
CVE-2026-41089: the Netlogon RCE is now hitting domain controllers

Microsoft patched CVE-2026-41089 in the Patch Tuesday update released on May 12, 2026. It sits in Netlogon, the service domain controllers use to authenticate machines and users inside Active Directory. It carries a CVSS score of 9.8 out of 10, and within weeks it stopped being a theoretical risk: the Centre for Cybersecurity Belgium warned that it was already being used in real attacks against domain controllers.

What actually breaks

The flaw is a stack-based buffer overflow in Netlogon. An attacker sends a specially crafted request over the network to a server acting as a domain controller; the overflow lets them overwrite stack memory and, from there, run code of their choosing.

What makes it nasty is what you don’t need to pull it off. No credentials, no account, no prior sign-in. You just need to reach the Netlogon service over the network. Get that far and you can end up executing code with SYSTEM privileges, which on a domain controller means control over the whole Active Directory domain: users, machines, policies and credentials.

Who it affects

All supported Windows Server versions acting as a domain controller, including Windows Server 2025. The role is what matters here, not so much the edition: a domain controller exposes Netlogon by design, so the service is sitting there listening.

In most networks domain controllers shouldn’t be reachable from the internet, which cuts the risk of a purely external attack. The real danger is lateral movement. For an attacker who has already landed on any machine on the internal network — a laptop compromised through phishing, say — this flaw is a way to jump straight to the domain controller and grab the keys to the kingdom.

Severity and exploitation

The bug was found by Microsoft’s own offensive team (Windows Attack Research & Protection), not an outside actor, so the patch shipped before there was any known public exploitation. That changed in late May 2026, when the Centre for Cybersecurity Belgium confirmed, based on warnings from trusted partners, that the vulnerability was already being exploited against domain controllers.

The combination is what worries people: remote, unauthenticated, CVSS 9.8, full domain control and confirmed active exploitation. Given how Netlogon works and the track record of similar flaws in this service (Zerologon, CVE-2020-1472, also lived in Netlogon and was exploited in the wild within weeks of its patch), treat it as top priority.

How to protect yourself

Apply the May 2026 security updates to every domain controller, not just most of them: an attacker only needs one unpatched controller, and any domain controller can be used to change the directory for the whole domain. Verify that the update is actually installed on each one rather than assuming the deployment tooling did it.

While you roll out the patches, check that domain controllers aren't reachable from networks that don't need to talk to them. Netlogon is an RPC interface that clients reach over the \PIPE\NETLOGON named pipe on SMB (TCP 445) and over dynamic RPC ports brokered by the endpoint mapper (TCP 135), so those are the paths to scope. Review logs for unusual requests to the service, especially if your network has already shown signs of intrusion; Netlogon's own debug log (enabled with nltest /dbflag:0x2080ffff and written to %SystemRoot%\debug\netlogon.log) records which clients set up secure channels and authenticate through it.
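The two checks above, inventorying the patch state of every domain controller and seeing which of them expose Netlogon's transports to the host you run it from, as an added PowerShell example that is not from the original article or from Microsoft. It assumes the ActiveDirectory RSAT module is installed, that you have rights to query hotfixes remotely, and that $KbId is the KB number of the May 2026 update for the DC's OS version, which the page does not give and which you take from Microsoft's advisory for CVE-2026-41089.

```powershell
# Added example, not from the article. Lists every DC in the domain, checks whether the
# CVE-2026-41089 update (KB number supplied by you, from Microsoft's advisory) is installed,
# and tests whether Netlogon's transports are reachable from the machine running the script.
param(
    # Assumption: the KB id of the May 2026 update for your DCs' OS build; the page names none.
    [Parameter(Mandatory)] [string] $KbId
)

Import-Module ActiveDirectory

# Netlogon is reached over the \PIPE\NETLOGON named pipe (SMB, TCP 445) and over dynamic
# RPC ports brokered by the endpoint mapper (TCP 135). If neither is reachable from this
# network segment, an attacker sitting here cannot hit the bug from here either.
$NetlogonPorts = 445, 135

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $dcName = $dc.HostName

    # Patch state: $true = KB present, $false = KB absent, $null = could not query (follow up).
    $patched = $null
    try {
        $installed = (Get-HotFix -ComputerName $dcName -ErrorAction Stop).HotFixID
        $patched = [bool]($installed -contains $KbId)
    } catch {
        Write-Warning "$dcName : could not query hotfixes ($($_.Exception.Message))"
    }

    # Which Netlogon transports answer from here? Test-NetConnection does a plain TCP connect.
    $open = foreach ($port in $NetlogonPorts) {
        $tnc = Test-NetConnection -ComputerName $dcName -Port $port -WarningAction SilentlyContinue
        if ($tnc.TcpTestSucceeded) { $port }
    }

    [pscustomobject]@{
        DomainController  = $dcName
        OperatingSystem   = $dc.OperatingSystem
        Site              = $dc.Site
        Patched           = $patched
        NetlogonPortsOpen = ($open -join ',')
    }
}

$report | Sort-Object Patched | Format-Table -AutoSize

# A DC that is unpatched (or of unknown state) and reachable from this segment is the one
# an attacker who lands on a host here would go for first.
$report |
    Where-Object { $_.Patched -ne $true -and $_.NetlogonPortsOpen } |
    ForEach-Object { Write-Warning "$($_.DomainController): not confirmed patched and Netlogon reachable from here" }
```

Run it from a representative workstation VLAN rather than from a management host: the point of the reachability column is to show what an attacker on an ordinary user segment can touch, and a DC that only a jump host can reach is a much smaller problem than one every laptop can reach. A $null patch state means the query failed, not that the DC is fine; chase those by hand.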

If you run a Windows Server environment with Active Directory, this flaw fits the pattern of other recently exploited bugs in server roles, such as the privilege escalation to SYSTEM in Remote Desktop Services (CVE-2026-21533). Keeping your patch cadence current is still the most effective defence.
