Hackers Are Actively Exploiting a CVSS 9.8 Windows Netlogon Bug. If You Run Domain Controllers, Patch Right Now.

A flaw Microsoft rated "less likely to be exploited" is now being used in real attacks. Your domain controllers are the target, and the blast radius is your entire Active Directory forest.

What Happened

On Friday, May 29, 2026, the Centre for Cybersecurity Belgium (CCB), the Belgian federal cybersecurity authority, warned that CVE-2026-41089, a critical stack-based buffer overflow in the Windows Netlogon service, is now being actively exploited in the wild against unpatched systems.

Tracked with a CVSS score of 9.8, the flaw was publicly disclosed on May 12, when Microsoft patched it alongside 136 other bugs as part of its Patch Tuesday release. Microsoft credited the discovery to its own Windows Attack Research and Protection (WARP) team and, at disclosure, assessed exploitation as "less likely." That assessment has aged badly. Help Net Security, BleepingComputer, and SecurityWeek confirmed CCB's warning in coverage published on June 1, 2026.

That gap between official assessment and real-world threat reports is exactly what is catching enterprise security teams off guard. The CCB advisory came 17 days after the patch dropped, well within the window that many enterprise patch cycles operate. Organizations that treat Patch Tuesday updates as a 30-day rollout schedule rather than an immediate priority are currently exposed.

Why This One Is Different

Not all critical CVEs are created equal. This one sits at the worst possible location in a Windows environment: the domain controller.

CVE-2026-41089 is a stack-based buffer overflow in Windows Netlogon, the service and protocol that handles authentication and security within a Windows domain. The flaw can be triggered by sending a specially crafted network request to a server acting as a domain controller, potentially allowing remote code execution.

The barrier to entry is nearly nothing. Exploitation requires no prior privileges and no user interaction, and it can be launched remotely. An attacker with network reach to a domain controller port can launch this. No password. No foothold. No phishing required.

Successful exploitation gives an attacker SYSTEM-level code execution on the domain controller itself, which means full control of the Active Directory domain, the ability to create privileged accounts, and lateral movement across every system that authenticates against that controller.

As one security expert noted, "inside an already-compromised perimeter, CVE-2026-41089 becomes a fast path to forest-wide takeover."

This is not a server-level incident. It is a business-level incident. Every workstation, every application, and every user account in your Windows domain is potentially reachable once a domain controller falls.

The Zerologon Pattern Is Repeating

The Netlogon flaw class is not a stranger to defenders. Zerologon (CVE-2020-1472) in 2020 and the PetitPotam coercion chain in 2021 both turned Netlogon mechanics into routes to full domain takeover, and both still sit on threat-hunting checklists for any post-incident Active Directory review.

In 2020, CVE-2020-1472 exploited a cryptographic weakness in Netlogon's authentication to allow attackers to reset domain controller machine account passwords and seize full domain control. Ransomware operators and nation-state actors weaponized Zerologon within days of public disclosure.

The script is running again. AI-enabled adversaries are shrinking the gap between a CVE's public disclosure and the first observed exploitation. That 17-day window from patch to active exploitation is not an anomaly in 2026, it is the new norm.

Jack Bicer, director of vulnerability research at Action1, flagged the threat clearly at patch time: "This CVE requires immediate attention. Successful attacks may lead to widespread endpoint compromise, ransomware deployment, credential harvesting, and operational disruption across corporate networks."

Who Is Affected

Patches are available for all versions of Windows Server from 2012 onwards. If your organization runs Active Directory on any supported Windows Server version and has not yet applied the May 12, 2026, cumulative update, you are currently exposed to an actively exploited CVSS 9.8 vulnerability.

Acros Security has also released micropatches for legacy versions including Windows Server 2008 R2, 2012, and 2012 R2, covering organizations that may still be running end-of-life infrastructure.

CCB has not publicly shared technical details of the in-the-wild activity, including no victim count, no attacker attribution, and no indicators of compromise. Microsoft's MSRC advisory had not been updated to reflect active-exploitation status as of this writing. That absence of public indicators makes behavioral monitoring more important, not less.

What Your IT Team Should Do Right Now

Here is a practical, prioritized action list for any business running Windows domain environments:

1. Patch every domain controller immediately. Microsoft issued security patches for CVE-2026-41089 across multiple Windows Server versions in May's Patch Tuesday release. Automox CTO Jason Kikta advised admins to patch the flaw on all domain controllers in the same maintenance window, noting that "half-patched forests are not a defensible state for a pre-auth domain controller bug." Staggered rollouts leave the domain open.

2. Restrict Netlogon traffic at the network layer. CCB urged administrators to patch immediately, restrict Netlogon traffic at the network layer, and review domain controller exposure. Domain controllers should never be reachable directly from the internet or from untrusted network segments.

3. Monitor for exploitation indicators. Events that may point to active exploitation include:

• The Netlogon service unexpectedly crashing or restarting
• Anomalous Netlogon traffic from non-domain-controller source addresses
• Authentication failures or domain trust errors immediately following suspicious network activity on a domain controller

4. Cover legacy systems. If you are running Windows Server 2008 R2 or 2012 without extended support, apply Acros Security's micropatches immediately while you plan your upgrade path.

5. Audit domain controller internet exposure. Run a scan of your perimeter. Any domain controller with Netlogon ports reachable from outside your trusted network is a critical exposure that needs to be closed today, independent of patching status.

6. Prepare for the next Patch Tuesday. Microsoft's June 2026 Patch Tuesday is scheduled for June 9, 2026. If you cannot complete full May patch deployment before then, prioritize CVE-2026-41089 above all other outstanding patches and treat June 9 as a hard deadline for the rest.

The Bottom Line

A CVSS 9.8 unauthenticated remote code execution flaw in Windows Netlogon is being exploited right now. The patch has been available since May 12. There is no technical reason to wait. Every day an unpatched domain controller stays online is a day attackers can take ownership of your entire Windows environment and, from there, deploy ransomware, harvest credentials, or move laterally without restriction.

This is one of the clearest patch-now situations of 2026. Treat it that way.

How 247techify can help

At 247techify, we help businesses stay ahead of exactly this kind of threat, from rapid patch deployment and domain controller hardening to ongoing vulnerability monitoring across your Windows environment. If you are unsure whether your domain controllers are patched and properly isolated, our team can assess your exposure and get you covered fast. Reach out to us at 247techify.com and let's make sure your business is not the next headline.