Actively Exploited Windows Netlogon RCE Flaw (CVE-2026-41089) Puts Domain Controllers at Risk

CRITICAL: Unauthenticated RCE Flaw in Windows Netlogon (CVE-2026-41089) Actively Exploited

Severity: CRITICAL
Published June 1, 2026; updated June 2, 2026
Categories: Vulnerability, Cyberattack, Patch Management

Related Entities (initial)

Organizations: Microsoft; Centre for Cybersecurity Belgium (CCB)

Products & Tech: Windows, Windows Server, Netlogon, Active Directory

CVE Identifiers: CVE-2026-41089 (CRITICAL, CVSS 9.8)

Full Report (when first published)

Executive Summary

A critical, unauthenticated Remote Code Execution (RCE) vulnerability in the Windows Netlogon service, tracked as CVE-2026-41089, is under active attack. The vulnerability carries a CVSS score of 9.8 (Critical) and enables an unauthenticated attacker on the same network to gain SYSTEM-level privileges on a domain controller. This effectively allows for a complete takeover of the Active Directory forest. Microsoft released a patch in May 2026, but exploitation has now been confirmed in the wild. Due to the trivial nature of exploitation and the catastrophic impact, immediate patching of all domain controllers is essential for all organizations.


Vulnerability Details

CVE-2026-41089 is a stack-based buffer overflow within the Windows Netlogon Remote Protocol. The vulnerability can be triggered when the Netlogon service processes a specially crafted network request from an unauthenticated source.

  • Attack Vector: Network. An attacker needs to be able to send traffic to a domain controller's Netlogon service port.
  • Authentication: None required. This is a zero-click, unauthenticated exploit.
  • Impact: Successful exploitation results in remote code execution with SYSTEM privileges on the domain controller, the highest level of privilege in a Windows environment. A compromised domain controller grants an attacker complete control over the entire Active Directory domain, including the ability to create new accounts, modify permissions, and deploy malware across the enterprise.

This vulnerability is exceptionally dangerous. It allows any machine on the network to become a domain administrator with a single packet. It is reminiscent of past 'wormable' flaws and poses an existential threat to unpatched networks.


Affected Systems

All Windows Server versions running as a domain controller are affected, including:

  • Windows Server 2012 and 2012 R2 (requires ESU or third-party patching)
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022
  • Windows Server 2025
  • All Server Core installations

Exploitation Status

Microsoft patched the vulnerability on May 14, 2026, as part of its monthly Patch Tuesday release. At the time, exploitation was considered 'less likely.' However, on May 31, 2026, the Centre for Cybersecurity Belgium (CCB) issued a high-priority alert confirming that CVE-2026-41089 is being actively exploited in the wild. While details of the attacks are sparse, the confirmation from a national CERT indicates credible, ongoing threats.


Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

  • Event ID: 7031 or 7034 in the System log. Look for unexpected crashes or restarts of the Netlogon service (Netlogon runs inside the lsass.exe process).
  • Log Source: Windows Security Event Log. Monitor for anomalous Netlogon authentication events or a sudden spike in failed logons from a single source.
  • Network Traffic Pattern: Anomalous RPC traffic to DCs. Monitor for malformed or unusual MSRPC (Microsoft Remote Procedure Call) traffic directed at domain controllers on port 445/tcp or other RPC ports.
  • Process Name: lsass.exe. Unusually high CPU or memory usage by the lsass.exe process on a domain controller could indicate an exploitation attempt.

Detection Methods

  • Endpoint Detection and Response (EDR): EDR solutions on domain controllers are critical. Monitor for anomalous child processes spawning from lsass.exe, which should never happen under normal circumstances. This is a core function of D3FEND's Process Analysis (D3-PA).
  • Network Intrusion Detection System (NIDS): Deploy NIDS signatures that specifically look for the malformed Netlogon request associated with CVE-2026-41089. This is a direct application of D3FEND's Network Traffic Analysis (D3-NTA).
  • Log Monitoring: In your SIEM, create high-priority alerts for any unexpected Netlogon service crashes or restarts on domain controllers. Correlate these events with network traffic logs to identify the source of the potential attack.
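A hunting script covering the observables listed above (Netlogon crashes, failed-logon spikes) and the EDR-style check for children of lsass.exe, added here as an example and not taken from the original article. It assumes it runs elevated on a domain controller, that Sysmon is installed and logging process creation (Event ID 1), and that the seven-day window and the failed-logon threshold of 50 are placeholder values to tune for your environment.

```powershell
# Added example, not from the original article. Assumes: run elevated on a DC,
# Sysmon installed (Event ID 1 = process creation), thresholds are placeholders.
$Start = (Get-Date).AddDays(-7)   # hunting window (assumption: last 7 days)

# 1. Service Control Manager events 7031/7034 in the System log that mention
#    Netlogon: an unexpected crash or restart of the service hosting the bug.
$ServiceCrashes = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; Id = 7031, 7034; StartTime = $Start
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Netlogon' } |
    Select-Object TimeCreated, Id, Message

# Helper: turn a Windows event's EventData into a Name -> value hashtable,
# parsing the XML so the result does not depend on property ordering.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    return $fields
}

# 2. Any process whose parent is lsass.exe (the process that hosts Netlogon);
#    legitimate lsass.exe never spawns children, so each hit needs review.
$LsassChildren = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Start
} -ErrorAction SilentlyContinue | ForEach-Object {
    $f = Get-EventFields $_
    if ($f['ParentImage'] -match '\\lsass\.exe$') {
        [pscustomobject]@{ Time = $_.TimeCreated; Image = $f['Image'];
                           CommandLine = $f['CommandLine'] }
    }
}

# 3. Failed logons (Security 4625) grouped by source address; a sudden spike
#    from one source is the second observable listed above.
$FailedBySource = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = $Start
} -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-EventFields $_)['IpAddress'] } |
    Group-Object | Where-Object Count -gt 50 | Sort-Object Count -Descending

"Netlogon crash/restart events: $(@($ServiceCrashes).Count)"
$ServiceCrashes | Format-Table -AutoSize
"Processes spawned by lsass.exe: $(@($LsassChildren).Count)"
$LsassChildren | Format-Table -AutoSize
"Sources with more than 50 failed logons (placeholder threshold):"
$FailedBySource | Format-Table Name, Count -AutoSize
```

Each hit is a lead for correlation with network logs, not a confirmed compromise; a Netlogon crash with no matching RPC traffic may be an unrelated fault, while a child process of lsass.exe warrants immediate incident response.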

Remediation Steps

There is no effective mitigation other than patching.

  1. Apply Patches Immediately: Deploy the May 2026 security updates from Microsoft to all domain controllers as an emergency change. This is the only way to fully remediate the vulnerability. This is a direct application of D3FEND's Software Update (D3-SU).
  2. Restrict Access: As a temporary, partial mitigation, ensure that only trusted machines can communicate with domain controllers over the network. Use network segmentation and firewall rules to strictly limit access to the ports used by Netlogon (e.g., 445/tcp). This aligns with D3FEND's Network Isolation (D3-NI).
  3. Legacy Systems: For systems like Windows Server 2012 R2 without an Extended Security Update (ESU) license, organizations must either purchase ESU or use third-party micropatching services to protect their domain controllers.

Timeline of Events

  1. May 14, 2026: Microsoft releases a patch for CVE-2026-41089 as part of its May Patch Tuesday.
  2. May 31, 2026: The Centre for Cybersecurity Belgium (CCB) warns that CVE-2026-41089 is being actively exploited.
  3. June 1, 2026: This article was published.

Article Updates

June 2, 2026

New MITRE ATT&CK techniques and expanded impact assessment detail catastrophic risks of CVE-2026-41089 exploitation, including ransomware and persistence.

MITRE ATT&CK Mitigations

  • Applying the Microsoft security update is the only effective way to remediate this vulnerability.
  • Isolate domain controllers from non-essential parts of the network to reduce the attack surface.
  • Audit (M1047, enterprise): Implement enhanced logging and monitoring on domain controllers to detect signs of compromise.


Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis; Security Orchestration (SOAR/XSOAR); Incident Response & Digital Forensics; Security Operations Center (SOC); SIEM & Security Analytics; Cyber Fusion & Threat Sharing; Security Automation & Integration; Managed Detection & Response (MDR)

Tags: CVE-2026-41089, Windows Server, Netlogon, RCE, Domain Controller, Active Directory, Patch Tuesday
