Notebookcheck Logo

Windows Netlogon CVE-2026-41089 exploited: Priority patch needed

CVE-2026-41089 allows unauthenticated attackers to execute code on Windows domain controllers with SYSTEM privileges.
ⓘ Freepik.com
CVE-2026-41089 allows unauthenticated attackers to execute code on Windows domain controllers with SYSTEM privileges.
CVE-2026-41089, a critical Windows Netlogon flaw rated CVSS 9.8, is now actively exploited. Unpatched domain controllers face full SYSTEM-level compromise with no credentials needed.
Security Hack / Data Breach Windows Microsoft Business

Attackers are actively exploiting a critical Windows Netlogon vulnerability that Microsoft patched three weeks ago and assessed as unlikely to be exploited. The Centre for Cybersecurity Belgium issued an exploitation warning on May 29, raising the risk profile for every unpatched Windows Server environment running as a domain controller. While Microsoft stated on June 1 that it is still validating those claims and has not yet updated its MSRC portal, security teams are urged not to wait.

CVE-2026-41089 is a stack-based buffer overflow in the Netlogon service with a CVSS score of 9.8. An unauthenticated remote attacker sends a crafted network request to a Windows Server acting as a domain controller. If successful, the Netlogon service mishandles the request, allowing the attacker to execute arbitrary code with SYSTEM privileges. No credentials. No user interaction. No prior access needed.

Why the concern

Microsoft patched CVE-2026-41089 on May 12 as part of its May Patch Tuesday, which addressed 138 CVEs total. Despite the 9.8 severity rating, Redmond assessed the flaw as "exploitation less likely" at the time of release. That gap between official assessment and real-world threat reports is exactly what is catching enterprise security teams off guard.

The CCB advisory came 17 days after the patch dropped. That is well within the window that many enterprise patch cycles operate. Organisations that treat Patch Tuesday updates as a 30-day rollout schedule rather than an immediate priority are currently exposed.

Windows Netlogon CVE-2026-41089: What is at risk

Domain controllers are the authentication backbone of Active Directory environments. Successful exploitation of CVE-2026-41089 gives an attacker SYSTEM-level code execution on the domain controller itself, which in practice means full control of the Active Directory domain, the ability to create privileged accounts, and lateral movement across every system that authenticates against that controller.

Jack Bicer, director of vulnerability research at Action1, flagged the flaw at patch time: "This CVE requires immediate attention. Successful attacks may lead to widespread endpoint compromise, ransomware deployment, credential harvesting, and operational disruption across corporate networks."

What can be done

Apply the May 12 cumulative update immediately if it has not been deployed. The fix is included in the standard Windows Server update for all supported versions. Isolate domain controllers from direct internet exposure and restrict Netlogon traffic to authenticated internal sources only. June 9 is the next Patch Tuesday and the final update window before the June 24-27 Secure Boot certificate expiration window, which adds further urgency to completing the May rollout before that date.

Google LogoAdd as a preferred source on Google
Mail Logo

No comments for this article

Got questions or something to add to our article? Even without registering you can post in the comments!
No comments for this article / reply

static version load dynamic
Loading Comments
Comment on this article

Related Articles

> Expert Reviews and News on Laptops, Smartphones and Tech Innovations > News > News Archive > Newsarchive 2026 06 > Windows Netlogon CVE-2026-41089 exploited: Priority patch needed
Darryl Linington, 2026-06- 3 (Update: 2026-06- 3)