Breaking: Windows Netlogon RCE Actively Exploited — Domain Controllers at Risk — 10 June 2026
CVE-2026-41089, a critical remote code execution vulnerability in Windows Netlogon (CVSS 9.8), is now being actively exploited in the wild. Belgium's Centre for Cybersecurity (CCB) issued a public warning on Friday confirming in-the-wild exploitation and urging immediate patching of domain controllers.
Netlogon is the core Windows Server service responsible for authenticating users and computers in Active Directory domain environments. The vulnerability is a stack-based buffer overflow that allows an unauthenticated attacker on the network to execute arbitrary code with SYSTEM privileges on domain controllers. SYSTEM on a DC means full control of the entire domain: all accounts, Group Policy, trust relationships, and Kerberos keys.
Microsoft patched this in the May 2026 Patch Tuesday (KB updates for all supported Windows Server versions, including Server 2025). But many organisations have not yet applied those patches, and the window between Patch Tuesday and active exploitation has now closed. The CCB's advisory states the information came from "trusted partners," and while Microsoft told BleepingComputer it has no evidence of exploitation, the Belgian national authority considered the threat credible enough to issue a public warning.
This is not a theoretical risk. A domain controller under attacker control is the worst-case scenario for any Active Directory environment: it enables Golden Ticket attacks, persistent backdoors, full data exfiltration, and lateral movement to every system in the domain. Patching domain controllers is operationally sensitive, but the alternative is accepting domain-wide compromise.
Context
This is the latest escalation in a sustained wave of VPN and perimeter exploitation. The same week saw active exploitation of Check Point VPN (CVE-2026-50751, CVSS 9.3, Qilin ransomware) and the addition of multiple critical entries to the CISA KEV catalog. The threat actor behind the Check Point exploitation is assessed as likely exploiting Palo Alto, Fortinet, and F5 VPN vulnerabilities as well.
CVE-2026-41089 is also part of a pattern of Microsoft zero-day and near-zero-day disclosure by researcher "Nightmare Eclipse," who has been publicly releasing proof-of-concept exploits for Windows vulnerabilities including BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), GreenPlasma (CVE-2026-45586), YellowKey (CVE-2026-45585), and UnDefend (CVE-2026-45498). Several of these are now under active exploitation. No PoC has been published for CVE-2026-41089 yet, but the barrier to weaponisation for a Netlogon stack overflow is low for experienced attackers.
Also This Week: Cisco Unified CM
Cisco patched CVE-2026-20230, a critical SSRF-to-root vulnerability in Unified Communications Manager (CVSS 8.6 base, but Cisco rates it Critical due to full root escalation). A proof-of-concept exploit is already public. The flaw requires WebDialer to be enabled (off by default), but any deployment with it active is at immediate risk. Unified CM has a history of critical unauthenticated flaws, including a hard-coded root SSH account patched last year (CVE-2025-20309, CVSS 10). For the 15.x train, the full fix is not due until September, leaving organisations on interim patches for months with a public PoC available.
So What / Action
Patch domain controllers now. The May 2026 Patch Tuesday fixes for CVE-2026-41089 are the only remediation. If you cannot patch immediately, restrict Netlogon RPC access at the network level (block TCP 135 and dynamic RPC ports from untrusted networks) and enforce RPC signing. Check domain controller logs for anomalous Netlogon activity. If you are running Cisco Unified CM with WebDialer enabled, disable it immediately or apply the 14SU6 patch. Assume that any delay in patching DCs will be exploited.
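A defender-side audit a DC administrator could run against the action items above, added here as an example and not taken from the CCB advisory or from Microsoft: it confirms the May 2026 update is present (the KB number is a placeholder to fill in from Microsoft's advisory for CVE-2026-41089), reads the documented Netlogon secure-channel signing/sealing registry values (my reading of "enforce RPC signing"), lists enabled inbound firewall rules touching TCP 135, and pulls recent NETLOGON errors and warnings from the System log for review.

```powershell
# Added example (not from the CCB advisory or Microsoft). Run elevated on a domain controller.
# Placeholder: take the KB for your Server version from the Microsoft Security Update Guide.
$PatchKB = 'KB<MAY-2026-UPDATE-FOR-YOUR-OS>'

# 1. Is the May 2026 update that fixes CVE-2026-41089 installed?
$installed = Get-HotFix | Where-Object { $_.HotFixID -eq $PatchKB }
if ($installed) { "OK  : $PatchKB installed on $($installed.InstalledOn)" }
else            { "FAIL: $PatchKB not installed - patch this DC" }

# 2. Netlogon secure-channel signing/sealing (assumed mapping of 'enforce RPC signing').
#    Documented Netlogon service parameters; a value of 1 means enforced.
$nl = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
foreach ($name in 'RequireSignOrSeal', 'SealSecureChannel', 'SignSecureChannel') {
    $v = (Get-ItemProperty -Path $nl -Name $name -ErrorAction SilentlyContinue).$name
    $shown = if ($null -eq $v) { '<not set>' } else { $v }
    $state = if ($v -eq 1) { 'OK  ' } else { 'WARN' }
    "$state: $name = $shown"
}

# 3. Exposure of the RPC endpoint mapper (TCP 135): listener addresses and
#    enabled inbound firewall rules that reference port 135.
$epm = Get-NetTCPConnection -LocalPort 135 -State Listen -ErrorAction SilentlyContinue
"INFO: TCP 135 listening on: $(($epm.LocalAddress | Sort-Object -Unique) -join ', ')"
Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq '135' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Action, Profile, RemoteAddress |
    Format-Table -AutoSize

# 4. NETLOGON errors and warnings from the last 24 hours for manual review.
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        StartTime    = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap
```

Review the step 3 output against your own notion of trusted networks; the script only lists what is configured, it does not judge it.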