CVSS 9.8
Critical severity score for CVE-2026-41089, reflecting unauthenticated remote code execution with no user interaction required on Windows domain controllers
0 credentials required
Authentication barrier to exploiting CVE-2026-41089: attackers need only network access to a domain controller's Netlogon RPC interface to trigger SYSTEM-level code execution
Server 2008 R2 to 2025
All Windows Server versions with the Active Directory Domain Services role affected by CVE-2026-41089, covering every domain controller across the full enterprise server lifecycle
June 1, 2026
Date Belgium's Centre for Cybersecurity confirmed active exploitation of CVE-2026-41089 in the wild, 20 days after Microsoft's May Patch Tuesday patch release

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2026-41089 is a CVSS 9.8 stack-based buffer overflow in Windows Netlogon with confirmed active exploitation in the wild as of June 1, 2026, handing unauthenticated attackers SYSTEM-level remote code execution on any domain controller running Windows Server 2012 R2 through 2025.

Windows Netlogon RCE CVE-2026-41089 is a pre-authentication vulnerability in the Netlogon Remote Protocol, the service Windows domain controllers use to process authentication requests and manage domain trust operations across Active Directory environments. An attacker with network access to a domain controller's Netlogon RPC interface sends a specially crafted packet that triggers a stack-based overflow in the service's memory space. No credentials, no user interaction, and no local access are required. The vulnerability earns its CVSS 9.8 score because authentication infrastructure has no friction point between an internet-accessible exploit and SYSTEM-level code execution on the targeted server.

The blast radius defines the urgency. Domain controllers are the authentication backbone of every Windows Active Directory environment. A successful compromise gives an attacker SYSTEM-level access on the DC, the ability to extract the NTDS.dit credential database containing hashes for every domain account, the power to create or modify domain administrator accounts, and Group Policy control over every joined workstation and server in the domain. An attacker who gains a foothold on a single unpatched domain controller can own an entire organization in minutes.

Belgium's Centre for Cybersecurity (CCB) confirmed active exploitation on June 1, 2026, three weeks after Microsoft's May 2026 Patch Tuesday addressed this flaw. Proof-of-concept exploit code has been shared publicly by security researchers. Any organization operating unpatched domain controllers today is facing active attacks targeting this vulnerability right now.

How Does Windows Netlogon RCE Work?

CVE-2026-41089 is a stack-based buffer overflow in the Windows Netlogon Remote Protocol implementation, the protocol domain controllers use to process authentication requests and replicate security data between DCs. The flaw exists in the Netlogon service's handling of inbound RPC requests: a specially crafted packet with a malformed length field causes the service to write data beyond its allocated stack buffer, overwriting the return address on the call stack.

Because the Netlogon RPC interface is exposed by design on every domain controller, no authentication is required to reach the vulnerable code path. An unauthenticated attacker who can send a TCP packet to port 445 on a domain controller has everything needed to trigger the overflow. Microsoft's Windows Attack Research and Protection (WARP) team discovered the flaw internally, meaning no external researcher disclosed a weaponizable technique before the patch, but the flaw's location in the well-understood MS-NRPC protocol made exploitation practical once the patch was reversed by the research community.

The "0-click" designation reflects the absence of any required victim interaction. Traditional network-based vulnerabilities often require a privileged account to connect first, or a user to click a malicious link. CVE-2026-41089 requires neither. An attacker targeting a domain controller sends a crafted Netlogon RPC packet and receives a SYSTEM shell in return.

Microsoft's internal security team confirmed that remote code execution is achievable before public disclosure, explaining the Critical designation and the decision to patch in May 2026 Patch Tuesday, which addressed 138 total vulnerabilities. For organizations that need to understand how attackers chain vulnerabilities to reach domain controllers in multi-step intrusions, see the CVE-2026-41091 Microsoft Defender zero-day patch advisory, which documents how privilege escalation flaws serve as stepping stones toward AD compromise. CVE-2026-41089 eliminates those stepping stones entirely.

Which Windows Server Versions Are Affected by CVE-2026-41089?

