual accounts created in Active Directory
- Unexpected scheduled tasks on domain controllers
- New service accounts or service principal names
- Unusual network connections from domain controllers to external IPs
- Event ID 4625 (failed logon) spikes from unexpected sources
Immediate Mitigation Steps
1. Patch Immediately
Apply the May 2026 security update (KB5089549) to ALL domain controllers. This is a critical severity update and should be treated as an emergency change. If you cannot patch immediately, isolate domain controllers from untrusted network access.
2. Monitor for Active Exploitation
Enable logging on domain controllers and monitor for:
- Event ID 5805 — Netlogon service failures
- Event ID 5722 — Netlogon authentication failures
- Unusual RPC traffic to domain controllers on port 445
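The indicators in Step 3 of the previous section and the Netlogon event IDs listed above can be pulled together into one first-pass triage script run locally on each domain controller. The script below is an added example, not part of the article or the CCB guidance; it assumes the ActiveDirectory RSAT module is present on the DC, and the lookback window ($LookbackDays) and the failed-logon threshold ($FailedLogonThreshold) are assumed starting values to tune for your environment.

```powershell
# Added example (not from the article): first-pass triage on a domain controller for the
# indicators listed in the article. Run locally on each DC in an elevated session with the
# ActiveDirectory RSAT module available. The two tunables below are assumptions.
Import-Module ActiveDirectory

$LookbackDays = 20          # assumption: covers the period since the 12 May patch release
$FailedLogonThreshold = 50  # assumption: 4625 events per source IP above which to flag
$since = (Get-Date).AddDays(-$LookbackDays)

# 1. User and computer accounts created in the window
Write-Host "== Accounts created since $since =="
Get-ADUser     -Filter { whenCreated -ge $since } -Properties whenCreated |
    Select-Object SamAccountName, whenCreated | Format-Table -AutoSize
Get-ADComputer -Filter { whenCreated -ge $since } -Properties whenCreated |
    Select-Object SamAccountName, whenCreated | Format-Table -AutoSize

# 2. Objects carrying SPNs that were modified in the window (new service accounts / SPNs)
Write-Host "== Objects with SPNs modified since $since =="
Get-ADObject -Filter { servicePrincipalName -like '*' -and whenChanged -ge $since } `
    -Properties servicePrincipalName, whenChanged |
    Select-Object Name, whenChanged, @{ n = 'SPNs'; e = { $_.servicePrincipalName -join ';' } } |
    Format-Table -AutoSize -Wrap

# 3. Scheduled tasks registered in the window (the task Date property is the registration time)
Write-Host "== Scheduled tasks registered since $since =="
Get-ScheduledTask | Where-Object { $_.Date -and ([datetime]$_.Date) -ge $since } |
    Select-Object TaskName, TaskPath, Date, Author | Format-Table -AutoSize

# 4. Netlogon events 5805 / 5722 from the System log
Write-Host "== Netlogon events 5805/5722 since $since =="
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5805, 5722; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap

# 5. Failed logons (4625) grouped by source IP; spikes from unexpected sources stand out here
Write-Host "== 4625 failed logons by source IP (threshold $FailedLogonThreshold) =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        ($x.Event.EventData.Data | Where-Object Name -eq 'IpAddress').'#text'
    } |
    Group-Object | Where-Object Count -ge $FailedLogonThreshold |
    Sort-Object Count -Descending | Select-Object Name, Count | Format-Table -AutoSize

# 6. Established TCP connections from this DC to non-private IPv4 addresses
function Test-PrivateIPv4 {
    param([string]$Ip)
    # RFC 1918 ranges plus loopback and link-local
    return $Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.)'
}
Write-Host "== Established connections to non-private IPv4 addresses =="
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -match '^\d+\.' -and -not (Test-PrivateIPv4 $_.RemoteAddress) } |
    Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Format-Table -AutoSize
```

Nothing the script prints is proof of compromise on its own; a new account or a burst of 4625 events from a known jump host may be entirely legitimate. Its purpose is to produce a short list that someone who knows the environment can review, and anything that cannot be explained should be escalated to incident response before the DC is treated as clean.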
3. Review Domain Controller Network Segmentation
Domain controllers should never be directly accessible from the internet. Review firewall rules to ensure that:
- Port 445 (SMB) is not exposed externally
- Port 135 (RPC) is not exposed externally
- Domain controllers are on a separate management VLAN
- Remote access to domain controllers requires VPN + MFA
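Perimeter and VLAN rules live on network equipment, but the host firewall on the domain controller itself is the last place an overly broad rule can hide. The script below is an added example (not from the article) that audits the local Windows Firewall for enabled inbound allow rules opening TCP 445 or 135 to any remote address. It uses the NetSecurity module cmdlets that ship with Windows Server; $WatchPorts and $MgmtSubnet are assumed values, and the remediation command at the end is shown commented out rather than run.

```powershell
# Added example (not from the article): find enabled inbound allow rules on this host that
# expose TCP 445 (SMB) or TCP 135 (RPC endpoint mapper) to any remote address.
# $WatchPorts and $MgmtSubnet are assumptions; adjust for your environment.
$WatchPorts = @(445, 135)
$MgmtSubnet = '10.20.30.0/24'   # assumption: the management VLAN admins connect from

function Test-PortCovered {
    param([string]$Spec, [int]$Port)
    # A LocalPort entry is 'Any', a single port, a range 'a-b', or a keyword such as
    # 'RPC' / 'RPC-EPMap' (the endpoint mapper keyword corresponds to port 135)
    if ($Spec -eq 'Any') { return $true }
    if ($Spec -eq 'RPC-EPMap' -and $Port -eq 135) { return $true }
    if ($Spec -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return (($Spec -as [int]) -eq $Port)
}

$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue

$exposed = foreach ($rule in $rules) {
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    if ($port.Protocol -notin @('TCP', 'Any')) { continue }

    $hitPorts = foreach ($p in $WatchPorts) {
        if (@($port.LocalPort) | Where-Object { Test-PortCovered -Spec $_ -Port $p }) { $p }
    }
    # 'Any' as the remote address means the rule accepts traffic from every source
    if ($hitPorts -and ($addr.RemoteAddress -contains 'Any')) {
        [pscustomobject]@{
            Name          = $rule.DisplayName
            RuleId        = $rule.Name
            Profile       = $rule.Profile
            Protocol      = $port.Protocol
            LocalPort     = (@($port.LocalPort) -join ',')
            WatchedPorts  = ($hitPorts -join ',')
            RemoteAddress = (@($addr.RemoteAddress) -join ',')
        }
    }
}

if ($exposed) {
    Write-Host "Inbound allow rules exposing watched ports to any remote address:"
    $exposed | Format-Table Name, Profile, Protocol, LocalPort, WatchedPorts, RemoteAddress -AutoSize
    Write-Host "Example remediation (review before running; scopes one rule to the management VLAN):"
    Write-Host "  Set-NetFirewallRule -Name '$($exposed[0].RuleId)' -RemoteAddress '$MgmtSubnet'"
} else {
    Write-Host "No enabled inbound allow rules open TCP $($WatchPorts -join '/') to any remote address."
}
```

On a domain controller the built-in rules that open these ports (for example the File and Printer Sharing and RPC rule groups) are expected to exist, so the finding to act on is not their presence but a RemoteAddress of Any on a profile that faces untrusted networks; scoping them to the management subnet and member-server ranges, as the commented Set-NetFirewallRule call illustrates, keeps Netlogon reachable for clients while removing the internet-facing exposure the article warns about.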
4. Enable MFA for Administrative Access
Even with patched domain controllers, any admin account with domain privileges is a target. Enforce hardware-backed MFA for all administrative access to domain controllers and other critical infrastructure.
5. Review Your Password Policy
A compromised domain controller exposes every password hash in Active Directory. This is why strong, unique passwords for every account are essential — and why organisations should use a password manager like Keeper Business to enforce password policies across the enterprise.
What This Means for Your Security Strategy
The CVE-2026-41089 exploitation confirms a worrying trend: the window between patch availability and active exploitation is shrinking. In 2024, the average patch-to-exploit time was 15 days according to the Verizon Data Breach Investigations Report. CVE-2026-41089 was exploited in 19 days — close to the average, but the damage potential is far higher because it targets the authentication backbone of Windows networks.
For security teams, this reinforces several critical practices:
1. Patch management velocity matters. The days of "patch within 30 days" are over. Critical-severity CVSS 9+ vulnerabilities should be patched within 48 hours, especially when they affect internet-facing or authentication infrastructure.
2. Defence in depth is non-negotiable. A single vulnerability should not be able to compromise your entire network. Network segmentation, least-privilege access, and monitoring are your safety nets when patching is delayed.
3. Password security is the last line of defence. If an attacker compromises a domain controller, they have every password hash. Strong, unique passwords — generated by tools like the TitanPasswords password generator — are the difference between a data breach and a contained incident.
4. Authentication infrastructure is the new perimeter. As more organisations move to cloud identity providers, the on-premises domain controller remains the most critical piece of authentication infrastructure. It needs the same level of protection as your cloud identity provider — vulnerability scanning, penetration testing, and real-time monitoring.
Protecting Your Credentials After a Domain Controller Compromise
If your domain controller is compromised, every password hash stored in Active Directory is exposed. This is devastating because:
- Password hashes can be cracked offline — Given enough time, attackers can crack weak and moderate-strength passwords
- Pass-the-hash attacks — Even without cracking, attackers can use captured NTLM hashes to authenticate to other systems
- Golden ticket attacks — With domain admin access, attackers can forge Kerberos tickets and maintain persistence indefinitely
The best defence is prevention: ensure every account in your organisation uses a strong, unique password that cannot be cracked if the hash is stolen. Enterprise password managers like Dashlane Business enforce 30+ character randomised passwords that are computationally infeasible to crack, even with months of offline GPU time.
For personal accounts at risk from the same breach dynamic, use our TitanPasswords password generator to create strong, unique passwords for every service you use. Never reuse passwords across accounts — credential stuffing attacks rely entirely on password reuse to turn a minor breach into a major account takeover.
This article contains affiliate links. If you purchase through these links, we may earn a commission at no extra cost to you. We only recommend products and services we have verified and tested.
FAQs
What is CVE-2026-41089?
CVE-2026-41089 is a critical stack-based buffer overflow vulnerability in the Windows Netlogon Remote Protocol (NRPC) that allows unauthenticated remote code execution on domain controllers. It carries a CVSS score of 9.8 out of 10.
Is CVE-2026-41089 being actively exploited?
Yes. Belgium's Centre for Cybersecurity Belgium (CCB) confirmed on 30 May 2026 that the vulnerability is being actively exploited in the wild. Microsoft's own advisory has not yet been updated to reflect active exploitation.
What Windows Server versions are affected?
All currently supported Windows Server versions are affected, including Windows Server 2019, Windows Server 2022, and Windows Server 2025.
How was CVE-2026-41089 discovered?
The vulnerability was discovered by Microsoft's Windows Attack Research & Protection (WARP) team, an internal offensive cybersecurity and engineering research group at Microsoft.
How is this different from Zerologon (CVE-2020-1472)?
Zerologon was a privilege escalation vulnerability that required network access to the domain controller. CVE-2026-41089 is a remote code execution vulnerability that requires no authentication at all, making it more severe and easier to exploit.
How quickly should I patch?
Immediately. The CCB warns that active exploitation is underway. If you cannot patch immediately, isolate domain controllers from all untrusted network access as a compensating control.