Belgium's national cybersecurity authority, the Centre for Cybersecurity Belgium (CCB), didn't mince words on Friday, May 29, 2026. The agency issued an urgent warning to organizations: threat actors are actively exploiting a recently patched, critical vulnerability in the Windows Netlogon service. Identified as CVE-2026-41089, this flaw carries a CVSS 3.1 base score of 9.8, signaling the highest tier of threat.
Netlogon is a Remote Procedure Call (RPC) interface and a core Windows Server service. It authenticates users and computers on Windows domain networks. If you run Active Directory, Netlogon is the engine room of your trust infrastructure: it establishes and maintains the secure channel between domain members and domain controllers, passes authentication requests through to the domain controller, and locates domain controllers for clients. The CCB's alert is based on observations supplied by trusted partners, and it indicates that malicious groups are targeting enterprise networks today.
CVE-2026-41089 is yet another critical remote code execution vulnerability in the Windows ecosystem, joining a persistent series of enterprise server issues. Only recently, network defenders had to rush to apply the emergency patch for SharePoint Server to stop authenticated remote code execution. With CVE-2026-41089, however, the threat is far worse. Threat actors don't need valid credentials; they only need network reachability to the Netlogon RPC endpoint. The math is simple: if an attacker can reach a domain controller over the network, they can seize control of the entire identity domain. We've watched how unauthenticated RCE exploits can dismantle organizations, such as the PeopleSoft zero-day that allowed attackers to plunder university systems. Netlogon is the next target in this escalation.
Under the Hood: The Mechanics of CVE-2026-41089
What makes this exploit exceptionally dangerous is how it functions. The flaw is a stack-based buffer overflow (CWE-121) residing within the packet handling parser of the Netlogon Remote Protocol (MS-NRPC).
A researcher on Microsoft's Windows Attack Research & Protection (WARP) team discovered the vulnerability internally. The parser fails to validate the length of incoming network data before copying it into a fixed-size stack buffer. An unauthenticated attacker can send a specially crafted RPC packet to the Netlogon interface. This overflows the buffer, corrupts the stack, and allows the attacker to execute arbitrary code with SYSTEM privileges.
No sign-in is required. No human interaction is needed. The attacker sends the request, and the Netlogon service either crashes or runs the payload. On a domain controller, Netlogon is hosted inside lsass.exe, so a successful exploit runs as SYSTEM in the very process that holds the domain's credentials, and a failed attempt that crashes the service takes LSASS down and reboots the controller. At best that is a denial of service against your identity infrastructure; at worst it is complete host compromise. From there, exporting the directory database (NTDS.dit), dumping credential hashes, and deploying domain-wide ransomware are trivial steps for an attacker.
Target Scope and Operating System Impact
The vulnerability impacts every supported version of Windows Server, and it matters most on systems configured as Active Directory domain controllers, which serve the MS-NRPC interface to the network. The affected product list is long and covers:
- Windows Server 2025
- Windows Server 2022
- Windows Server 2022 23H2
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 and 2012 R2
It doesn't stop there. Legacy, out-of-support operating systems like Windows Server 2008 R2 are also fully vulnerable. If you haven't migrated off these legacy servers, they are sitting ducks.
To verify that a system is patched, confirm it is running at least the following OS build (the build number plus the update build revision, as shown by winver or by the CurrentBuild and UBR values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion):
- Windows Server 2016: build 10.0.14393.9140
- Windows Server 2019: build 10.0.17763.8755
- Windows Server 2022: build 10.0.20348.5074
- Windows Server 2022 23H2: build 10.0.25398.2330
- Windows Server 2025: build 10.0.26100.32772
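As an added example (this is not from the CCB advisory or from Microsoft), the following PowerShell compares every domain controller's installed build against the baselines listed above. It assumes the ActiveDirectory module (RSAT) on the machine you run it from and WinRM access to each DC; hosts whose build is not in the table (Windows Server 2012 R2 and older, whose kernel version is not 10.0) are flagged for manual review rather than compared, and DCs that return nothing are reported rather than silently treated as patched.

```powershell
# Added example: compare each DC's CurrentBuild.UBR against the minimum patched builds quoted
# in this article. Not from the CCB advisory or Microsoft. Assumes the RSAT ActiveDirectory
# module and WinRM (Invoke-Command) access to every domain controller.
$MinimumPatched = @{
    '14393' = [version]'10.0.14393.9140'   # Windows Server 2016
    '17763' = [version]'10.0.17763.8755'   # Windows Server 2019
    '20348' = [version]'10.0.20348.5074'   # Windows Server 2022
    '25398' = [version]'10.0.25398.2330'   # Windows Server 2022 23H2
    '26100' = [version]'10.0.26100.32772'  # Windows Server 2025
}

$dcs = (Get-ADDomainController -Filter *).HostName

# CurrentBuild is the OS build (e.g. 20348); UBR is the cumulative-update revision (e.g. 5074).
$results = Invoke-Command -ComputerName $dcs -ErrorAction Continue -ScriptBlock {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Product = $cv.ProductName
        Build   = [string]$cv.CurrentBuild
        UBR     = $cv.UBR          # absent on Server 2012 R2 and older
    }
}

$report = foreach ($r in $results) {
    $required = $MinimumPatched[$r.Build]
    if (-not $required) {
        # 2012 R2 (9600), 2012 (9200), 2008 R2 (7601): no 10.0.x baseline, so verify by hand
        $installed = "$($r.Build).$($r.UBR)"
        $status    = 'NOT IN TABLE - legacy build, treat as vulnerable'
    } else {
        $installed = [version]"10.0.$($r.Build).$($r.UBR)"
        $status    = if ($installed -ge $required) { 'patched' } else { "VULNERABLE (need $required)" }
    }
    [pscustomobject]@{ Host = $r.PSComputerName; Product = $r.Product; Installed = $installed; Status = $status }
}

# DCs that returned nothing (offline, WinRM blocked) are not 'patched'; list them explicitly.
$missing = $dcs | Where-Object { $_ -notin $results.PSComputerName }
$missing | ForEach-Object { Write-Warning "No result from $_ - check it manually" }

$report | Sort-Object Status, Host | Format-Table -AutoSize
```

Run it again after the maintenance window closes: the point of the check is that every DC, not most of them, shows "patched", since one unpatched controller is enough for an attacker who can reach it.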
This flurry of severe patches matches a broader trend. Microsoft's update cycles have grown massive, as seen in the June 2026 Patch Tuesday update that addressed 200 vulnerabilities. This surge in vulnerabilities points to a new normal. In fact, security teams are struggling under the weight of releases, such as the unprecedented Patch Tuesday that resolved a record 206 CVEs, proving that automation is no longer optional.
Active Exploitation Discrepancy: Alert vs. Official Stance
A curious gap exists between government security agencies and Redmond. While the CCB issued a direct warning on exploitation, Microsoft told reporters they don't have evidence of active exploitation in the wild.
Should you wait until Microsoft changes its stance? Absolutely not. Waiting for the vendor to confirm what a national CERT is already reporting is a recipe for disaster. The CCB is relying on observations from operations in the field: when it warns of exploitation, it does so because trusted partners have encountered threat actors using this vector. Furthermore, public proof-of-concept exploits are already circulating on code-sharing platforms.
Look at the broader context of recent zero-days. We've seen researchers drop public exploits for privilege escalation bugs like BlueHammer (CVE-2026-33825) and RedSun (CVE-2026-41091) only for threat actors to weaponize them almost instantly. The same cycle is repeating here: defense is lagging, and the threshold for exploitation is plummeting. This rapid weaponization cycle mirrors the urgent pressure seen when CISA ordered agencies to patch a Check Point VPN zero-day within hours of threat intelligence warnings. If you're a defender, you have to treat any proof-of-concept release as an immediate security event.
Historically, the delay between a patch release and active weaponization has shrunk from months to days. Threat actors routinely diff the security update against the previous binary to locate the vulnerable function. We saw this dynamic play out during the campaign targeting Microsoft Exchange Server, where corporate gateways were compromised before patches could be fully rolled out. Once they have found the bug in the MS-NRPC parser, turning it into a working exploit is an engineering task rather than a research project; stack cookies, DEP and ASLR raise the cost of a reliable exploit, but they have not stopped determined attackers before. If you run unpatched domain controllers, you're relying on the hope that nobody with a foothold in your network has scanned for them. That isn't a strategy; it's a gamble.
Defensive Playbook: Remediation and Network Safeguards
Mitigating CVE-2026-41089 requires a systematic process. The first step is applying Microsoft’s May 2026 security updates.
Apply these patches carefully. You must update all domain controllers in your environment within the same maintenance window. If you leave even one controller unpatched, you've left the door open. Domain controllers constantly replicate and handle authentication queries. An attacker can target the unpatched system to compromise credentials, then propagate to the rest.
If you have legacy environments that cannot be patched immediately, such as Windows Server 2008 R2, or 2012 and 2012 R2 hosts without an Extended Security Update subscription, use 0patch micropatches where available. These third-party patches apply the fix in memory without a reboot, giving you breathing room until you migrate the systems; treat them as a stopgap, not a replacement for the vendor update.
Next, restrict Netlogon traffic at the network layer. Netlogon is reached over RPC, either through the endpoint mapper and a dynamically assigned port or through the NETLOGON named pipe over SMB, so unauthorized hosts must not be able to reach these ports on your domain controllers:
- TCP 135 (RPC endpoint mapper)
- TCP 445 (SMB, which carries the Netlogon named pipe)
- TCP dynamic RPC range (49152-65535 by default on Windows Server 2008 and later)
The same segmentation should also cover TCP/UDP 389 (LDAP) and TCP/UDP 88 (Kerberos). They are not part of the Netlogon RPC path, but they are exposed on the same hosts and are the next thing an attacker with network access will probe.
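One way to enforce the port restrictions above on the domain controller itself, as an added PowerShell example that is not part of the CCB advisory or of any Microsoft guidance: scope the inbound rules that open these ports to the subnets that host your DCs and domain members, then audit for any enabled allow rule that still exposes them to every remote address. The subnet list is constructed for illustration, and the assumption that the built-in "Active Directory Domain Services" rule group is what admits this traffic on your DCs should be checked against your own rule set before you run it.

```powershell
# Added example, not from the CCB advisory or Microsoft: on a domain controller, scope the
# inbound rules that open the RPC entry points above to the subnets that host your DCs and
# domain members, then audit for any enabled allow rule that still exposes them to 'Any'.
# Assumptions (adjust before use): the subnet list is constructed for illustration, and the
# built-in 'Active Directory Domain Services' rule group is what admits this traffic on your DCs.
# Run elevated on each DC; include EVERY DC subnet or you will break replication.
$TrustedSubnets = @('10.10.0.0/16', '10.20.5.0/24')

# 1. Scope the built-in DC rules (RPC-EPMAP on 135, dynamic RPC, SAM/LSA named pipes on 445,
#    LDAP, Kerberos ...) so that only trusted source addresses match them.
Get-NetFirewallRule -DisplayGroup 'Active Directory Domain Services' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $TrustedSubnets

# Port 445 may also be opened by the generic SMB rule; scope it too if it exists.
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' -ErrorAction SilentlyContinue |
    Set-NetFirewallRule -RemoteAddress $TrustedSubnets

# 2. Anything not explicitly allowed is dropped (the Windows default, restated here on purpose).
Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block

# 3. Audit: enabled inbound allow rules whose local port is 135, 445 or one of the RPC
#    keywords the built-in rules use, and whose remote address is still 'Any'.
function Get-ExposedRpcRule {
    $watch = @('135', '445', 'RPC', 'RPC-EPMap')
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule   = $_
        $ports  = @(($rule | Get-NetFirewallPortFilter).LocalPort)
        $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        $hit    = @($ports | Where-Object { $_ -in $watch })
        if ($hit.Count -gt 0 -and ($remote -contains 'Any')) {
            [pscustomobject]@{ Rule = $rule.DisplayName; Group = $rule.DisplayGroup; LocalPort = ($hit -join ',') }
        }
    }
}

$exposed = @(Get-ExposedRpcRule)
if ($exposed.Count -gt 0) {
    Write-Warning 'Inbound allow rules still exposing RPC/SMB to any remote address:'
    $exposed | Format-Table -AutoSize
} else {
    'No enabled inbound allow rule exposes 135/445/RPC to Any.'
}
```

Test this on one DC before pushing it through Group Policy, and check replication afterwards with repadmin /replsummary: a subnet missing from the trusted list shows up first as replication failures, not as a blocked attacker. Host firewall scoping is a complement to network segmentation, not a replacement for it, since an attacker who owns a host on a trusted subnet still gets through.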
Only domain controllers, member servers and domain-joined clients on known subnets should be able to reach these interfaces. Domain members do need RPC to their domain controllers for secure-channel setup, Group Policy and password changes, so the realistic goal is not to cut clients off from the dynamic range but to block guest, DMZ, VPN-landing and other untrusted segments, and to narrow the dynamic port range so the firewall rules stay manageable. Finally, monitor your system logs for sudden Netlogon service crashes, unusual traffic origins, and failed authentications. Because Netlogon runs inside lsass.exe on a domain controller, a failed exploit attempt that crashes the service reboots the controller, so an unexplained DC reboot deserves investigation in its own right. If you see unexpected RPC requests to a domain controller from hosts that have no business talking to it, treat it as an active compromise. Pay close attention to unexpected incoming traffic patterns on TCP 135 and the dynamic ports; threat actors often use scanners to sweep the network looking for exposed RPC control planes before launching the exploit payload itself.
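The monitoring described above, as an added PowerShell example that is not from the CCB advisory or from Microsoft: it pulls, from every domain controller, the generic Windows events that indicate a Netlogon or LSASS crash, plus inbound Filtering Platform "connection permitted" events to the RPC and SMB ports from addresses outside the subnets you expect. It assumes the ActiveDirectory module and WinRM access to each DC. The event IDs are standard Windows crash and Windows Filtering Platform events, not a published detection signature for this CVE, and the subnet list is constructed for illustration. Part (b) only produces data if success auditing for "Filtering Platform Connection" is enabled on the DCs (auditpol /set /subcategory:"Filtering Platform Connection" /success:enable), which is noisy, so keep the look-back window short.

```powershell
# Added example, not from the CCB advisory or Microsoft: hunt across all DCs for (a) the generic
# Windows signals of a Netlogon/LSASS crash and (b) inbound connections to the RPC entry points
# from addresses outside the subnets you expect. Assumptions: ActiveDirectory module and WinRM
# to each DC; the event IDs are standard Windows crash and Filtering Platform events, not a
# published signature for this CVE; part (b) needs 'Filtering Platform Connection' success
# auditing enabled. Subnets are constructed for illustration.
$Since          = (Get-Date).AddHours(-24)
$TrustedSubnets = @('10.10.0.0/16', '10.20.5.0/24')
$WatchPorts     = 135, 445                    # the dynamic RPC range is tested separately below
$dcs            = (Get-ADDomainController -Filter *).HostName

# IPv4-only CIDR membership; IPv6 sources are reported as untrusted so that they get looked at.
function ConvertTo-UInt32IPv4([string]$Address) {
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { throw "not IPv4: $Address" }
    $b = $ip.GetAddressBytes()   # network byte order
    return [uint32](([uint64]$b[0] * 16777216) + ([uint64]$b[1] * 65536) + ([uint64]$b[2] * 256) + [uint64]$b[3])
}
function Test-TrustedSource([string]$Ip) {
    if ($Ip -eq '::1' -or $Ip -like '127.*') { return $true }           # loopback: the DC itself
    try { $a = ConvertTo-UInt32IPv4 $Ip } catch { return $false }
    foreach ($cidr in $TrustedSubnets) {
        $net, $bits = $cidr -split '/'
        $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
        if (($a -band $mask) -eq ((ConvertTo-UInt32IPv4 $net) -band $mask)) { return $true }
    }
    return $false
}

$findings = Invoke-Command -ComputerName $dcs -ArgumentList $Since -ScriptBlock {
    param($Since)
    # (a) Service Control Manager 7031/7034 naming Netlogon; Wininit 1015 and Application Error 1000
    #     for lsass.exe, the process that hosts the Netlogon service on a domain controller.
    $crash = @()
    $crash += Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Service Control Manager'; Id=7031,7034; StartTime=$Since} -ErrorAction SilentlyContinue |
              Where-Object Message -match 'Netlogon'
    $crash += Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-Wininit'; Id=1015; StartTime=$Since} -ErrorAction SilentlyContinue
    $crash += Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='Application Error'; Id=1000; StartTime=$Since} -ErrorAction SilentlyContinue |
              Where-Object Message -match 'lsass\.exe'
    foreach ($e in $crash) {
        [pscustomobject]@{ Kind='crash'; Time=$e.TimeCreated; Id=$e.Id; Source=''; Port=0; Detail=($e.Message -split "`r?`n")[0] }
    }

    # (b) Security 5156 'connection permitted'; Direction %%14592 is inbound. The fields are only
    #     in the event XML, so parse it.
    $ms    = [int64]((Get-Date) - $Since).TotalMilliseconds
    $xpath = "*[System[EventID=5156 and TimeCreated[timediff(@SystemTime) <= $ms]]] and *[EventData[Data[@Name='Direction']='%%14592']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 50000 -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{ Kind='conn'; Time=$_.TimeCreated; Id=5156; Source=$d.SourceAddress; Port=[int]$d.DestPort; Detail=$d.Application }
    }
}

$crashes    = @($findings | Where-Object Kind -eq 'crash')
$unexpected = @($findings | Where-Object { $_.Kind -eq 'conn' -and
                 ($_.Port -in $WatchPorts -or $_.Port -ge 49152) -and
                 -not (Test-TrustedSource $_.Source) })

"{0} crash-related events, {1} inbound RPC/SMB connections from untrusted sources" -f $crashes.Count, $unexpected.Count
$crashes    | Sort-Object Time | Format-Table PSComputerName, Time, Id, Detail -AutoSize
# Group so that a scanner sweeping the DCs shows up as one source hitting many ports/hosts.
$unexpected | Group-Object PSComputerName, Source, Port | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

A single untrusted source touching TCP 135 on several DCs within minutes is the scanner pattern the paragraph above describes; a crash event on a DC shortly after such a sweep is the point at which you stop hunting and start an incident.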