
CVE-2026-41089: Attackers Actively Exploiting Netlogon Vulnerability on Domain Controllers

The bottom line: A stack-based buffer overflow vulnerability in Windows Netlogon is being actively exploited in the wild to compromise domain controllers; the security updates released on May 12, 2026 must be installed.

Belgium’s cybersecurity centre (CCB) confirms active attacks against the critical Windows Netlogon vulnerability CVE-2026-41089 (CVSS 9.8). Attackers can thereby execute malicious code with system privileges on domain controllers.

The Center for Cybersecurity Belgium (CCB) has issued an urgent security warning: the vulnerability CVE-2026-41089 in the Windows Netlogon subsystem is being actively exploited by threat actors. Microsoft patched it on May 12, 2026 together with 135 other security updates and rated it with the maximum CVSS score of 9.8. Notably, while Microsoft initially assessed exploitation as unlikely, the Belgian security authorities now confirm real attacks in the wild.

Technically, this is a stack-based buffer overflow in the Netlogon service, the central process for secure channels between clients and domain controllers. An unauthenticated attacker sends a crafted RPC network packet to a vulnerable controller. Because the service does not sufficiently validate this input, the attacker can overwrite return addresses on the stack and execute injected code. Critically, the Netlogon service runs with SYSTEM privileges, so the attacker gains full administrative control of the domain controller without ever authenticating.

Authorities and Microsoft currently assess the situation differently. The Belgian CCB warns of active exploitation with malware execution. Microsoft states that it has no verified telemetry data on ongoing compromises and has not updated its security bulletin, but nonetheless strongly recommends patching. Security researchers point out that the ready availability of reverse-engineering tools and AI assistance has drastically shortened the time between a patch release and a working exploit.

For CISOs, immediate action is required: deploying the updates is necessary but not sufficient. A compromise of the domain controllers, the central trust foundation of every Active Directory environment, leads to the collapse of the entire identity and access infrastructure. In parallel, organizations should implement additional hardening measures to reduce the attack surface and hinder lateral movement.

Source: www.it-daily.net · Published June 4, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification through Lumi News Pipeline v1.2.9.