Critical Windows Netlogon RCE Vulnerability Reportedly Exploited in Active Attacks

The Centre for Cybersecurity Belgium (CCB), Belgium’s national cybersecurity authority, has warned that threat actors are actively exploiting a recently patched critical vulnerability affecting Windows Netlogon.

Netlogon is a core Microsoft Windows Server service and Remote Procedure Call interface used to authenticate users and services in Windows domain-based environments. Because it plays a central role in domain authentication, vulnerabilities affecting Netlogon can present serious risks to enterprise networks.

The vulnerability, tracked as CVE-2026-41089, was addressed by Microsoft as part of its May 2026 Patch Tuesday updates. Microsoft described the issue as a stack-based buffer overflow in Windows Netlogon that could allow an unauthenticated attacker to achieve remote code execution on a targeted domain controller.

According to Microsoft’s advisory, an attacker could exploit the flaw by sending a specially crafted network request to a Windows server operating as a domain controller. If successful, the vulnerability could cause the Netlogon service to improperly process the request, potentially allowing the attacker to execute code on the affected system without valid credentials or prior access.

CVE-2026-41089 affects all currently supported versions of Windows Server, including Windows Server 2025. Microsoft stated that the vulnerability was discovered by its Windows Attack Research & Protection team, an internal offensive security and engineering research group.

On Friday, the CCB warned that the vulnerability is now being actively exploited in the wild and urged administrators to apply the available security updates as soon as possible.

“CVE-2026-41089 in Windows Netlogon is now actively exploited in the wild and could lead to remote code execution. CVSS 3.1: 9.8. Patch as quickly as possible,” the CCB stated.

At the time of reporting, the CCB had not provided additional technical details regarding the observed attacks. Microsoft had also not yet updated its advisory to confirm active exploitation.

Because this vulnerability affects domain controllers and can be exploited without authentication, organizations should prioritize patching immediately. Administrators should review all exposed and internal Windows Server systems, confirm that May 2026 security updates have been applied, and monitor domain controller logs for unusual authentication or Netlogon-related activity.

This advisory follows several recent Windows security disclosures, including vulnerabilities affecting BitLocker, Microsoft Defender, and privilege escalation flaws reportedly disclosed by the researcher known as “Nightmare Eclipse.” Some of those vulnerabilities have also reportedly been observed in active attacks.

Given the severity of CVE-2026-41089 and its potential impact on domain infrastructure, IT and security teams should treat this as a high-priority remediation item.