Threat actors are exploiting a critical-severity Windows Netlogon vulnerability for remote code execution, Centre for Cybersecurity Belgium (CCB) warns.
Tracked as CVE-2026-41089 (CVSS score of 9.8), the security defect was publicly disclosed on May 12, when Microsoft patched it along with 136 other bugs as part of its Patch Tuesday security updates.
According to Redmond’s advisory, the flaw is a stack-based buffer overflow issue that could be exploited via crafted network requests.
Unauthenticated attackers can exploit the security weakness by targeting a Windows server acting as a domain controller, Microsoft’s advisory revealed.
“If successful, this could cause the Netlogon service to improperly handle the request, potentially allowing the attacker to run code on the affected system without needing to sign in or have prior access,” the advisory reads.
Roughly a dozen of the vulnerabilities Microsoft resolved with the May 2026 Patch Tuesday updates were flagged as likely to be exploited in attacks, but CVE-2026-41089 was not one of them.
On Friday, CCB warned that threat actors have been actively exploiting the security defect in the wild, urging immediate patching.
“It is now actively exploited in the wild,” CCB notes, explaining that remote attackers could leverage it to execute arbitrary code with System privileges.
At the time of publication, there have been no other reports of the vulnerability being exploited in attacks, and Microsoft has not updated its advisory to flag the exploitation. SecurityWeek has emailed the company for a statement and will update this article if it responds.
Organizations are advised to patch CVE-2026-41089 as soon as possible, given its severity, the potential ongoing exploitation, and Windows Netlogon’s history of being in attackers’ crosshairs.
The Netlogon service is a core background service that handles authentication on domain-based networks, and critical bugs in it can give attackers control over the domain controller and the machines that authenticate through it.
