A critical vulnerability in the Windows Netlogon service, tracked as CVE-2026-41089, is now being actively exploited in the wild. The flaw affects Windows Server systems functioning as domain controllers and carries a CVSS score of 9.8. Successful exploitation allows an attacker to execute arbitrary code with SYSTEM privileges without needing credentials, user interaction, or prior network access.
Microsoft addressed the issue on May 12 as part of its monthly Patch Tuesday release, which patched a total of 138 CVEs. Initially, the company rated the likelihood of exploitation as low. But on May 29, Belgium's Cybersecurity Center warned of active attacks, and by June 1, Microsoft confirmed it was still investigating the reports and had not yet updated the MSRC portal.
The severity of CVE-2026-41089 stems from the critical role domain controllers play in Active Directory. Netlogon handles essential authentication mechanisms, and compromising a domain controller effectively hands an attacker full control over the entire domain environment. This can lead to the creation of privileged accounts, data theft, ransomware deployment, and lateral movement across the corporate network.
The vulnerability is a stack-based buffer overflow. An attacker simply sends a specially crafted network request to a domain controller. If the system hasn't been updated, the Netlogon service may mishandle the request, allowing code execution with maximum system privileges.
Experts urge organizations not to wait for further confirmation and to apply the May 12 cumulative Windows Server update immediately if it has not already been deployed. They also recommend restricting access to domain controllers from external networks and allowing Netlogon traffic only from trusted internal sources. For companies that routinely delay patching by 30 days, this vulnerability is especially dangerous: the window between the patch release and the first reports of exploitation has already proven alarmingly short.
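The two mitigations above (confirm the May 12 update is installed; let Netlogon be reached only from trusted internal sources) can be audited and applied on a domain controller from PowerShell. The script below is an added example, not code from the article or from Microsoft. It assumes: the KB number of the May 12 cumulative update (the article does not give it, so `$UpdateKb` is a placeholder), the trusted subnet list (`$TrustedSubnets`, also a placeholder), and the built-in inbound firewall rule groups that carry RPC and SMB traffic on a Windows Server DC (`Active Directory Domain Services`, `File and Printer Sharing`); verify those names on the host before enforcing. By default it only reports; pass `-Enforce` to scope the rules.

```powershell
<#
  Added example (not from the article). Audits a domain controller for the
  May 12 cumulative update and restricts the inbound rules that carry Netlogon
  RPC (endpoint mapper TCP/135, dynamic RPC ports, and the NETLOGON named pipe
  over SMB TCP/445) to trusted internal subnets.
  $UpdateKb, $TrustedSubnets and the rule group names are assumptions to verify.
#>
param(
    [string]$UpdateKb = 'KB0000000',                                 # placeholder: May 12 cumulative update
    [string[]]$TrustedSubnets = @('10.0.0.0/8', '192.168.0.0/16'),   # placeholder: trusted internal ranges
    [switch]$Enforce                                                 # default is audit-only
)

# Only domain controllers are affected. Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -lt 4) {
    Write-Output "Not a domain controller (DomainRole=$role); nothing to do."
    return
}

# 1. Patch status: the cumulative update shows up as an installed hotfix with its KB id.
$patch = Get-HotFix -Id $UpdateKb -ErrorAction SilentlyContinue
if ($patch) {
    Write-Output "$UpdateKb is installed (InstalledOn=$($patch.InstalledOn))."
} else {
    Write-Warning "$UpdateKb is NOT installed. Apply the May 12 cumulative update first; firewall scoping is a stopgap."
}

# 2. Default inbound action: scoping allow rules only helps if unmatched traffic is blocked.
$domainProfile = Get-NetFirewallProfile -Name Domain
if ($domainProfile.DefaultInboundAction -ne 'Block') {
    Write-Warning "Domain profile DefaultInboundAction is '$($domainProfile.DefaultInboundAction)', expected 'Block'."
    if ($Enforce) { Set-NetFirewallProfile -Name Domain -DefaultInboundAction Block }
}

# 3. Scope the DC's inbound RPC/SMB rules to trusted subnets. Windows Firewall has no
#    "not these addresses" match and block rules beat allow rules, so the reliable way to
#    restrict sources is to narrow -RemoteAddress on the allow rules themselves.
#    Assumed built-in group names; check with: Get-NetFirewallRule -Direction Inbound | Group-Object DisplayGroup
$groups = @('Active Directory Domain Services', 'File and Printer Sharing')
foreach ($group in $groups) {
    $rules = Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    if (-not $rules) {
        Write-Warning "Rule group '$group' not found on this host; confirm the group name before enforcing."
        continue
    }
    foreach ($rule in $rules) {
        $current = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        if ($current -contains 'Any') {
            Write-Warning "'$($rule.DisplayName)' accepts inbound traffic from Any remote address."
            if ($Enforce) {
                $rule | Set-NetFirewallRule -RemoteAddress $TrustedSubnets
                Write-Output "Scoped '$($rule.DisplayName)' to: $($TrustedSubnets -join ', ')"
            }
        } else {
            Write-Output "'$($rule.DisplayName)' already scoped to: $($current -join ', ')"
        }
    }
}
```

Run it first without `-Enforce` to see which rules still accept traffic from `Any` and whether the update is present; only then re-run with `-Enforce`. Scoping is applied per rule through `Set-NetFirewallRule -RemoteAddress`, which keeps the built-in rules intact rather than adding a competing block rule that would also cut off legitimate replication and logon traffic. Note that scoping the `File and Printer Sharing` group also limits SMB access to the SYSVOL and NETLOGON shares, so the trusted list must cover every subnet from which clients and other DCs authenticate.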