Critical Windows Netlogon Bug CVE-2026-41089 Now Exploited in the Wild

Attackers are now actively exploiting a critical Windows Netlogon vulnerability patched by Microsoft earlier this year, according to a warning issued by the Centre for Cybersecurity Belgium (CCB).

The flaw, tracked as CVE-2026-41089, affects Windows Server domain controllers and could allow remote code execution without authentication. Microsoft addressed the issue during its May 2026 Patch Tuesday updates, including the Windows 11 May 2026 Patch Tuesday update KB5089549, but Belgium’s cybersecurity authority says exploitation attempts are already occurring in the wild.

What Is CVE-2026-41089?

Netlogon is a core Windows Server service used in Active Directory environments to authenticate users, devices, and services across domain-based networks. Because the service operates on domain controllers, vulnerabilities affecting Netlogon can pose a major risk to enterprise infrastructure.

Microsoft assigned CVE-2026-41089 a critical CVSS 3.1 severity score of 9.8 and described it as a stack-based buffer overflow vulnerability in Windows Netlogon.

How the Vulnerability Works

According to Microsoft’s advisory, an attacker could exploit the flaw by sending a specially crafted network request to a vulnerable Windows domain controller. Successful exploitation could allow remote code execution, potentially giving attackers control over affected systems.

Importantly, the attack does not require authentication. An attacker would not need valid credentials or prior access to the environment to attempt exploitation.

The vulnerability impacts all supported Windows Server versions, including Windows Server 2025.

Belgium Warns of Active Exploitation

The Centre for Cybersecurity Belgium urged organizations to deploy patches immediately, especially on domain controllers, which should be treated as the highest priority systems due to their role in authentication and identity management.

While the Belgian agency confirmed active exploitation, it did not release technical details about the attacks or identify the threat actors involved.

Microsoft has not yet updated its own advisory to officially confirm exploitation activity.

Security experts generally consider Netlogon vulnerabilities especially dangerous because compromising a domain controller can enable attackers to move laterally across networks, escalate privileges, deploy ransomware, or steal credentials from enterprise environments.

Recommended Actions for Organizations

Organizations are advised to install the May 2026 Windows security updates as soon as possible and monitor for suspicious authentication attempts, unusual domain controller behavior, and abnormal network activity tied to Netlogon services.

In other Microsoft-related news, the company recently resolved a My Sign-Ins outage that blocked MFA setup, warned users about an ongoing GPU cryptojacking campaign spread through AI chatbot links, and explained what will happen to PCs that miss Secure Boot certificate updates.

Via BleepingComputer