Background
Windows Netlogon is the protocol and service responsible for authenticating users and computers in a Windows domain environment. Every Windows domain controller runs the Netlogon service and exposes the Netlogon Remote Protocol (NRPC) interface on the network — it is a foundational component of Active Directory and cannot be disabled without breaking domain authentication entirely.
CVE-2026-41089 is a critical pre-authentication remote code execution vulnerability in this service. Exploitation requires only network access to the domain controller’s Netlogon RPC interface — which is exposed by design on all domain controllers — and no credentials, user interaction, or prior access of any kind. Belgium’s Centre for Cybersecurity (CCB) confirmed active exploitation in the wild on 29 May 2026, seventeen days after Microsoft patched the flaw in the May 2026 Patch Tuesday release. No threat actor has been publicly attributed at time of writing.
The Netlogon RPC interface has a significant exploitation history. CVE-2020-1472 (Zerologon) — which exploited a cryptographic flaw in the Netlogon authentication handshake to instantly become domain administrator — was one of the most heavily exploited vulnerabilities of 2020-2021, used by ransomware groups, nation-state actors, and initial access brokers. CVE-2026-41089 is a distinct vulnerability, but it sits in the same service and carries the same consequence: full domain compromise from an unauthenticated network position.
Technical Mechanism
CVE-2026-41089 is a stack-based buffer overflow vulnerability (CWE-121) in the Windows Netlogon service. The vulnerable code path processes incoming Netlogon RPC requests and fails to properly validate the length of attacker-controlled data before copying it to a fixed-size stack buffer.
Attack vector summary:
- An attacker sends a specially crafted Netlogon RPC request to a domain controller, targeting the vulnerable parsing function
- The oversized attacker-controlled data overflows the fixed-size stack buffer, overwriting adjacent stack memory including the saved return pointer
- By controlling the overflow content, the attacker redirects execution to attacker-supplied shellcode or a ROP (return-oriented programming) chain
- The Netlogon service runs as SYSTEM — shellcode executes with SYSTEM privileges on the domain controller
No authentication challenge precedes the vulnerable code path; the overflow occurs before any credential validation takes place. Microsoft’s published FAQ for CVE-2026-41089 confirms: exploitation is achieved by sending “a specially crafted network request to a Windows server acting as a domain controller.”
The CVSS 3.1 vector reflects the severity: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — network-accessible, low complexity, no privileges required, no user interaction, and complete compromise of confidentiality, integrity, and availability on the domain controller.
Real-World Exploitation Evidence
Microsoft internally discovered the vulnerability via its Windows Attack Research and Protection (WARP) team and included the patch in the May 12, 2026 Patch Tuesday release, alongside 136 other CVEs. At initial disclosure, exploitation had not been confirmed.
Belgium’s Centre for Cybersecurity (CCB) updated its advisory on 29 May 2026 to state that CVE-2026-41089 had been confirmed as actively exploited in the wild. The CCB’s confirmation threshold requires evidence of real-world exploitation against production systems, not merely proof-of-concept demonstrations.
As of 3 June 2026, CVE-2026-41089 has not been added to CISA’s Known Exploited Vulnerabilities catalog. Given the CCB confirmation, CISA KEV addition is expected. This analysis is published ahead of that addition given the severity of the vulnerability.
No specific threat actor, campaign name, or attributed intrusion set has been publicly linked to the exploitation activity. Attribution at this stage reflects the normal reporting lag for a recently exploited vulnerability; the absence of named actors should not reduce remediation urgency. Historically, pre-authentication RCE against domain controllers attracts ransomware operators (who exploit domain control to achieve domain-wide simultaneous encryption via Group Policy), nation-state actors seeking persistent Active Directory access, and initial access brokers packaging the access for resale.
Impact Assessment
Successful exploitation of CVE-2026-41089 provides an unauthenticated attacker with SYSTEM-level code execution on the domain controller itself. The practical consequences extend far beyond the single compromised host:
Domain-wide impact:
- Active Directory control: A domain controller runs all AD operations. SYSTEM on a DC gives the attacker the ability to create privileged accounts, modify group memberships, generate Kerberos service tickets for any account (Golden Ticket attack), and modify Group Policy Objects that apply to every domain-joined system
- Domain-wide lateral movement: Every host that authenticates against the compromised domain controller is reachable. Pass-the-hash, pass-the-ticket, and scheduled task injection via GPO are all available without further exploitation
- Credential harvesting: SYSTEM on a DC enables direct access to NTDS.DIT, the Active Directory database containing the password hashes of all domain users and computers — giving the attacker offline cracking capability for every credential in the domain
Sector-specific risk:
For ransomware operations, domain controller compromise is the penultimate step before domain-wide encryption. Ransomware actors routinely use DC access to push locker binaries via GPO startup scripts, enabling simultaneous encryption across thousands of domain-joined endpoints and servers.
For OT/ICS environments where Active Directory authentication bridges IT and operational technology networks, compromise of a domain controller that serves mixed IT-OT trust boundaries may provide authenticated access to engineering workstations, historian servers, and OT management interfaces.
For healthcare organisations running domain-joined clinical systems, SYSTEM on a DC means potential access to patient record systems, medical imaging servers, and clinical workflow applications that authenticate through Active Directory.
Scope: Only domain controllers are directly vulnerable to the RCE. Member servers and workstations that are not domain controllers cannot be directly exploited via this path. However, domain controller compromise is sufficient for complete domain takeover, after which all domain-joined systems are reachable through authenticated attack paths.
Affected Versions
| Platform | Affected Versions | Status |
|---|---|---|
| Windows Server 2025 | All builds before May 2026 Patch Tuesday | Patch available |
| Windows Server 2022 | All builds before May 2026 Patch Tuesday | Patch available |
| Windows Server 2019 | All builds before May 2026 Patch Tuesday | Patch available |
| Windows Server 2016 | All builds before May 2026 Patch Tuesday | Patch available |
| Windows Server 2012 R2 | All builds before May 2026 Patch Tuesday | Patch available (Extended Security Updates) |
| Windows Server versions prior to 2012 R2 | End of support | Not patched — decommission or isolate |
Domain controllers running end-of-support Windows Server versions (pre-2012 R2) are vulnerable with no vendor-supplied patch. These systems require emergency isolation or decommission.
Remediation Steps
Primary remediation:
Apply the May 2026 Patch Tuesday update (KB article numbers vary by Windows Server version). This is the only complete remediation for CVE-2026-41089. There is no workaround that removes the vulnerable code path while maintaining Netlogon service functionality.
- Verify patch status on all domain controllers:

```powershell
# Check installed hotfixes on domain controllers
Invoke-Command -ComputerName (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName) -ScriptBlock {
    Get-HotFix | Where-Object {$_.HotFixID -match 'KB'} | Sort-Object -Property InstalledOn -Descending | Select-Object -First 5
}
```
- Identify all domain controllers in the environment — including secondary and RODC (Read-Only Domain Controllers):

```powershell
Get-ADDomainController -Filter * | Select-Object Name, OperatingSystem, IPv4Address, IsGlobalCatalog, IsReadOnly
```
- Apply patches to all domain controllers via Windows Update, WSUS, or SCCM. Prioritise primary domain controllers (PDC emulator FSMO role holder) if a staged rollout is required, but complete patching of all DCs as rapidly as possible.
- Restrict Netlogon RPC access at the network layer — this is a defence-in-depth measure, not a substitute for patching. Limit which source addresses can reach TCP 135 (RPC endpoint mapper) and the dynamic RPC port range on domain controllers:

```text
# Network ACL: restrict inbound RPC access to domain members only
# On edge firewalls and within microsegmented environments
# Allow: TCP 135, TCP 49152-65535 from domain member IP ranges
# Deny: above ports from all other sources
```
- For end-of-support domain controllers (Windows Server 2012 and older): isolate from all network segments that are not strictly required for authentication operations while accelerating decommission or migration.
Detection Guidance
Exploitation attempts — network layer:
Monitor for anomalous Netlogon RPC traffic patterns on domain controller network interfaces. Exploitation involves a malformed NRPC packet that exceeds normal parameter size bounds. Network IDS rules targeting oversized Netlogon RPC payloads can detect exploitation attempts.
Suricata rule concept:

```text
alert tcp any any -> $DC_HOSTS [135,49152:65535] (msg:"CVE-2026-41089 Netlogon RPC Overflow Attempt"; flow:established,to_server; content:"|05|"; offset:0; depth:1; dsize:>4096; classtype:attempted-admin; sid:20260001; rev:1;)
```
Note: Exact Snort/Suricata signatures require Netlogon NRPC protocol awareness for precision. Consult your IDS vendor’s signature feed for CVE-2026-41089-specific rules.
Post-exploitation — Active Directory monitoring:
Post-exploitation activity on a compromised domain controller typically involves one or more of:
- New privileged account creation (Event ID 4720 + 4732/4728 for group membership)
- GPO modification (Event ID 5136 — directory service object modification)
- NTDS.DIT access (Event ID 4663 on %SystemRoot%\NTDS\ntds.dit)
- Kerberos golden ticket generation (Event ID 4769 with unusual encryption type or ticket lifetime)
- Shadow copy creation for NTDS.DIT extraction (Event ID 7036, VSS service events, 4688 for vssadmin.exe)
Enable advanced audit policy on all domain controllers:
```powershell
# Enable DS Access auditing for object changes
AuditPol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
AuditPol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
AuditPol /set /subcategory:"Account Management" /success:enable /failure:enable
```
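As an added example that is not part of this advisory, the following Python correlates the post-exploitation indicators listed above over a constructed batch of Security-log events that a collector has already parsed into dicts. Field names follow the Windows event XML (EventData), the 4720-to-group-add join is on SID rather than account name, and treating an RC4 (0x17) service-ticket request as unusual is an assumption to tune against your own baseline.

```python
# Added example, not part of the advisory: correlates the post-exploitation
# indicators listed above over Security-log events that a collector has already
# parsed into dicts (EventData field names as in the Windows event XML).
# The events at the bottom are constructed samples, not real telemetry.
from datetime import datetime, timedelta

ACCOUNT_WINDOW = timedelta(minutes=10)  # 4720 followed by 4732/4728 within this window
GROUP_ADD_EVENTS = {"4732", "4728"}     # member added to local / global security group
UNUSUAL_ETYPES = {"0x17"}               # assumption: RC4 TGS requests are abnormal here
NTDS_SUFFIX = r"\ntds\ntds.dit"

def correlate(events):
    """Return (rule, detail) findings; join 4720 -> group add on SID, not name."""
    findings, created = [], {}
    for e in sorted(events, key=lambda x: x["time"]):
        eid, d = e["id"], e["data"]
        if eid == "4720":
            created[d["TargetSid"]] = e["time"]
        elif eid in GROUP_ADD_EVENTS:
            t0 = created.get(d["MemberSid"])
            if t0 is not None and e["time"] - t0 <= ACCOUNT_WINDOW:
                findings.append(("new_account_added_to_group", d["TargetUserName"]))
        elif eid == "5136" and d.get("ObjectClass") == "groupPolicyContainer":
            findings.append(("gpo_modified", d["ObjectDN"]))
        elif eid == "4663" and d["ObjectName"].lower().endswith(NTDS_SUFFIX):
            # lsass.exe holds ntds.dit open on every DC; any other process touching it is the signal
            if not d["ProcessName"].lower().endswith(r"\lsass.exe"):
                findings.append(("ntds_dit_access", d["ProcessName"]))
        elif eid == "4688" and d["NewProcessName"].lower().endswith(r"\vssadmin.exe"):
            findings.append(("shadow_copy_tooling", d["SubjectUserName"]))
        elif eid == "4769" and d.get("TicketEncryptionType") in UNUSUAL_ETYPES:
            findings.append(("unusual_tgs_etype", d["ServiceName"]))
    return findings

T = datetime(2026, 6, 1, 2, 14)
SAMPLE_EVENTS = [  # constructed; deliberately out of time order
    {"time": T + timedelta(minutes=1), "id": "4732", "data": {"MemberSid": "S-1-5-21-1-2-3-1105", "TargetUserName": "Administrators"}},
    {"time": T, "id": "4720", "data": {"TargetUserName": "svc-backup2", "TargetSid": "S-1-5-21-1-2-3-1105"}},
    {"time": T + timedelta(minutes=2), "id": "4732", "data": {"MemberSid": "S-1-5-21-1-2-3-500", "TargetUserName": "Administrators"}},
    {"time": T + timedelta(minutes=3), "id": "5136", "data": {"ObjectClass": "groupPolicyContainer", "ObjectDN": "CN={GPO-GUID},CN=Policies,CN=System,DC=corp,DC=example"}},
    {"time": T + timedelta(minutes=4), "id": "4688", "data": {"NewProcessName": r"C:\Windows\System32\vssadmin.exe", "SubjectUserName": "svc-backup2"}},
    {"time": T + timedelta(minutes=5), "id": "4663", "data": {"ObjectName": r"C:\Windows\NTDS\ntds.dit", "ProcessName": r"C:\Windows\System32\lsass.exe"}},
    {"time": T + timedelta(minutes=6), "id": "4663", "data": {"ObjectName": r"C:\Windows\NTDS\ntds.dit", "ProcessName": r"C:\Windows\System32\cmd.exe"}},
    {"time": T + timedelta(minutes=7), "id": "4769", "data": {"ServiceName": "krbtgt", "TicketEncryptionType": "0x17"}},
]

if __name__ == "__main__":
    for rule, detail in correlate(SAMPLE_EVENTS):
        print(f"{rule:28} {detail}")
```

The second 4732 (a SID with no preceding 4720) and the lsass.exe read of ntds.dit are deliberately benign and produce no finding, which is the noise the raw event IDs alone would not filter out.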
MMPE version check (for managed environments):
```powershell
# Check unpatched domain controllers across the domain
Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_.HostName
    $os = $_.OperatingSystem
    $patch = Invoke-Command -ComputerName $dc -ScriptBlock {
        (Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
    } -ErrorAction SilentlyContinue
    [PSCustomObject]@{DC=$dc; OS=$os; LastPatch=$patch}
} | Format-Table -AutoSize
```
Timeline
| Date | Event |
|---|---|
| 12 May 2026 | Microsoft patches CVE-2026-41089 in May 2026 Patch Tuesday (137 CVEs total) |
| 29 May 2026 | Belgium’s Centre for Cybersecurity (CCB) confirms active exploitation in the wild |
| ~1 June 2026 | Multiple security media outlets report on exploitation confirmation |
| 3 June 2026 | CVE-2026-41089 not yet in CISA KEV catalog (addition expected) |
| 5 June 2026 | This analysis published |
References
- Bleeping Computer — Critical Windows Netlogon RCE flaw now exploited in attacks
- Help Net Security — Windows Netlogon RCE exploited, domain controllers at risk
- SecurityWeek — Critical Windows Netlogon Vulnerability in Attackers’ Crosshairs
- CybersecurityNews — Windows Netlogon 0-Click RCE Vulnerability Now Actively Exploited In The Wild
- CCB Belgium — Warning: Microsoft Patch Tuesday May 2026
- NVD — CVE-2026-41089