Windows Netlogon CVE-2026-41089 Is Now Under Active Exploitation, Belgian CCB Warns
Belgium's national cybersecurity authority warned on May 29 that CVE-2026-41089, a critical pre-auth buffer-overflow RCE in Windows Netlogon, is now being exploited against unpatched domain controllers. Microsoft patched the flaw in its May 12 Patch Tuesday release.
Netlogon is the authentication protocol of a Windows domain, so a pre-authentication remote code execution flaw on a domain controller is not a server bug — it is, by construction, a Domain Admin event for whoever fires it first.
BRUSSELS, BELGIUM — On Friday, May 29, 2026, the Centre for Cybersecurity Belgium (CCB) — the Belgian federal cybersecurity authority — warned that CVE-2026-41089, a critical stack-based buffer overflow in the Windows Netlogon service, is now being actively exploited in the wild against unpatched systems. The flaw, patched by Microsoft on May 12 in that month's Patch Tuesday release, allows an unauthenticated attacker to send a specially crafted network request to a Windows server acting as a domain controller and execute code on that server. Microsoft credited the discovery to its own Windows Attack Research and Protection (WARP) team and, at disclosure, assessed exploitation as 'less likely.'
Help Net Security, BleepingComputer and SecurityWeek confirmed CCB's warning in coverage published on June 1, 2026. CCB has not publicly shared details of the in-the-wild attacks, and Microsoft's advisory has not been updated to reflect the active-exploitation status as of publication.
What Happened
Microsoft disclosed CVE-2026-41089 on May 12, 2026, alongside the other fixes in its May Patch Tuesday release. The advisory describes the flaw as a stack-based buffer overflow in Netlogon, the authentication and security protocol that handles trust relationships, secure channel setup, and machine-account password changes inside a Windows domain. An unauthenticated attacker who can reach the Netlogon service on a Windows server acting as a domain controller can send a specially crafted network request that triggers the overflow and executes code in the context of the service. Microsoft credited its internal Windows Attack Research and Protection (WARP) team with the discovery and, at disclosure, characterized exploitation as 'less likely.' The flaw carries a CVSS v3.1 base score of 9.8, reflecting the network attack vector, low attack complexity, lack of authentication requirement, and code-execution impact.
On Friday, May 29, 2026, the Centre for Cybersecurity Belgium (CCB) — Belgium's federal cybersecurity authority — issued a public warning that CVE-2026-41089 is now being actively exploited against unpatched systems. CCB urged administrators to patch immediately, restrict Netlogon traffic at the network layer, and review domain-controller exposure. Help Net Security, BleepingComputer and SecurityWeek each independently confirmed CCB's warning in coverage published on June 1, 2026. CCB has not publicly shared technical details of the in-the-wild activity — no victim count, no attacker attribution, no indicators of compromise — and Microsoft's MSRC advisory had not been updated to reflect active-exploitation status as of this writing.
Netlogon Is the Authentication Protocol of a Windows Domain
Netlogon's role inside a Windows domain is what makes this CVE matter. The service runs on every domain controller and is responsible for establishing the secure channel between domain members and DCs, validating logons against Active Directory, replicating authentication data, and changing machine-account passwords. It is, in the most literal sense, the protocol that defines what it means to be authenticated to a Windows domain. Code execution inside the Netlogon service is therefore not a host-level event the way an RCE in a third-party application would be — it is code execution inside the process that the rest of the network already trusts to make authentication decisions. The Netlogon flaw class is also not a stranger to defenders: Zerologon (CVE-2020-1472) in 2020 and the PetitPotam coercion chain in 2021 both turned Netlogon mechanics into routes to full domain takeover, and both still sit on threat-hunting checklists for any post-incident Active Directory review.
A Pre-Authentication RCE on a Domain Controller Is, by Definition, a Domain Admin Event
What CVE-2026-41089 actually does, once exploited, follows directly from where it runs. Code executing inside the Netlogon service on a domain controller inherits the trust position of that service, which by design is the highest authentication authority in the domain. From there an attacker has a direct line to the Active Directory database (NTDS.dit), to the Kerberos KRBTGT account that signs every ticket in the forest, to the machine-account credentials of every joined system, and to whatever Group Policy is pushed down to clients. None of that requires an additional exploit chain — it is what the Netlogon service is already permitted to do. Treating CVE-2026-41089 as 'a Windows Server bug' understates the consequence: it is functionally a primitive for becoming Domain Admin in the targeted forest, and incident response on a confirmed exploitation should be planned around forest-wide credential resets, KRBTGT rotation, and Tier 0 rebuild — not single-host remediation.
Microsoft Said 'Less Likely.' Researchers and AI Tooling Compressed the Window.
Microsoft's initial assessment that exploitation of CVE-2026-41089 was 'less likely' is the part of this story that has aged the fastest. In the seventeen days between disclosure on May 12 and CCB's warning on May 29, security researchers and AI-assisted reverse-engineering shops publicly walked through the root cause and posted proof-of-concept material, including a detailed buildSamLogonResponse stack-overflow write-up that other defenders have referenced. That compression — from disclosure to public PoC to in-the-wild exploitation in under three weeks — is the pattern the Verizon 2026 Data Breach Investigations Report flagged when it found that vulnerability exploitation overtook credential theft as the number-one initial-access method for the first time. The takeaway is procedural: a vendor's exploitation-likelihood label is a snapshot, not a forecast, and a critical pre-auth RCE on a domain controller deserves the emergency patch cycle regardless of which qualifier sits next to it in the advisory.
Scope and Impact
CVE-2026-41089 does not arrive in a quiet week. It lands inside a tight active-exploitation cluster on the perimeter and identity surfaces: CCB's Netlogon warning sits alongside the Palo Alto Networks GlobalProtect VPN authentication-bypass flaw, CVE-2026-0257, that the vendor confirmed is being actively exploited as a zero-day, and the FortiClient EMS vulnerability CVE-2026-35616 that Arctic Wolf tied to the EKZ infostealer campaign. Three pre-authentication flaws in three different identity- and access-adjacent products, all under active exploitation, all disclosed inside a single week — the practical effect for defenders is that the perimeter, the VPN, and the directory are simultaneously in the patch queue.
Several specifics about the Netlogon exploitation remain unconfirmed and should not be assumed. CCB has not published indicators of compromise, has not identified the threat actor or actors involved, has not stated how many Belgian or international organizations are affected, and has not described whether the observed activity is targeted or opportunistic. Microsoft's MSRC advisory had not been updated to reflect the active-exploitation status at the time of this writing, and CVE-2026-41089 had not yet been added to the U.S. CISA Known Exploited Vulnerabilities catalog. Acros Security has released 0patch micropatches for legacy Windows Server versions outside Microsoft support — Windows Server 2008 R2, 2012, and 2012 R2 — which is a useful data point on which deployments the patch-management ecosystem assumes are still in the field.
The exposure question for any individual environment is narrow and answerable. CVE-2026-41089 is exploitable against Windows servers acting as domain controllers; member servers and workstations that are not DCs are not in the direct exploit path. The first audit is therefore short — every DC, every supported Windows Server release, May 12 cumulative update or newer — and the network-layer mitigation is straightforward: the Netlogon RPC interface (MS-NRPC, carried over the NETLOGON named pipe on SMB/445 and also over TCP via the RPC endpoint mapper on port 135 and its dynamic port range, so a 445-only block is not sufficient) should not be reachable from the public internet, and east-west exposure from non-DC sources to DCs should be the subject of an audit even after patching. This is the same hygiene that mattered for the Linux kernel CIFS key-request privilege-escalation flaw the kernel team shipped earlier in the month and for the unpatched Gogs argument-injection RCE that Rapid7 disclosed with a CVSS v4 score of 9.4 — exposure-surface reduction is the fastest available mitigation when patch deployment lags exploitation.
Response and Attribution
For Windows and Active Directory teams, the immediate action is verification, not just deployment. Confirm that every domain controller — including read-only DCs, DCs in branch sites, and DCs supporting any forest trust — is running the May 12, 2026 cumulative update or later. Do not rely on the patch-management dashboard alone; query each DC directly. Restrict Netlogon traffic at the network layer so the service is reachable only from expected domain members on expected segments, and confirm that no DC is exposing Netlogon to the public internet. Pre-stage the AD compromise incident-response runbook: a successful exploitation of CVE-2026-41089 is, in consequence, a forest-takeover event, and the response involves KRBTGT rotation (twice), credential resets across privileged accounts, machine-account password resets where indicated, and a deliberate Tier 0 rebuild plan rather than ad-hoc remediation.
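The verification step above, as an added example that is not from the article, CCB or Microsoft: it enumerates every DC in the forest (RODCs and branch-site DCs included) and queries each one directly for its installed updates rather than trusting a dashboard. The KB identifier is a placeholder to be replaced with the number from the MSRC advisory for each OS build; the date-based fallback is a heuristic.

```powershell
# Added example: confirm every DC in the forest carries the May 12, 2026 cumulative update.
# Run from a management host with the ActiveDirectory RSAT module and RPC access to each DC.
Import-Module ActiveDirectory

$PatchTuesday = Get-Date '2026-05-12'
$ExpectedKB   = 'KB<placeholder-from-MSRC-advisory>'   # placeholder, not a real identifier

# Forest-wide enumeration: every domain, every DC, read-only DCs included.
$dcs = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

$results = foreach ($dc in $dcs) {
    try {
        # Query the DC itself; this is the check the dashboard cannot substitute for.
        $hotfixes = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop
        $hasKB    = $hotfixes.HotFixID -contains $ExpectedKB
        $latest   = ($hotfixes | Where-Object InstalledOn |
                     Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
        # HasKB is authoritative; the date test only flags hosts with no update since Patch Tuesday.
        if ($hasKB)                                        { $status = 'OK' }
        elseif ($latest -and $latest -ge $PatchTuesday)     { $status = 'CHECK KB (updated since May 12)' }
        else                                               { $status = 'NEEDS PATCH' }
        [pscustomobject]@{
            DC = $dc.HostName; Domain = $dc.Domain; Site = $dc.Site; ReadOnly = $dc.IsReadOnly
            OS = $dc.OperatingSystem; LatestPatch = $latest; HasKB = $hasKB; Status = $status
        }
    } catch {
        # An unreachable DC is a finding in its own right, not a row to drop.
        [pscustomobject]@{
            DC = $dc.HostName; Domain = $dc.Domain; Site = $dc.Site; ReadOnly = $dc.IsReadOnly
            OS = $dc.OperatingSystem; LatestPatch = $null; HasKB = $false
            Status = "UNREACHABLE: $($_.Exception.Message)"
        }
    }
}

$results | Sort-Object Status, DC | Format-Table -AutoSize
$results | Where-Object Status -ne 'OK' | Export-Csv .\dc-netlogon-patch-gap.csv -NoTypeInformation
```

Get-HotFix relies on the Win32_QuickFixEngineering inventory, so a DC that lists the KB is patched, while a DC that merely shows a post-May 12 install date still needs the KB confirmed by hand.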
For SOC and threat-hunting teams, the hunt surface is well-defined even without published CCB indicators. Look for anomalous Netlogon RPC activity originating from non-DC sources, unexpected child-process spawning from lsass.exe or the Netlogon service on DCs in the past 30 days, Netlogon service crashes or restarts that do not align with scheduled maintenance, and authentication anomalies — Kerberos pre-authentication failures, sudden bursts of TGT requests, or domain-trust errors — clustered around suspicious network activity to a DC. Help Net Security's reporting cited specific events the Automox CTO flagged as worth watching: unexpected Netlogon service restarts, anomalous Netlogon traffic from non-DC source addresses, and authentication failures or domain-trust errors immediately following suspicious activity hitting a DC. None of those alone is a confirmation, but together they describe a hunt narrative that fits the exploit's mechanics.
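Two of the hunt signals above (Netlogon service crashes or restarts, and unexpected child processes of lsass.exe, which hosts Netlogon on a DC) pulled from DC event logs, as an added example that is not from CCB, Microsoft or Help Net Security. It assumes RPC access to each DC's System and Security logs and that process-creation auditing (event 4688) is enabled on the DCs.

```powershell
# Added example: collect Netlogon-related hunt signals from every DC in the current domain
# for the last 30 days. Event IDs used: Service Control Manager 7031/7034 (service terminated
# unexpectedly) and 7036 (service state change); Security 4688 (process creation).
Import-Module ActiveDirectory

$Since = (Get-Date).AddDays(-30)
$dcs   = (Get-ADDomainController -Filter *).HostName

$findings = foreach ($dc in $dcs) {
    # Signal 1: Netlogon crashes and restarts. 7036 also fires on normal stop/start, so each hit
    # must be compared against the maintenance schedule, which is the point the article makes.
    $svcEvents = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'
        Id = 7031, 7034, 7036; StartTime = $Since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'Netlogon' }

    # Signal 2: any process whose parent is lsass.exe. On a healthy DC this list should be empty;
    # the parent appears in the 'Creator Process Name' field of 4688.
    $procEvents = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = $Since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Creator Process Name:\s+\S*\\lsass\.exe' }

    foreach ($e in $svcEvents) {
        [pscustomobject]@{ DC = $dc; Time = $e.TimeCreated; Id = $e.Id
                           Signal = 'Netlogon service crash/restart'
                           Detail = ($e.Message -split "`n")[0].Trim() }
    }
    foreach ($e in $procEvents) {
        $child = if ($e.Message -match 'New Process Name:\s+(\S+)') { $Matches[1] } else { '?' }
        [pscustomobject]@{ DC = $dc; Time = $e.TimeCreated; Id = $e.Id
                           Signal = 'Child process of lsass.exe'
                           Detail = $child }
    }
}

$findings | Sort-Object DC, Time | Format-Table -AutoSize
$findings | Export-Csv .\dc-netlogon-hunt.csv -NoTypeInformation
```

Correlate the timestamps with the authentication anomalies named above (Kerberos pre-auth failures, TGT bursts, trust errors) and with firewall logs of non-DC sources reaching the DCs, since no single row here is a confirmation on its own.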
For CISOs, CVE-2026-41089 is a prompt to revisit how domain-controller patch cadence is governed. Netlogon flaws have produced the most consequential Active Directory attack surface of the past five years — Zerologon, PetitPotam, the on-prem ADCS coercion chains — and each of those incidents has demonstrated that the gap between disclosure and exploitation against DCs has shrunk, not grown. That trend is now quantified at the industry level: the Verizon 2026 DBIR found vulnerability exploitation overtook credential theft as the number-one initial-access method for the first time. The structural response is to treat domain-controller patch latency as a Tier 0 program metric that gets reported to the executive team monthly, to ensure DCs are out-of-cycle patchable inside seven days of a critical advisory, and to ensure incident-response retainers and tabletop exercises include forest-takeover scenarios. CCB has not named a threat actor responsible for the observed exploitation, and this account makes no claim about attribution.
The CyberSignal Analysis
Signal 01 — A Netlogon RCE Is a Domain-Compromise Primitive, Not a Server Bug
Most CVE coverage will report CVE-2026-41089 as 'critical Windows Server flaw,' which is technically correct and operationally insufficient. The Netlogon service is not application software running on a server — it is the protocol that defines authentication for the entire Windows domain. Code execution inside that process, on a domain controller, runs at the apex of the trust hierarchy the rest of the network is built on. It is the same architectural position that made Zerologon a five-year touchstone, and it is the reason this flaw belongs in a different priority bucket than a typical critical Patch Tuesday entry. The right framing for executives is not 'patch your servers' but 'patch your domain controllers before someone else becomes Domain Admin in your forest.' That sounds dramatic until you read the CVSS string back: network attack vector, low complexity, no authentication, code execution on a DC.
Signal 02 — 'Less Likely' Was a Vendor Snapshot, Not a Forecast
Microsoft's initial 'less likely to be exploited' rating on CVE-2026-41089 was not an error — it reflected what the vendor knew on May 12, before public reverse-engineering and AI-assisted analysis collapsed the disclosure-to-exploit window. Seventeen days later, a national cybersecurity authority is warning that the same flaw is being exploited in the wild. The lesson is not that vendor ratings are unreliable; it is that those ratings have a half-life, and the half-life is getting shorter. The defender procedure that follows from that is concrete: any critical pre-authentication RCE in a high-trust component — directory services, hypervisor, identity provider — should be patched on its severity profile, not on the vendor's exploitation-likelihood label, because that label was set before the patch was reverse-engineered. The Verizon DBIR's 2026 finding that vulnerability exploitation has overtaken credential theft as the top initial-access method is the long-form version of the same lesson.
Signal 03 — Three Pre-Auth Active-Exploitation Flaws in One Week Is the Pattern, Not the Anomaly
CVE-2026-41089 is the third pre-authentication active-exploitation disclosure inside a single week — alongside the Palo Alto GlobalProtect authentication-bypass zero-day and the FortiClient EMS flaw tied to the EKZ credential-stealer campaign. The products differ — VPN, endpoint-management, directory — but the structural shape is identical: unauthenticated network-reachable flaws in identity- and access-adjacent infrastructure, exploited before defenders finish their first patch cycle. The takeaway for security leaders is to treat 'pre-auth RCE in identity infrastructure' as its own emergency class — separate from the broader patch-management program — with its own runbook, its own paging tree, and its own seven-day deployment SLA. The cluster is not coincidence; it is the operational tempo of the 2026 attack surface, and the patch queue needs to be governed accordingly.