– Attackers are actively exploiting CVE-2026-41089, a critical Windows Netlogon vulnerability (CVSS 9.8) patched May 12 but initially assessed by Microsoft as “exploitation less likely.”
– The exploit requires no credentials, user interaction, or prior access, giving attackers SYSTEM-level code execution on domain controllers—effectively full Active Directory domain compromise.
– The Centre for Cybersecurity Belgium issued an exploitation warning on May 29, 17 days after the patch, meaning organizations on a 30-day patch cycle are currently exposed.
– Apply the May 12 cumulative update immediately if not already deployed; isolate domain controllers from direct internet access and restrict Netlogon traffic to authenticated internal sources.
– June 9 is the next Patch Tuesday and the final update window before the June 24-27 Secure Boot certificate expiration, adding urgency to completing the May rollout.
Attackers are actively exploiting a critical Windows Netlogon vulnerability
This is a thing that Microsoft patched three weeks ago and they said it was unlikely to be exploited, but now attackers are exploiting it. The Centre for Cybersecurity Belgium issued an exploitation warning on May 29, raising the risk profile for every unpatched Windows Server environment running as a domain controller. While Microsoft stated on June 1 that it is still validating those claims and has not yet updated its MSRC portal, security teams are urged not to wait.
CVE-2026-41089 is a stack-based buffer overflow
CVE-2026-41089 is a stack-based buffer overflow in the Netlogon service with a CVSS score of 9.8. An unauthenticated remote attacker sends a crafted network request to a Windows Server acting as a domain controller. If successful, the Netlogon service mishandles the request, allowing the attacker to execute arbitrary code with SYSTEM privileges. No credentials. No user interaction. No prior access needed.
Microsoft patched CVE-2026-41089 on May 12
Microsoft patched CVE-2026-41089 on May 12 as part of its May Patch Tuesday, which addressed 138 CVEs total. Despite the 9.8 severity rating, Redmond assessed the flaw as “exploitation less likely” at the time of release. That gap between official assessment and real-world threat reports is exactly what is catching enterprise security teams off guard.
The CCB advisory came 17 days after the patch dropped
The CCB advisory came 17 days after the patch dropped. That is well within the window that many enterprise patch cycles operate. Organisations that treat Patch Tuesday updates as a 30-day rollout schedule rather than an immediate priority are currently exposed.
Domain controllers are the authentication backbone
Domain controllers are the authentication backbone of Active Directory environments. Successful exploitation of CVE-2026-41089 gives an attacker SYSTEM-level code execution on the domain controller itself, which in practice means full control of the Active Directory domain, the ability to create privileged accounts, and lateral movement across every system that authenticates against that controller.
Jack Bicer, director of vulnerability research at Action1
Jack Bicer, director of vulnerability research at Action1, flagged the flaw at patch time: “This CVE requires immediate attention. Successful attacks may lead to widespread endpoint compromise, ransomware deployment, credential harvesting, and operational disruption across corporate networks.”
- Apply the May 12 cumulative update immediately if it has not been deployed
- The fix is included in the standard Windows Server update for all supported versions
- Isolate domain controllers from direct internet exposure
- Restrict Netlogon traffic to authenticated internal sources only
- June 9 is the next Patch Tuesday and the final update window before the June 24-27 Secure Boot certificate expiration window, which adds further urgency to completing the May rollout before that date