CVE-2026-41089 affects every currently supported version of Windows Server that can be configured as a domain controller, from Windows Server 2008 R2 through Windows Server 2025. The affected component is the Netlogon service present in all Windows Server Standard and Datacenter editions across all supported release channels.

Microsoft released patches for all supported versions in the May 2026 Patch Tuesday update cycle. Domain controllers running Windows Server 2022 should install KB5058411; Server 2025 DCs should install KB5058385. For Windows Server 2019, 2016, and 2012 R2 systems, the corresponding cumulative updates from May 2026 include the Netlogon fix. ACROS Security (0patch) released micropatches for legacy Server 2008 R2 systems under Extended Security Updates where Microsoft's full update cycle cannot be applied immediately.

Non-domain controller servers running Windows Server are not directly exploitable via CVE-2026-41089 in the same way. The vulnerable attack surface is specific to servers with the Active Directory Domain Services role enabled. Read-only domain controllers (RODCs) are also in scope: while they cannot originate domain-wide changes, a compromised RODC gives an attacker an authenticated foothold and full visibility into domain topology.

Organizations with multiple domain controllers across geographically distributed sites face compounded risk: Active Directory replication means a compromise of a single unpatched DC can propagate malicious changes to all other DCs in the domain within minutes. Half-patched Active Directory forests are not a defensible posture for a pre-authentication domain controller exploit.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Who Is Exploiting CVE-2026-41089 Right Now?

Belgium's Centre for Cybersecurity (CCB) updated its May 2026 Patch Tuesday advisory on May 29, 2026, confirming that attackers are actively exploiting CVE-2026-41089 in the wild. No specific threat actor group has been publicly attributed at the time of this writing, which is consistent with early-stage exploitation where multiple actors independently develop capabilities after reversing the security patch.

The exploitation timeline follows a pattern seen repeatedly across 2026: Microsoft patches a critical vulnerability in Patch Tuesday, proof-of-concept code appears on security research platforms within days, and active exploitation targeting unpatched internet-connected systems begins within two to three weeks of the patch release. CVE-2026-41089 followed this pattern exactly. The Belgian national cybersecurity authority's advisory marks formal public acknowledgment that both opportunistic scanning and targeted exploitation are underway.

The exploit profile makes this vulnerability particularly valuable to ransomware affiliates and initial access brokers operating in 2026. A 0-click pre-authentication RCE against a domain controller eliminates the phishing, credential theft, and lateral movement stages that normally precede Active Directory compromise. An attacker who reaches a vulnerable DC over the network completes what would otherwise be a multi-week intrusion chain in a single exploit step.

The CCB advisory recommends that organizations force MFA for administrator sessions, segment networks to restrict Netlogon RPC access to authorized source addresses, monitor Netlogon RPC activity for anomalous traffic patterns, and test patches in a lab before wide rollout. Given confirmed active exploitation, the lab testing window should be measured in hours, not days.

Attackers are now actively exploiting the CVE-2026-41089 security flaw in the wild.

Centre for Cybersecurity Belgium (CCB), June 1, 2026

Indicators of Compromise: Signs Your Domain Controller Was Targeted

No threat-actor-specific IOCs such as infrastructure IPs, malicious domains, or file hashes have been publicly released as of June 2, 2026, which reflects the early stage of attribution reporting for this exploitation campaign. Security teams should focus on behavioral detection rather than signature-based IOC matching for CVE-2026-41089.

Review the Windows Event Viewer System log on each domain controller for Event ID 7031 or 7034, which indicate the Netlogon service crashed or restarted unexpectedly. On a healthy, unattacked domain controller the Netlogon service runs continuously without restarts. Unexpected crashes immediately preceding or following anomalous inbound network activity are a strong exploitation indicator.

Network-layer detection should alert on inbound Netlogon RPC connections from source IP addresses outside the known domain controller subnet range. The Netlogon service should only receive connections from domain members and other DCs, not arbitrary internet or DMZ addresses. Any non-DC source initiating Netlogon RPC sessions warrants immediate investigation.

