Critical Windows Netlogon RCE flaw now exploited in attacks

Author: Sergiu Gatlan
Published: June 1, 2026
Source: https://www.bleepingcomputer.com/news/microsoft/critical-windows-netlogon-remote-code-execution-flaw-now-exploited-in-attacks/

Summary

BleepingComputer reports that CVE-2026-41089, a critical remote code execution vulnerability in the Windows Netlogon RPC interface, is now being exploited in attacks according to Belgium’s Centre for Cybersecurity (CCB). Rated CVSS 9.8, the flaw affects Windows servers acting as domain controllers and can be triggered by an unauthenticated attacker over the network. Microsoft patched it during the May 2026 Patch Tuesday. Notably, the two sources disagree on exploitation: the CCB confirmed active exploitation in the wild as of June 1, 2026 based on information from trusted partners, while Microsoft stated it had no evidence to support active exploitation but still urged immediate patching.

Technical Details

According to the article, CVE-2026-41089 is a stack-based buffer overflow in the Windows Netlogon RPC interface, triggered by a specially crafted network request that the domain controller fails to handle correctly. Because the Netlogon RPC server is only offered by domain controllers, those are the exposed hosts: an attacker who can reach the interface can send the request and potentially run code on the DC without signing in or having any prior access, i.e. unauthenticated, network-based remote code execution. The vulnerability was discovered internally by Microsoft's WARP team. The article includes no proof-of-concept or exploit-chain details, and none are reproduced here.

CVE: CVE-2026-41089.
CVSS: 9.8 (critical).
Affected: all currently supported Windows Server versions, including Windows Server 2025, receive the fix. The report frames the exposed population as servers acting as domain controllers, since only DCs run the Netlogon RPC server; member servers on the same versions still need the update but are not the target the report describes.

Impact

Successful exploitation gives an unauthenticated remote attacker code execution on a domain controller. On a DC the Netlogon service runs inside the LSASS process as SYSTEM, so the realistic outcome is full control of the DC and, through it, of the domain. On exploitation status the two sources differ, as noted in the Summary: the CCB reported active exploitation in the wild as of June 1, 2026, citing information from trusted partners, while Microsoft said it had no evidence of active exploitation. The source names no threat actor.

Mitigation

Microsoft fixed CVE-2026-41089 in the May 2026 Patch Tuesday release (May 12, 2026); installing that update on every domain controller is the remediation, and both Microsoft and the CCB urge doing so immediately. Given the unauthenticated, network-reachable nature of the flaw, DCs should be patched first, ahead of the rest of the monthly cycle. The article names no KB number and no workaround beyond applying the May 2026 updates, so take the KB and fixed build numbers for each OS version from Microsoft's advisory for the CVE and verify them on each DC rather than assuming the rollout completed. Until every DC is patched, keeping DC RPC and SMB endpoints unreachable from untrusted networks limits exposure, but it is not a substitute for the fix.
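The following PowerShell script is added here as a worked example of that verification step; it is not code from the BleepingComputer article or from Microsoft. It inventories the domain controllers in the current domain, reads each one's OS build and installed-update list over WinRM, and reports which DCs lack the fix. Because the article gives no KB identifier, the KB ID(s) are a mandatory parameter you supply from Microsoft's advisory for your OS versions; the default Patch Tuesday date (2026-05-12), the registry path used for the build number, the reliance on Get-HotFix and the requirement for the RSAT ActiveDirectory module and WinRM access to the DCs are all assumptions about the environment.

```powershell
<#
  Added example (not code from the BleepingComputer article or from Microsoft).
  Reports which domain controllers carry the May 2026 update for CVE-2026-41089.
  The KB ID(s) are NOT in the article: pass the value(s) from Microsoft's advisory.
  Assumes: RSAT ActiveDirectory module locally, WinRM reachable on every DC,
  and that Get-HotFix lists the cumulative update by its KB ID.
  Usage:  .\Check-NetlogonPatch.ps1 -KBArticleIds 'KB<id from advisory>'
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [string[]]$KBArticleIds,                          # e.g. one KB per OS version, from the advisory
    [datetime]$PatchTuesday = [datetime]'2026-05-12'  # second Tuesday of May 2026 (assumed)
)

Import-Module ActiveDirectory

# Every DC in the current domain runs the Netlogon RPC server and is therefore a target.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    try {
        # Collect the OS build (CurrentBuildNumber.UBR) and the installed-update list on the DC itself.
        $facts = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
            $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
            [pscustomobject]@{
                Build    = '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR
                HotFixes = @(Get-HotFix | Select-Object HotFixID, InstalledOn)
            }
        }

        $hasFix   = [bool]($facts.HotFixes | Where-Object { $KBArticleIds -contains $_.HotFixID })
        $sinceMay = [bool]($facts.HotFixes | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday })

        # A DC updated after Patch Tuesday but without the named KB still needs a manual
        # comparison of Build against the fixed build in the advisory (KB IDs differ per OS).
        $status = if ($hasFix) { 'Patched' } elseif ($sinceMay) { 'Updated since 2026-05-12, confirm build' } else { 'MISSING' }

        [pscustomobject]@{ DomainController = $dc; Build = $facts.Build; HasFixKB = $hasFix; Status = $status }
    }
    catch {
        # Unreachable DCs are reported rather than silently skipped; an unknown state is not "patched".
        [pscustomobject]@{ DomainController = $dc; Build = $null; HasFixKB = $null; Status = "Unreachable: $($_.Exception.Message)" }
    }
}

$report | Sort-Object Status | Format-Table -AutoSize

# Non-zero exit so a scheduled run can alert on an unpatched DC.
if ($report | Where-Object { $_.Status -eq 'MISSING' }) { exit 1 }
```

Get-HotFix reads Win32_QuickFixEngineering, which normally lists the monthly cumulative update under its KB ID but can lag or omit entries, which is why the script also prints the Build column for comparison against the fixed build number in the advisory. Treat "Unreachable" rows as unpatched until proven otherwise.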
