BELGIUM — The Centre for Cybersecurity Belgium (CCB) warned on Friday that threat actors are actively exploiting a critical Windows Netlogon vulnerability, CVE-2026-41089, in the wild. The agency urged organizations to apply Microsoft’s patch for the flaw as soon as possible to prevent potential remote code execution.

CVE-2026-41089 is a stack-based buffer overflow vulnerability in the Windows Netlogon service, which handles authentication on domain-based networks. The flaw carries a CVSS severity score of 9.8 out of 10 and affects all currently supported Windows Server versions, including Windows Server 2025. Unauthenticated attackers can exploit the vulnerability by sending specially crafted network requests to a Windows server acting as a domain controller.

Microsoft publicly disclosed and patched CVE-2026-41089 on May 12, 2026, as part of its monthly Patch Tuesday security updates, which addressed 137 vulnerabilities in total. According to Microsoft’s advisory, “If successful, this could cause the Netlogon service to improperly handle the request, potentially allowing the attacker to run code on the affected system without needing to sign in or have prior access.” The vulnerability was discovered by Microsoft’s internal Windows Attack Research & Protection (WARP) team.

Despite the CCB’s warning about active exploitation, Microsoft had not updated its advisory to reflect that the vulnerability is being actively exploited in the wild. The company also did not include CVE-2026-41089 among the approximately a dozen vulnerabilities in the May 2026 updates that it identified as likely to be exploited. At the time of publication, no other cybersecurity organizations besides the CCB had reported evidence of active exploitation of the flaw.

The CCB emphasized the urgency of patching in a public message, stating: “CVE-2026-41089 in #Windows #Netlogon is now actively #exploited in the wild and could lead to #RCE. CVSS(3.1): 9.8. Patch as quickly as possible.” Successful exploitation of critical Netlogon vulnerabilities could grant attackers control over the domain controller and, by extension, other machines connected to the network.