247techify blog.
Attackers Are Actively Exploiting a Critical Windows Netlogon Flaw: Patch Your Domain Controllers Now
Cybersecurity


CVE-2026-41089 scores 9.8, needs zero credentials, and gives attackers full remote code execution on Windows domain controllers. Belgium's CCB confirmed active exploitation on June 1. The patch has been out since May 12.


CVE-2026-41089 carries a CVSS score of 9.8, requires zero credentials, and gives attackers full remote code execution on Windows domain controllers. Belgium's Centre for Cybersecurity (CCB) confirmed active exploitation on June 1, 2026. The patch has been available since May 12. If your domain controllers are not updated, stop reading and start patching.


What Happened

Microsoft patched CVE-2026-41089 on May 12, 2026, as part of its May Patch Tuesday release, alongside 136 other vulnerabilities. The flaw is a stack-based buffer overflow in the Windows Netlogon service. No login, no credentials, and no user interaction are required. An attacker sends a specially crafted network request to a domain controller, the Netlogon service mishandles it, and the attacker gets remote code execution.

Microsoft initially rated the vulnerability as "less likely" to be exploited. That assessment was wrong. By June 1, Belgium's CCB had confirmed active exploitation, citing intelligence from trusted partners. Microsoft, for its part, told BleepingComputer it had not independently confirmed the CCB's claims but recommended customers install the latest security updates immediately.

Proof-of-concept exploit code has been shared publicly by security researchers. The exploitation timeline was roughly three weeks from patch release to confirmed in-the-wild attacks. That gap is now the norm, not the exception.


Why Netlogon Is Such a High-Value Target

Netlogon is the authentication backbone of every Windows domain. It authenticates users and services across the network, and it runs on every domain controller. Compromising it is not a server-level problem. It is a domain-wide problem.

A successful exploit gives an attacker a direct path to the Active Directory database (NTDS.dit), the Kerberos KRBTGT account that signs every ticket in the forest, machine-account credentials for every joined system, and Group Policy control over every client. In practical terms, CVE-2026-41089 is a primitive for becoming Domain Admin across the entire forest.

This is not the first time Netlogon has been weaponized this way. In 2020, CVE-2020-1472, known as ZeroLogon, exploited a cryptographic flaw in Netlogon to allow attackers to reset domain controller machine account passwords and seize full domain control. Ransomware operators and nation-state actors weaponized ZeroLogon within days of public disclosure. The same playbook is in use now.


Which Systems Are Affected

Every version of Windows Server from 2012 R2 through 2025 is affected. If your organization runs Active Directory, you are in scope. There are no exceptions based on network size or industry vertical.


What You Must Do Right Now

1. Patch every domain controller immediately. Run Get-ADDomainController -Filter * to enumerate every DC in your environment. Confirm KB5058411 (Server 2022) or KB5058385 (Server 2025) is installed on each one. Deploy the May 2026 cumulative update across all of them in the same maintenance window. Jason Kikta, CTO at Automox, put it plainly: "half-patched forests are not a defensible state for a pre-auth domain controller bug."

2. Patch carefully, not recklessly. Speed matters, but so does discipline. Rushed DC maintenance can break authentication or replication in fragile environments. Patch one DC per site first; once it has rebooted, validate service health, replication, Kerberos, LDAP, DNS registration, and authentication; then roll through the remaining DCs quickly.

3. Restrict Netlogon traffic at the network layer. Firewalls and network segmentation should limit which hosts can reach your domain controllers on Netlogon RPC ports. Only authorized source addresses should have that access.

4. Force MFA for all administrator sessions. The CCB advisory explicitly calls this out. Privileged sessions need a second factor, especially while exploitation is active.

5. Monitor for signs of exploitation. Watch for the Netlogon service crashing or restarting unexpectedly, anomalous authentication traffic, unexpected privilege escalation, and unusual Active Directory replication activity. Any of these warrants immediate investigation.

6. Do not assume patching closes the door on past attacks. Applying the patch stops future exploitation. It does not undo a compromise that already happened. If your DCs were unpatched for any portion of the window between May 12 and today, treat your domain as potentially compromised and investigate accordingly. Plan for forest-wide credential resets, KRBTGT rotation, and Tier 0 review, not just single-host remediation.
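The enumeration, patch check, and crash monitoring from steps 1 and 5 can be combined into one audit pass. The script below is an added example, not code from the article or from 247techify; it assumes the RSAT ActiveDirectory module is installed, that the account running it can query WMI and the System event log on each DC, and it only knows the two KB numbers the article lists (Server 2022 and Server 2025), so other Server versions are flagged for manual verification.

```powershell
# Added example: audit every domain controller for the May 2026 cumulative update
# and flag unexpected Netlogon service terminations in the last 30 days.
# Assumes RSAT ActiveDirectory module plus WMI and event-log access to each DC.
Import-Module ActiveDirectory

# KB numbers are the ones named in the article; other Server versions are not listed there.
$RequiredKb = @{
    'Windows Server 2022' = 'KB5058411'
    'Windows Server 2025' = 'KB5058385'
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # Match the DC's OS caption (e.g. "Windows Server 2022 Datacenter") to a known KB
    $osKey = $RequiredKb.Keys | Where-Object { $dc.OperatingSystem -like "$_*" } | Select-Object -First 1
    $kb = if ($osKey) { $RequiredKb[$osKey] } else { $null }

    $patched = $null
    if ($kb) {
        # Get-HotFix queries Win32_QuickFixEngineering on the remote host; $true if the KB is present
        $patched = [bool](Get-HotFix -Id $kb -ComputerName $dc.HostName -ErrorAction SilentlyContinue)
    }

    # Service Control Manager events 7031/7034 record services that terminated unexpectedly;
    # a crashing Netlogon service is one of the exploitation signs the article tells you to watch for
    $crashes = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7031, 7034
        StartTime    = (Get-Date).AddDays(-30)
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'Netlogon' }

    [pscustomobject]@{
        DC              = $dc.HostName
        Site            = $dc.Site
        OS              = $dc.OperatingSystem
        RequiredKB      = if ($kb) { $kb } else { 'not listed in article; verify May 2026 CU manually' }
        Patched         = $patched
        NetlogonCrashes = @($crashes).Count
    }
}

# Full inventory first, then the DCs that need immediate attention:
# anything not confirmed patched, or with Netlogon crash events, goes to the top of the work list
$report | Sort-Object Patched | Format-Table -AutoSize
$report | Where-Object { $_.Patched -ne $true -or $_.NetlogonCrashes -gt 0 }
```

A DC that reports Patched = $true but shows crash events from before the patch date still falls under step 6: the patch does not clear a compromise that preceded it.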


The Broader Warning for 2026

No specific threat actor group has been publicly attributed at this stage, which is consistent with early-stage exploitation where multiple actors independently reverse-engineer the security patch and build their own capabilities. What is clear is the pattern: Microsoft patches a critical vulnerability, proof-of-concept code appears within days, and active exploitation follows within two to three weeks. That cycle repeated precisely here.

The window between "patch released" and "actively exploited" is collapsing. AI-enabled adversaries are accelerating every stage of that process. Treating Patch Tuesday as a routine monthly task is no longer adequate. For pre-authentication, network-accessible vulnerabilities on infrastructure as central as Active Directory, patches need to land within days.

Every unpatched domain controller in every site is an independent entry point into the same forest. For organizations with distributed AD environments, that is not a theoretical risk. It is a real, measurable attack surface that is being targeted right now.


How 247techify Can Help

At 247techify, we work directly with businesses to identify unpatched systems, harden Active Directory environments, and build faster patch management processes so critical fixes land in hours, not weeks. If your team needs support auditing domain controllers, reviewing your Netlogon exposure, or building a response plan for CVE-2026-41089, get in touch at https://www.247techify.com/ today.
