Belgium's CCB confirmed on June 1, 2026 that attackers are actively exploiting CVE-2026-41089, a critical unauthenticated RCE in Windows Netlogon. Every unpatched domain controller is a live target.
If your organization runs Windows Server and has not applied Microsoft's May 2026 Patch Tuesday updates, stop reading and start patching. CVE-2026-41089 is being exploited right now, and a single successful hit hands attackers complete control of your Active Directory environment.
What Happened
On Friday, June 1, 2026, Belgium's Centre for Cybersecurity (CCB), the country's national cybersecurity authority, issued a public warning that threat actors are actively exploiting CVE-2026-41089, a recently patched critical vulnerability in Windows Netlogon.
The flaw is a stack-based buffer overflow carrying a CVSS score of 9.8. It allows unauthenticated attackers to execute arbitrary code at SYSTEM level on any domain controller running Windows Server 2012 R2 through 2025. No credentials, no local access, and no user interaction are required.
The timeline is uncomfortable. When Microsoft released its May 2026 Patch Tuesday updates on May 12, CVE-2026-41089 was near the top of the bulletin. Microsoft's own exploitability assessment rated it "Less Likely." Belgium's CCB disagreed, posting a standalone alert 20 days later confirming active exploitation in the wild. Organizations that read "less likely" and deprioritized the patch were caught out. The gap between disclosure and active exploitation was just 20 days.
Why This Is Especially Dangerous
Netlogon is a core Windows Server service and remote procedure call interface that authenticates users and services across domain-based networks. That central role is exactly what makes this flaw so severe.
To exploit CVE-2026-41089, an attacker needs only network access to a vulnerable domain controller's Netlogon service. A specially crafted Netlogon request triggers improper handling in the service, leading to code execution under SYSTEM privileges. No authentication is required, making this an ideal candidate for automated exploitation, rapid lateral movement, and full domain compromise.
Successful exploitation grants code execution inside the LSASS context of a domain controller, which is functionally equivalent to a full Active Directory forest compromise. From there, attackers can deploy malware, create or modify accounts, disable security controls, and pivot freely across critical systems.
For historical context: in 2020, CVE-2020-1472 (ZeroLogon) exploited a cryptographic weakness in Netlogon's authentication to allow attackers to reset domain controller machine account passwords and seize full domain control. Ransomware operators and nation-state actors weaponized ZeroLogon within days of disclosure. CVE-2026-41089 is worse. It is not an authentication bypass; it is unauthenticated code execution inside the process that signs Kerberos tickets and holds the krbtgt secret.
Proof-of-concept exploit code has also been shared publicly by security researchers, lowering the bar considerably for less sophisticated attackers.
Who Is Affected
Every supported Windows Server release is in scope: Windows Server 2012, 2016, 2019, 2022, and 2025. If your organization runs Active Directory, you have domain controllers, and they are targets. The CCB alert confirms that unpatched systems remain widespread and under active attack.
What Your IT Team Must Do Right Now
This is not a wait-and-see situation. Work through this priority list immediately.
1. Patch all domain controllers at the same time. The fix is in the May 12, 2026 cumulative updates, covering all supported Windows Server versions. Patch every domain controller in a single coordinated maintenance window, not one at a time over several weeks. As Automox CTO Jason Kikta put it, "half-patched forests are not a defensible state for a pre-auth DC bug." One unpatched DC in a multi-DC forest is enough for an attacker to compromise the whole environment.
2. Restrict Netlogon RPC traffic at the network layer. Domain controllers generally do not need to accept Netlogon RPC traffic from user subnets or wireless networks. Segment them. This does not replace patching, but it reduces exposure while you complete the rollout.
3. Increase monitoring on domain controllers immediately. Look for anomalous authentication behavior, unusual domain controller traffic, new or modified privileged accounts, and unexplained Netlogon service crashes or restarts. Early detection is critical, given that active exploitation is already confirmed.
4. Review signs of prior compromise. If you have been running unpatched domain controllers for any period since May 12, treat them as potentially compromised. Audit recent administrative account activity, Kerberos ticket anomalies, and any signs of privilege escalation tied to Netlogon events.
5. Enforce MFA on all privileged admin sessions. Even after patching, tighten administrative access controls. If an attacker has already established a foothold through another vector, this vulnerability hands them the keys to everything. Layered controls remain essential.
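An added example for steps 1, 3 and 4 (not code from Microsoft, the CCB or 247techify): a PowerShell script that checks every domain controller in the forest for the update and counts crash and account-change events logged since May 12. The KB value is a placeholder because the article gives none, the helper name Get-MatchingEvents is hypothetical, and message matching assumes English event text.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the article. Assumes RSAT plus rights to query WMI
# and event logs on every domain controller in the forest.

# PLACEHOLDER: the article gives no KB numbers. List the KB of the May 12, 2026
# cumulative update for each Windows Server version you run.
$PatchKbs = @('KB0000000')
$Since    = [datetime]'2026-05-12'

function Get-MatchingEvents {
    param([string]$Computer, [string]$Log, [int[]]$Ids, [string]$Pattern = '')
    $filter = @{ LogName = $Log; Id = $Ids; StartTime = $Since }
    # "No events found" is a non-terminating error; treat it as an empty result.
    @(Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Pattern })
}

# Every DC in every domain of the forest, not just the current domain.
$dcs = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

$report = foreach ($dc in $dcs) {
    $name = $dc.HostName
    $row  = [ordered]@{ DomainController = $name; OS = $dc.OperatingSystem; Patched = $null
                        NetlogonCrashes = $null; LsassFaults = $null; UnexpectedReboots = $null
                        AccountChanges = $null; Error = $null }
    try {
        # -ErrorAction Stop: an unreachable DC raises an error instead of
        # being reported as "unpatched".
        $installed   = (Get-HotFix -ComputerName $name -ErrorAction Stop).HotFixID
        $row.Patched = [bool]($PatchKbs | Where-Object { $_ -in $installed })
        # System 7031/7034: a service terminated unexpectedly.
        $row.NetlogonCrashes   = (Get-MatchingEvents $name System 7031,7034 'Netlogon').Count
        # Application 1000: process fault. Netlogon is hosted in lsass.exe.
        $row.LsassFaults       = (Get-MatchingEvents $name Application 1000 'lsass\.exe').Count
        # System 6008: the previous shutdown was unexpected.
        $row.UnexpectedReboots = (Get-MatchingEvents $name System 6008).Count
        # Security 4720: account created; 4728/4732/4756: member added to a
        # security group. Counts cover all groups, so review the events.
        $row.AccountChanges    = (Get-MatchingEvents $name Security 4720,4728,4732,4756).Count
    } catch {
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}

# Unreachable and unpatched DCs sort to the top.
$report | Sort-Object Patched, DomainController | Format-Table -AutoSize
```

A row with Patched empty and Error set means the controller could not be queried; treat it as unverified, not as patched.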
The Bigger Lesson
Microsoft's initial "exploitation less likely" label caused many teams to deprioritize this patch. That label reflects what researchers know at disclosure time. Attackers often know more, and AI-enabled adversaries are shrinking the gap between public disclosure and first observed exploitation to days or weeks. A CVSS 9.8, zero-interaction, unauthenticated RCE on the most critical server in any Windows environment should trigger emergency patching regardless of the vendor's initial estimate.
The CCB's decision to issue a standalone urgent alert reflects exactly that pattern. Do not wait for a second warning.
How 247techify Can Help
At 247techify, we help businesses stay ahead of situations like this one: identifying unpatched systems, applying emergency fixes, and putting the right monitoring and network segmentation in place before attackers find the gap. If you are unsure whether your domain controllers are patched, or you want a second set of eyes on your Windows Server environment and Active Directory security posture, get in touch with our team at https://www.247techify.com/ and we will get you sorted.