Post-exploitation indicators include new domain administrator account creation captured in Windows Security Event IDs 4720 and 4728 in combination, unexpected process execution under the SYSTEM account on a domain controller captured in Event ID 4688, and Group Policy modifications that were not initiated through authorized change management channels. Security teams running a SIEM should create detection rules for these event combinations today.

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

How to Patch CVE-2026-41089 on Domain Controllers Before End of Day

The only confirmed effective remediation for CVE-2026-41089 is applying Microsoft's May 2026 Patch Tuesday cumulative updates to every domain controller in the same maintenance window. Patching some DCs while leaving others unpatched is not a defensible posture for a pre-authentication DC vulnerability: AD replication means an attacker who compromises a single unpatched DC can propagate malicious changes to patched DCs through normal domain replication within minutes.

For organizations that cannot patch today due to change management requirements, an emergency mitigating control is available: restrict inbound connections to TCP port 445 on domain controllers using Windows Firewall host-based rules, limiting Netlogon RPC access to source IP addresses in the known domain controller subnet only. This reduces the attack surface but is not a substitute for patching and must be treated as a 24-hour bridge control.

Organizations running Windows Server versions not covered by Microsoft's standard patch cycle should check ACROS Security's 0patch platform for micropatches covering legacy Server 2008 R2 and 2012 systems under Extended Security Updates. For additional context on the current Windows vulnerability landscape, see the BlueHammer RedSun Windows LPE zero-day weekly roundup for the prior wave of active Microsoft exploits.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Why Windows Netlogon RCE CVE-2026-41089 Matters for Your Organization

CVE-2026-41089 does not affect one application or one department's data. Active Directory is the identity fabric that every other system in the network authenticates against. A successful domain controller compromise grants an attacker control over the entire organization's identity infrastructure, not just one server.

The attack path comparison clarifies the risk magnitude. Most ransomware intrusions in 2026 require phishing a user to gain initial access, running privilege escalation tooling to reach an admin account, moving laterally through the network, and then targeting a domain controller as the final objective. CVE-2026-41089 eliminates every step except the initial network access. An attacker with reachability to a domain controller completes what would otherwise be a multi-week intrusion chain in a single exploit packet.

This vulnerability also highlights a structural risk in many organizations' patch management practices: endpoint and web application patches are applied within days of release, but domain controller patching runs on longer validation cycles out of caution for AD stability. That caution is understandable for routine patches, but CVSS 9.8 pre-authentication domain controller RCEs with confirmed active exploitation require the same emergency response timeline as internet-exposed application vulnerabilities. The May 2026 Patch Tuesday update addressing this flaw has been available for three weeks. Any DC still unpatched today is running a known-exploitable configuration against confirmed active attackers.

Belgium's CCB advisory and BleepingComputer's coverage both confirm exploitation is no longer theoretical. The combination of publicly available proof-of-concept code and confirmed attacker activity means every day without the patch is a day of measurable exposure. For organizations with distributed AD forests, every unpatched DC in every site is an independent entry point into the same domain. Patch them all before end of day.

The bottom line

Windows Netlogon RCE CVE-2026-41089 with CVSS 9.8 is actively exploited against domain controllers running Windows Server 2012 R2 through 2025 as of June 1, 2026. Three key facts: it requires zero authentication, it targets the authentication backbone of every Windows network, and patches have been available since May 12, 2026. The one concrete action for today: run Get-ADDomainController -Filter * to enumerate every DC in your environment, confirm KB5058411 (Server 2022) or KB5058385 (Server 2025) is installed on each one, and deploy the May 2026 cumulative update to any DC that is missing the patch before end of business.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is CVE-2026-41089?

CVE-2026-41089 is a critical stack-based buffer overflow in the Windows Netlogon Remote Protocol with a CVSS score of 9.8. The flaw allows an unauthenticated attacker with network access to a domain controller to achieve SYSTEM-level remote code execution by sending a specially crafted Netlogon RPC request. All Windows Server versions from 2008 R2 through 2025 are affected. Microsoft patched this in May 2026 Patch Tuesday, and Belgium's Centre for Cybersecurity confirmed active exploitation in the wild on June 1, 2026.

