Critical Windows Netlogon Vulnerability (CVE-2026-41089) Under Active Exploitation
Severity: High (Score: 78.5)
Sources: Fortiguard, Filestore.Fortinet, www.fortiguard.com
Published: · Updated:
Keywords: vulnerability, windows, netlogon, remote, code, execution, critical
Severity indicators: critical, vulnerability, remote code execution, ot
Summary
A critical vulnerability, CVE-2026-41089, affecting the Windows Netlogon service has been actively exploited. Patched by Microsoft during the May 2026 Patch Tuesday, the vulnerability allows unauthenticated attackers to execute remote code on vulnerable domain controllers. This stack-based buffer overflow in the Netlogon RPC interface poses a significant risk, potentially granting attackers full control of an Active Directory environment. The Centre for Cybersecurity Belgium has reported ongoing exploitation attempts against unpatched systems. Organizations are urged to apply the May 2026 security updates immediately and monitor for unusual activity. The vulnerability primarily affects enterprise networks with internet-facing domain controllers. Threat hunting and log reviews are recommended to detect signs of exploitation. Current protective measures include FortiGuard's IPS and antivirus services. Key Points: • CVE-2026-41089 is a critical vulnerability in the Windows Netlogon service. • Active exploitation is reported, targeting unpatched domain controllers. • Immediate patching and monitoring are essential to mitigate risks.
Detailed Analysis
**Impact** The vulnerability affects Windows domain controllers running the Netlogon service, critical for authentication and secure communication in Active Directory environments. Successful exploitation grants unauthenticated attackers remote code execution and full control over enterprise Active Directory domains, risking unauthorized account creation, privilege escalation, and data compromise. The issue impacts organizations globally, particularly those with internet-facing or externally accessible domain controllers, across all sectors relying on Windows-based enterprise networks. **Technical Details** CVE-2026-41089 is a stack-based buffer overflow within the Netlogon Remote Procedure Call (RPC) interface, exploited remotely without authentication. Attackers leverage this flaw to execute arbitrary code on domain controllers, enabling lateral movement and persistence within Active Directory. Exploitation involves manipulation of Netlogon and RPC traffic, with post-exploitation activity including privilege escalation, unauthorized account creation, and Group Policy modifications. No specific malware or IOCs are detailed in the available sources. **Recommended Response** Apply Microsoft’s May 2026 security updates immediately to all domain controllers, prioritizing those exposed externally. Restrict RPC access to domain controllers where possible and review logs for unusual Netlogon, RPC, or authentication events. Monitor for indicators of compromise such as unexpected account creation, privilege escalation, and Group Policy changes. Validate domain controller backups and engage in threat hunting to detect post-exploitation activity. Deploy FortiGuard IPS, Endpoint Vulnerability Service, Antivirus & Behavior Detection, and Web Filtering protections to mitigate exploitation and related malicious activity.
Source articles (4)
- Windows Netlogon Remote Code Execution Vulnerability - Threat Signal Report — Fortiguard · 2026-06-08
A critical vulnerability, CVE-2026-41089, affecting the Windows Netlogon service is now being actively exploited in the wild. The vulnerability was patched by Microsoft during the May 2026 Patch Tuesd… - Windows Netlogon Remote Code Execution Vulnerability — Filestore.Fortinet · 2026-06-09
A critical vulnerability, CVE-2026-41089, affecting the Windows Netlogon service is now being actively exploited in the wild. The vulnerability was patched by Microsoft during the May 2026 Patch Tuesd… - Intrusion Prevention | FortiGuard Labs — www.fortiguard.com · 2026-06-08
- Endpoint Vulnerability | FortiGuard Labs — www.fortiguard.com · 2026-06-08
Timeline
- 2026-05-12 — CVE-2026-41089 published: Microsoft disclosed a critical vulnerability in the Windows Netlogon service affecting domain controllers.
- 2026-06-01 — First public PoC released: The first proof of concept for exploiting CVE-2026-41089 became publicly available.
- 2026-06-08 — Urgent patching recommended: Organizations are advised to apply Microsoft's May 2026 updates to mitigate the vulnerability.
- Recent — Active exploitation observed: The Centre for Cybersecurity Belgium reported active exploitation attempts against unpatched systems.
CVEs
Related entities
- Zero-day Exploit (Attack Type)
- Belgium (Country)
- CWE-120 - Classic Buffer Overflow (Cwe)
- Windows (Platform)
- Windows Netlogon Remote Code Execution Vulnerability (Vulnerability)