Quick take: A critical vulnerability in Windows Netlogon patched during Microsoft's May 2026 Patch Tuesday is now being actively exploited in the wild.
A critical vulnerability in Windows Netlogon patched during Microsoft's May 2026 Patch Tuesday is now being actively exploited in the wild. Belgium's Centre for Cybersecurity (CCB) confirmed exploitation on May 30, 2026, urging administrators to "patch as quickly as possible." The flaw, tracked as CVE-2026-41089 with a CVSS score of 9.8, allows unauthenticated attackers to execute arbitrary code on Windows domain controllers at SYSTEM privilege — zero credentials, zero user interaction, zero prior foothold required.
Security researchers have drawn immediate comparisons to Zerologon (CVE-2020-1472) — the 2020 Netlogon vulnerability that went from advisory to weaponised exploit in under two weeks and fuelled widespread ransomware campaigns. CVE-2026-41089 shares the same attack surface: every network-reachable domain controller.
What Is the Netlogon Service?
The Windows Netlogon service (Netlogon Remote Protocol, MS-NRPC) is the authentication backbone of every Windows Active Directory domain. It handles domain logon requests, machine account authentication, establishment of the secure channel between member machines and domain controllers, legacy NT4-style domain database replication, and pass-through authentication across trusts in multi-domain forests. On a domain controller the service runs inside lsass.exe, the same process that holds the domain's credential material, so a memory-safety bug in Netlogon is a bug in the most sensitive process on the host.
Domain controllers running Netlogon are the highest-value target in most Windows enterprise environments. Compromising a domain controller means compromising the entire Windows infrastructure: all user accounts, all access permissions, all group policies, all security boundaries.
CVE-2026-41089 — Technical Detail
CVE-2026-41089 is a stack-based buffer overflow in the Netlogon service. Microsoft's Windows Attack Research and Protection (WARP) team identified it, with disclosure on May 12, 2026. An attacker sends a specially crafted network packet to the Netlogon service. The service improperly validates the input, allowing data to overflow the stack buffer, corrupt adjacent memory, and redirect code execution — gaining SYSTEM-level privilege on the domain controller.
Attack chain:
- Attacker gains network access to a domain controller's Netlogon service. MS-NRPC is reachable over RPC/TCP (port 135 endpoint mapper plus a dynamic high port) and over SMB (port 445, named pipe \PIPE\NETLOGON), so both transports count as exposure
- Attacker sends a malformed Netlogon authentication request
- Buffer overflow corrupts the Netlogon service execution stack
- Attacker achieves SYSTEM-level remote code execution on the DC
- Full Active Directory forest compromise is achievable from this position
Why This Is Exceptionally Dangerous
Zero authentication required: Attacker needs only network connectivity to a domain controller's Netlogon port. No credentials, no domain membership, no prior foothold.
Zero user interaction: The exploit fires as a pure network attack. No phishing. Exploitable 24/7 against any unpatched domain controller that is network-reachable.
SYSTEM-level execution on a domain controller enables:
- Creating or modifying any Active Directory account including domain admin accounts
- Resetting passwords for any user in the domain
- Modifying Group Policy to deploy malware across all managed systems
- Disabling Windows Defender and other security controls
- Extracting the NTDS.dit database containing password hashes for every domain user
- Establishing persistent access and lateral movement to every domain-joined system
Affected Systems
Detection Indicators
Network indicators: Netlogon traffic (port 135 plus dynamic RPC, or SMB port 445 to \PIPE\NETLOGON) from addresses that are not domain-joined machines, or from segments that have no business reaching a DC; high-volume or malformed Netlogon requests from a single source; Netlogon connections from unexpected network segments. Note that every member machine legitimately talks MS-NRPC to its DC, so "non-DC source" alone is not an indicator; the baseline is the set of known domain members.
System indicators: lsass.exe (which hosts the Netlogon service on a DC) crashing, with the DC rebooting or the Netlogon service restarting unexpectedly; new child processes of lsass.exe, which never legitimately spawns shells, scripting hosts or downloaders; new administrator accounts in Active Directory not provisioned by IT; modifications to Group Policy Objects at unusual times.
Event log sources: System log, source NETLOGON, Event IDs 5805 and 5723 (secure channel setup failures); Security log Event IDs 4720 (user account created), 4728/4732/4756 (member added to a security-enabled global/local/universal group) and 4688 (process creation, filtered to a parent of lsass.exe, if process auditing is enabled); 4672 (special privileges assigned) fires on every privileged logon, so it is only useful against a baseline of expected admin accounts; Netlogon.log at %SystemRoot%\debug\netlogon.log for authentication anomalies.
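The indicators above as one triage script, run elevated on a suspect domain controller. This is an added example, not code from the original post or from Microsoft; it assumes the Security log audits account management and process creation (Event ID 4688 with the parent process name), and the default `$Since` is the disclosure date given above.

```powershell
# Added example (not from the original post): post-CVE-2026-41089 triage on a DC.
# Assumes: run elevated on the DC; Security log audits account management and
# process creation (4688 carries ParentProcessName on Server 2016 and later).
param(
    [datetime]$Since       = '2026-05-12',
    [string]  $NetlogonLog = "$env:SystemRoot\debug\netlogon.log"
)

function Get-Events {
    param([hashtable]$Filter)
    # Get-WinEvent throws when nothing matches; treat that as an empty result.
    try { Get-WinEvent -FilterHashtable $Filter -ErrorAction Stop } catch { @() }
}

function Get-EventData {
    # Flatten the <EventData> of one event into a name -> value hashtable.
    param($Event)
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

# 1. Secure-channel setup failures (System log, source NETLOGON, IDs 5805/5723).
Write-Host "== Netlogon secure-channel failures since $Since =="
Get-Events @{ LogName='System'; ProviderName='NETLOGON'; Id=5805,5723; StartTime=$Since } |
    Group-Object Message | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize -Wrap

# 2. Account management: user created (4720); member added to a global (4728),
#    local (4732) or universal (4756) security-enabled group.
Write-Host "== Account management events since $Since =="
Get-Events @{ LogName='Security'; Id=4720,4728,4732,4756; StartTime=$Since } | ForEach-Object {
    $d = Get-EventData $_
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Subject = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        # 4720: TargetUserName is the new account. 472x/4756: it is the group, MemberName the added DN.
        Target  = if ($_.Id -eq 4720) { $d.TargetUserName } else { "$($d.TargetUserName) <- $($d.MemberName)" }
    }
} | Format-Table -AutoSize

# 3. Children of lsass.exe. Netlogon runs inside lsass.exe on a DC, and a
#    legitimate lsass.exe never launches cmd, powershell, rundll32 or similar.
Write-Host "== Processes spawned by lsass.exe since $Since =="
Get-Events @{ LogName='Security'; Id=4688; StartTime=$Since } | ForEach-Object {
    $d = Get-EventData $_
    if ($d.ParentProcessName -like '*\lsass.exe') {
        [pscustomobject]@{ Time=$_.TimeCreated; Parent=$d.ParentProcessName; Child=$d.NewProcessName; Cmd=$d.CommandLine }
    }
} | Format-Table -AutoSize -Wrap

# 4. netlogon.log: tally the non-zero NTSTATUS codes on "Returns 0x..." lines.
#    A burst of unusual statuses from one caller is worth a closer look.
if (Test-Path $NetlogonLog) {
    Write-Host "== Non-zero return codes in $NetlogonLog =="
    $rx = [regex]'Returns 0x(?<status>[0-9A-Fa-f]+)'
    Get-Content $NetlogonLog | ForEach-Object {
        $m = $rx.Match($_)
        if ($m.Success -and $m.Groups['status'].Value -ne '0') { '0x' + $m.Groups['status'].Value.ToUpper() }
    } | Group-Object | Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize
} else {
    Write-Host "No $NetlogonLog yet: verbose Netlogon logging is not enabled (see remediation steps)."
}
```

Step 3 is the highest-signal check: a successful exploit of an lsass-hosted service almost always shows up as an unexpected child of lsass.exe, whereas the Security log noise in steps 1 and 2 has to be read against what IT actually provisioned.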
Immediate Remediation Steps
- Patch immediately — Deploy May 2026 Patch Tuesday updates to all domain controllers. Start with most exposed (internet-adjacent) and work inward. Do not wait for scheduled maintenance.
- Network segmentation — Verify DCs are not reachable from untrusted network segments. Netlogon traffic should only be permitted from known member servers, other DCs, and management systems.
- Enable Netlogon logging — Run `nltest /dbflag:0x2080ffff` on each DC (equivalent to setting HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag to 0x2080ffff), raise MaximumLogFileSize in the same key so the log is not overwritten within hours, and review %SystemRoot%\debug\netlogon.log for anomalous patterns.
- Audit new accounts — Report on administrator accounts created since May 12, 2026 and verify each is legitimate.
- Review firewall rules — Confirm the RPC endpoint mapper (port 135), dynamic RPC ports and SMB (port 445, which also carries MS-NRPC over the \PIPE\NETLOGON named pipe) are not exposed beyond the necessary segments.
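The five steps above as one fleet-wide script, run from an administrative workstation with the RSAT ActiveDirectory module. This is an added example, not code from the original post or from Microsoft. It assumes WinRM (for Invoke-Command) and DCOM (for Get-HotFix) are reachable on every DC, and, because the post gives no KB number, it treats "any update installed on or after 12 May 2026" as a proxy for the May 2026 cumulative update; confirm the exact KB against Microsoft's advisory for the CVE before trusting the Patched column.

```powershell
# Added example (not from the original post): DC exposure check and hardening.
# Assumes: RSAT ActiveDirectory module, WinRM and DCOM reachable on every DC.
# The KB for CVE-2026-41089 is not given in the post; InstalledOn >= Patch Tuesday
# is used as a stand-in and must be confirmed against Microsoft's advisory.
$PatchTuesday = [datetime]'2026-05-12'
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# 1. Patch status per DC.
$patchState = foreach ($dc in $dcs) {
    $latest = Get-HotFix -ComputerName $dc -ErrorAction SilentlyContinue |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{ DC=$dc; Patched=[bool]$latest; LatestUpdate=$latest.HotFixID; InstalledOn=$latest.InstalledOn }
}
Write-Host "== Patch status (proxy: any update installed since $($PatchTuesday.ToShortDateString())) =="
$patchState | Format-Table -AutoSize
$unpatched = $patchState | Where-Object { -not $_.Patched } | Select-Object -ExpandProperty DC
if ($unpatched) { Write-Warning "Unpatched DCs: $($unpatched -join ', ')" }

# 2 & 3. On every DC: enable verbose Netlogon logging, cap the log at 100 MB,
#        and list enabled inbound allow rules that expose RPC or SMB.
Write-Host "== Netlogon logging + inbound RPC/SMB exposure per DC =="
Invoke-Command -ComputerName $dcs -ScriptBlock {
    nltest /dbflag:0x2080ffff | Out-Null                       # same as DBFlag=0x2080ffff
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    Set-ItemProperty -Path $p -Name MaximumLogFileSize -Value 104857600 -Type DWord   # bytes
    $interesting = 'RPC', 'RPC-EPMap', '135', '445', 'Any'
    foreach ($r in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $pf = $r | Get-NetFirewallPortFilter
        $af = $r | Get-NetFirewallAddressFilter
        $hit = @($pf.LocalPort | Where-Object { $_ -in $interesting })
        if ($pf.Protocol -in 'TCP', 'Any' -and $hit.Count -gt 0) {
            [pscustomobject]@{
                DC            = $env:COMPUTERNAME
                Rule          = $r.DisplayName
                LocalPort     = ($hit -join ',')
                RemoteAddress = ($af.RemoteAddress -join ',')
                # 'Any' remote address means the rule is not scoped to known segments.
                OpenToAnyone  = ($af.RemoteAddress -contains 'Any')
            }
        }
    }
} -ErrorAction Continue | Sort-Object OpenToAnyone -Descending | Format-Table -AutoSize

# 4. Privileged accounts created, or with passwords reset, since disclosure.
Write-Host "== Privileged-group members created or password-reset since $PatchTuesday =="
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties whenCreated, PasswordLastSet |
        Where-Object { $_.whenCreated -ge $PatchTuesday -or $_.PasswordLastSet -ge $PatchTuesday } |
        Select-Object @{n='Group';e={$g}}, SamAccountName, whenCreated, PasswordLastSet
} | Format-Table -AutoSize

# Any new user account at all since disclosure (an attacker with SYSTEM on a DC
# can create an unprivileged account first and elevate it later).
Write-Host "== All user accounts created since $PatchTuesday =="
Get-ADUser -Filter * -Properties whenCreated |
    Where-Object whenCreated -ge $PatchTuesday |
    Select-Object SamAccountName, whenCreated | Format-Table -AutoSize
```

The firewall listing is deliberately a report rather than a remediation: which remote addresses a DC's RPC and SMB rules should be scoped to depends on your site design, and a wrong scope locks member machines out of domain logon. Treat any row with OpenToAnyone set to True on a DC that also has an untrusted route to it as the segmentation gap to close first.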
Cybersecurity Services · Saudi Arabia & GCC
Are your domain controllers and Active Directory protected?
LearnWithIrfan provides Windows Server security hardening, Active Directory security audits, patch management SLA design, and NCA ECC compliance support for organisations in Saudi Arabia and the GCC. We audit your domain controllers, identify exposure, and implement monitoring before attackers find the gaps.
📍 Riyadh · 🌍 Remote worldwide · ⏰ 24h response · 🔒 NCA ECC-2 aligned · 📋 Written SLA
Final Thoughts
CVE-2026-41089 deserves the same urgency Zerologon did: an unauthenticated, pre-foothold path to SYSTEM on a domain controller, now confirmed in active exploitation. Inventory every DC, patch the exposed ones first, confirm that MS-NRPC over both RPC and SMB is reachable only from known domain members, enable Netlogon logging, and audit privileged accounts and GPO changes back to the 12 May 2026 disclosure date before assuming the domain is clean.