Back

Active Exploitation of Critical Windows Netlogon RCE Vulnerability CVE-2026-41089

Severity: High (Score: 78.0)

Sources: Cybersecuritynews, Gbhackers, Bleepingcomputer

Published: 2026-06-01 · Updated: 2026-06-01

Keywords: windows, netlogon, critical, vulnerability, wild, microsoft, patch

Severity indicators: critical, vulnerability

Summary

The Centre for Cybersecurity Belgium (CCB) has reported that threat actors are actively exploiting a critical Windows Netlogon vulnerability, tracked as CVE-2026-41089. This flaw, patched by Microsoft during the May 2026 Patch Tuesday, allows unauthenticated attackers to execute arbitrary code on Windows domain controllers. The vulnerability is a stack-based buffer overflow affecting all supported Windows Server versions, including Windows Server 2025. Attackers can exploit this flaw by sending specially crafted network requests without requiring prior access or authentication. The CCB has urged administrators to patch their systems immediately, as the vulnerability has a CVSS score of 9.8, indicating its critical nature. Microsoft has not yet confirmed the active exploitation status, and further details on ongoing attacks remain undisclosed. This incident follows a series of zero-day vulnerabilities disclosed by the researcher known as 'Nightmare Eclipse.' Key Points: • CVE-2026-41089 allows unauthenticated remote code execution on Windows domain controllers. • The vulnerability was patched in May 2026 but is now actively exploited in the wild. • Administrators are urged to apply patches immediately due to the critical CVSS score of 9.8.

Detailed Analysis

**Impact** All currently supported Windows Server versions, including Windows Server 2025, are affected, specifically those configured as domain controllers. The vulnerability allows unauthenticated remote attackers to execute arbitrary code with SYSTEM privileges, potentially compromising entire domain-based networks. This impacts organizations globally that rely on Windows Server infrastructure for authentication and network services, risking unauthorized access, data breaches, and operational disruption. **Technical Details** CVE-2026-41089 is a stack-based buffer overflow in the Windows Netlogon RPC interface, exploited by sending specially crafted network requests to domain controllers. Attackers gain remote code execution without authentication or prior access, enabling SYSTEM-level control. The vulnerability is actively exploited in the wild, with no specific malware or toolsets disclosed in the articles. The attack occurs at the initial access and execution stages of the kill chain. No IOCs were provided. **Recommended Response** Apply the May 2026 Patch Tuesday update from Microsoft immediately to all affected Windows Server domain controllers. Prioritize patching systems exposed to untrusted networks. Monitor network traffic for unusual Netlogon RPC requests and deploy detection rules for anomalous authentication activity. In the absence of detailed IOCs, focus on rapid patch deployment and enhanced monitoring of domain controller activity.

Source articles (4)

  • Windows Netlogon 0 — Cybersecuritynews · 2026-06-01
    The critical Windows Netlogon remote code execution (RCE) vulnerability tracked as CVE-2026-41089 is now under active exploitation in the wild, significantly raising the risk profile for unpatched Win…
  • Windows Netlogon 0 — Gbhackers · 2026-06-01
    Microsoft’s May 2026 Patch Tuesday release has taken a critical turn after security researchers confirmed that a high-risk Windows Netlogon vulnerability is now being actively exploited in the wild. T…
  • Critical Windows Netlogon RCE flaw now exploited in attacks — Bleepingcomputer · 2026-06-01
    The Centre for Cybersecurity Belgium (CCB), the country's national authority for cybersecurity, warned on Friday that threat actors are now exploiting a recently patched critical Windows Netlogon vuln…
  • Critical Windows Netlogon RCE flaw now exploited in attacks — Bleepingcomputer · 2026-06-01
    The Centre for Cybersecurity Belgium (CCB), the country's national authority for cybersecurity, warned on Friday that threat actors are now exploiting a recently patched critical Windows Netlogon vuln…

Timeline

  • 2026-04-14 — CVE-2026-33825 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-12 — CVE-2026-41089 published: Microsoft disclosed a critical Windows Netlogon vulnerability allowing remote code execution.
  • 2026-05-19 — CVE-2026-45585 published: Microsoft published details on another critical vulnerability affecting Windows BitLocker.
  • 2026-05-20 — CVE-2026-41091 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-05-20 — CVE-2026-45498 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-06-01 — Active exploitation confirmed: CCB reported that CVE-2026-41089 is actively exploited, urging immediate patching of vulnerable servers.

CVEs

  • CVE-2026-33825
  • CVE-2026-41089
  • CVE-2026-41091
  • CVE-2026-45498
  • CVE-2026-45585

Related entities

  • Zero-day Exploit (Attack Type)
  • Belgium (Country)
  • CWE-120 - Classic Buffer Overflow (Cwe)
  • T1190 - Exploit Public-Facing Application (Mitre Attack)
  • BitLocker (Platform)
  • Windows (Platform)
  • Windows Server (Platform)
  • Netlogon (Platform)
  • BlueHammer (Vulnerability)
  • GreenPlasma (Vulnerability)
  • MiniPlasma (Vulnerability)
  • RedSun (Vulnerability)
  • UnDefend (Vulnerability)
  • Windows Netlogon Vulnerability (Vulnerability)
  • YellowKey (Vulnerability)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed