Windows Netlogon RCE exploited, domain controllers at risk (CVE-2026-41089)
CVE-2026-41089, a critical remote code execution flaw in Windows Netlogon, is now actively exploited in the wild, the Centre for Cybersecurity Belgium (CCB) warned on Friday.

About CVE-2026-41089
CVE-2026-41089 is a stack-based buffer overflow vulnerability in Windows Netlogon, the service and protocol that handles authentication and security within a Windows domain environment.
The flaw can be exploited by attackers by sending a specially crafted network request to a Windows server that is acting as a domain controller, and may allow them to execute code over a network.
Microsoft disclosed the vulnerability on May 12, 2026, and credited its Windows Attack Research & Protection (WARP) team with reporting it.
At the time, Microsoft deemed the flaw to be “less likely” to be exploited, but AI-enabled adversaries are shrinking the gap between a CVE’s public disclosure and the first observed exploitation by threat actors.
Security researchers and AI companies are, likewise, reverse-engineering patches and publicly sharing their root cause analyses and proof-of-concept exploits.
Unfortunately, CCB has yet to publicly share details about the attacks in progress.
We’ve reached out to CCB with questions about the in-the-wild exploitation and will update this article when we hear back from them.
What to do?
Microsoft issued security patches for CVE-2026-41089 across multiple Windows Server versions in last week’s Patch Tuesday release.
At the time, Jason Kikta, CTO at Automox, advised admins to patch the flaw on all domain controllers in the same maintenance window, while noting that “half-patched forests are not a defensible state for a pre-auth [Domain Controller] bug.”
He also advised security teams to restrict Netlogon traffic at the network layer and review their DC exposure.
“Inside an already-compromised perimeter, CVE-2026-41089 becomes a fast path to forest-wide takeover,” he noted, and outlined events that might point to active exploitation:
- The Netlogon service unexpectedly crashing or restarting
- Anomalous Netlogon traffic patterns from non-DC source addresses
- Authentication failures or domain trust errors immediately after suspicious network activity hits a domain controller
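Two of the points above, patching every domain controller in the same window and watching for the Netlogon service terminating unexpectedly, can be checked from one script. The following PowerShell is an added example written for this article; it is not code from Microsoft, Automox or the CCB. It assumes the ActiveDirectory RSAT module is installed on the workstation running it, that WinRM and DCOM are reachable on each DC, and that the placeholder KB identifier is replaced with the update Microsoft ships for CVE-2026-41089 on each Windows Server version (the article does not list the KB numbers). Crash detection relies on Service Control Manager events 7031 and 7034 in the System log, which Windows records whenever a service terminates unexpectedly.

```powershell
# Added example (not from the article or the vendors it quotes): audit a forest for
# half-patched domain controllers and for unexpected Netlogon service terminations.
# ASSUMPTION: $KbId is a placeholder; substitute the KB number Microsoft lists for
# CVE-2026-41089 on the Windows Server version of each DC.
$KbId = 'KB<placeholder-for-CVE-2026-41089-update>'
$LookbackDays = 14

Import-Module ActiveDirectory

# Enumerate every DC in every domain of the forest, so a half-patched forest is visible.
$dcs = (Get-ADForest).Domains | ForEach-Object {
    Get-ADDomainController -Filter * -Server $_
}

$report = foreach ($dc in $dcs) {
    $fqdn = $dc.HostName
    try {
        # 1. Patch state: is the update installed on this DC?
        $hotfix = Get-HotFix -Id $KbId -ComputerName $fqdn -ErrorAction SilentlyContinue

        # 2. Crash indicator: SCM events 7031/7034 record a service that terminated
        #    unexpectedly; keep only those naming Netlogon. @( ) yields an empty
        #    array (Count 0) when no events are returned.
        $crashes = @(Invoke-Command -ComputerName $fqdn -ArgumentList $LookbackDays -ScriptBlock {
            param($days)
            Get-WinEvent -FilterHashtable @{
                LogName      = 'System'
                ProviderName = 'Service Control Manager'
                Id           = 7031, 7034
                StartTime    = (Get-Date).AddDays(-$days)
            } -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match 'Netlogon' }
        })

        [pscustomobject]@{
            DomainController = $fqdn
            Domain           = $dc.Domain
            Patched          = [bool]$hotfix
            NetlogonCrashes  = $crashes.Count
            LastCrash        = ($crashes | Sort-Object TimeCreated -Descending |
                                Select-Object -First 1).TimeCreated
        }
    } catch {
        # An unreachable DC is itself a finding: it cannot be confirmed patched.
        [pscustomobject]@{
            DomainController = $fqdn; Domain = $dc.Domain
            Patched = $null; NetlogonCrashes = $null
            LastCrash = "unreachable: $($_.Exception.Message)"
        }
    }
}

$report | Sort-Object Patched, NetlogonCrashes -Descending | Format-Table -AutoSize

# Flag the two conditions the article singles out.
$unpatched = @($report | Where-Object { $_.Patched -eq $false })
if ($unpatched.Count -gt 0) {
    Write-Warning ("Half-patched forest: {0} of {1} DCs lack {2}: {3}" -f
        $unpatched.Count, @($report).Count, $KbId, ($unpatched.DomainController -join ', '))
}
$report | Where-Object { $_.NetlogonCrashes -gt 0 } | ForEach-Object {
    Write-Warning ("{0}: {1} unexpected Netlogon terminations in the last {2} days (last at {3})" -f
        $_.DomainController, $_.NetlogonCrashes, $LookbackDays, $_.LastCrash)
}
```

Run it from an administrative workstation with domain admin rights; DCs that come back as unreachable should be treated as unpatched until verified by other means. The script only reads hotfix inventory and the System event log, so it is safe to schedule on a recurring basis while the patch rollout is in progress.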
Acros Security has released micropatches for CVE-2026-41089 for legacy Windows Server versions: Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.
