Vulnerabilities

Critical Windows Netlogon Vulnerability in Attackers’ Crosshairs

Organizations are advised to patch CVE-2026-41089 as soon as possible, given its severity, the potential ongoing exploitation.

Organizations are advised to patch CVE-2026-41089 as soon as possible, given its severity, the potential ongoing exploitation.

Threat actors are exploiting a critical-severity Windows Netlogon vulnerability for remote code execution, Centre for Cybersecurity Belgium (CCB) warns.

Tracked as CVE-2026-41089 (CVSS score of 9.8), the security defect was publicly disclosed on May 12, when Microsoft patched it along with 136 other bugs as part of its Patch Tuesday security updates.

According to Redmond’s advisory, the flaw is a stack-based buffer overflow issue that could be exploited via crafted network requests.

Unauthenticated attackers can exploit the security weakness by targeting a Windows server acting as a domain controller, Microsoft’s advisory revealed.

“If successful, this could cause the Netlogon service to improperly handle the request, potentially allowing the attacker to run code on the affected system without needing to sign in or have prior access,” the advisory reads.

Roughly a dozen of the vulnerabilities Microsoft resolved with the May 2026 Patch Tuesday updates were flagged as likely to be exploited in attacks, but CVE-2026-41089 was not one of them.

Advertisement. Scroll to continue reading.

On Friday, CCB warned that threat actors have been actively exploiting the security defect in the wild, urging immediate patching.

“It is now actively exploited in the wild,” CCB notes, explaining that remote attackers could leverage it to execute arbitrary code with System privileges.

At the time of publication, there have been no other reports of the vulnerability being exploited in attacks, and Microsoft has not updated its advisory to flag the exploitation.

Organizations are advised to patch CVE-2026-41089 as soon as possible, given its severity, the potential ongoing exploitation, and Windows Netlogon’s history of being in attackers’ crosshairs.

The Netlogon service is a core background service that handles authentication on domain-based networks, and critical bugs in it could provide attackers with control over the Domain Controller and the machines connecting to it.

Responding to a SecurityWeek inquiry, Microsoft said it has found no evidence to support CCB’s claims.

“We recommend customers follow CVE-2026-41089 guidance and install the latest security updates for unpatched systems to protect against this vulnerability,” a Microsoft spokesperson said.

*Updated with statement from Microsoft.

Related: 19-Year-Old Linux Kernel Vulnerability Exposes Systems to Root Access

Related: Recent Palo Alto Networks Vulnerability Exploited for Weeks

Related: Exploit Code Published for Critical Flowise RCE Vulnerability

Related: Gogs Zero-Day Exposes Servers to Remote Code Execution

Related Content

Vulnerabilities

The critical-severity security defect allows remote, authenticated attackers to execute arbitrary code on the server.

Vulnerabilities

The flaws could allow attackers to access credentials and data, take over accounts, and escalate their privileges.

Endpoint Security

The cybersecurity companies patched critical and high-severity vulnerabilities in some of their products.

Artificial Intelligence

An attacker can create a malicious repository containing a git.exe in the project root, and Cursor executes it automatically.

Vulnerabilities

A critical security defect in the ServiceNow AI platform could allow remote attackers to execute arbitrary code.

Vulnerabilities

Public exploit code targeting the Firefox flaws exists, but no in-the-wild exploitation has been observed.

Vulnerabilities

The ColdFusion security defects could allow attackers to execute arbitrary code or elevate their privileges.

Vulnerabilities

The flaws can be exploited for authentication bypass, remote code execution, privilege escalation, and directory traversal.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version