How does CVE-2026-41089 exploit the Windows Netlogon service?

CVE-2026-41089 exploits a stack-based buffer overflow in the Netlogon RPC handler on domain controllers. A crafted Netlogon request supplies a value larger than the fixed-size stack buffer, overwriting the stack return address with attacker-controlled data. When the vulnerable function returns, execution jumps to the attacker's code. The Netlogon RPC interface is exposed by design on every domain controller, so no prior authentication, local access, or user interaction is needed to trigger the overflow and achieve SYSTEM-level code execution.

Which Windows Server versions are affected by CVE-2026-41089?

CVE-2026-41089 affects all Windows Server versions that can act as a domain controller: Server 2008 R2, 2012, 2012 R2, 2016, 2019, 2022, and 2025, in Standard and Datacenter editions. The vulnerability is in the Netlogon service present in all editions. Servers not running the Active Directory Domain Services role are not directly exploitable via this path, but any server with the ADDS role enabled, including read-only domain controllers, is in scope.

Is CVE-2026-41089 patched by Microsoft?

Yes. Microsoft released patches for all affected Windows Server versions in the May 2026 Patch Tuesday cycle on May 12, 2026. Windows Server 2022 domain controllers should install KB5058411; Server 2025 DCs should install KB5058385. Server 2019, 2016, and 2012 R2 updates are available via Microsoft Update Catalog. ACROS Security released 0patch micropatches for legacy Server 2008 R2. Verify installation on each DC by running Get-HotFix in PowerShell and confirming the appropriate KB number is present.

Does CVE-2026-41089 require authentication or user interaction to exploit?

No. CVE-2026-41089 is a pre-authentication, 0-click vulnerability. It requires no credentials, no user interaction, and no local access on the target domain controller. The only prerequisite is network reachability to the domain controller's Netlogon RPC service on TCP port 445 or the RPC endpoint mapper on port 135. This is why the vulnerability received a CVSS 9.8 score: the attack path is a single crafted network packet from any reachable source to SYSTEM-level code execution on the targeted DC.

How can I detect active exploitation of CVE-2026-41089 on my domain controllers?

Detection relies on behavioral indicators because no public threat-actor IOCs are available. Monitor for Windows Event ID 7031 or 7034 indicating Netlogon service crash or restart in System logs, Event ID 4688 showing unexpected SYSTEM-context processes on a DC, and Event IDs 4720 plus 4728 indicating new domain admin account creation without authorized change records. Network-layer monitoring should alert on Netlogon RPC connections from source IPs outside the known DC subnet. Create SIEM rules for these event combinations immediately.

What is the blast radius if a domain controller is compromised via CVE-2026-41089?

A successful compromise via CVE-2026-41089 gives the attacker SYSTEM-level access on the domain controller and full administrative control over the Active Directory domain. The attacker can extract the NTDS.dit database containing password hashes for every domain account, create or modify domain administrator accounts, push malicious Group Policy Objects to every joined workstation and server, disable endpoint security controls domain-wide, and replicate their access to other DCs through normal AD replication. A single compromised DC leads to full domain compromise within minutes.

Is CVE-2026-41089 in the CISA Known Exploited Vulnerabilities catalog?

CISA KEV catalog status for CVE-2026-41089 has not been publicly confirmed as of June 2, 2026. However, Belgium's Centre for Cybersecurity confirmed active exploitation on June 1, 2026, and CISA typically adds vulnerabilities to the KEV catalog within 48 to 72 hours of confirmed exploitation reports from national cybersecurity authorities. Organizations should treat a CISA KEV addition as imminent and apply the May 2026 Patch Tuesday updates to all domain controllers immediately without waiting for the formal catalog update.

Sources & references

  1. BleepingComputer, Critical Windows Netlogon RCE flaw now exploited in attacks
  2. Help Net Security, Windows Netlogon RCE exploited, domain controllers at risk
  3. CyberSecurityNews, Windows Netlogon 0-Click RCE Vulnerability Now Actively Exploited
  4. The Hacker News, Microsoft Patches 138 Vulnerabilities Including DNS and Netlogon RCE Flaws

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.