Windows Netlogon RCE Actively Exploited: Domain Controllers Across Europe Under Threat

Source: Help Net Security

Active exploitation of CVE-2026-41089, a critical remote code execution vulnerability in Windows Netlogon, was confirmed in the wild on May 29, 2026. On June 1, Belgium’s Centre for Cybersecurity (CCB) issued a public warning to organisations operating Windows domain infrastructure across Europe. The flaw carries a CVSS score of 9.8: it is exploitable over the network with no authentication and no user interaction, and an attacker needs nothing more than network reachability to a domain controller. A single malformed request is sufficient to achieve remote code execution as SYSTEM on that domain controller.

What the vulnerability is

Netlogon is the Windows service, and the RPC protocol behind it (MS-NRPC), that maintains the secure channel between domain members and domain controllers, passes through NTLM authentication, and maintains trust relationships within and between Active Directory domains. Every organisation running a Windows domain, from small businesses to large enterprises and government agencies, relies on it for core identity and access functions.

CVE-2026-41089 is a stack-based buffer overflow in the Netlogon service. When a domain controller processes a specially crafted network request, it writes data beyond the boundaries of a fixed-size stack buffer, overwriting adjacent memory and allowing an attacker to redirect execution to arbitrary code. Netlogon runs inside lsass.exe, which is why a successful exploit lands as SYSTEM. The vulnerability affects Windows Server 2012 R2 through Windows Server 2025, so every serviced version of Windows Server is in scope, including 2012 R2, which left extended support in October 2023 and only receives fixes under Extended Security Updates.

Microsoft patched the vulnerability on May 12, 2026, during the May Patch Tuesday cycle. The company’s own Windows Attack Research and Protection (WARP) team discovered and reported the flaw internally. Confirmation of active exploitation in the wild came seventeen days later.

The blast radius of a domain controller compromise

The specific risk of a domain controller compromise goes well beyond that of a typical server. A domain controller holds a writable copy of the Active Directory database (NTDS.dit), which contains every user account, computer account, group membership and group policy object in the domain, together with the secrets that protect them. An attacker with SYSTEM-level code execution on a domain controller can:

  • Extract every password hash in the domain from NTDS.dit (with the SYSTEM hive that protects it) using standard tooling, enabling offline cracking or pass-the-hash against any account, including the krbtgt account whose key signs Kerberos tickets
  • Create new privileged accounts, or add existing ones to privileged groups, that persist after the initial access vector is patched
  • Modify group policy objects to push malicious configuration or scheduled tasks to every domain-joined computer
  • Forge Kerberos tickets (golden ticket attacks) with the stolen krbtgt key; these remain valid until the krbtgt password has been reset twice, not merely until the domain controller is patched
  • Pivot laterally to every system in the domain using credentials the rest of the domain accepts as legitimate, so no further exploitation and no unusual authentication failures are needed

This is why the Belgian CCB warning specifically characterised CVE-2026-41089 as requiring urgent response rather than routine patch scheduling.

European context: NIS2 and GDPR obligations

For European organisations, the CCB advisory adds a regulatory dimension to a technical one. Under NIS2, organisations in sectors classified as essential or important are required to take prompt action when vulnerabilities affecting critical systems are publicly documented and under active exploitation. A domain controller is not a peripheral system: it sits at the centre of identity, access control, and policy enforcement for the entire Windows estate.

Under GDPR Article 32, the obligation to implement appropriate security measures is continuous and risk-proportionate. A known, remotely exploitable vulnerability on a domain controller – confirmed under active exploitation by a national cybersecurity authority – is precisely the scenario that Article 32 is designed to address. Organisations that delay patching past a reasonable timeframe face the risk of being found in breach of their Article 32 obligations in the event of a subsequent incident.

Immediate actions for infrastructure teams

Patch immediately. The May 12 Patch Tuesday update addresses CVE-2026-41089. If your organisation follows a delayed patch deployment cycle for stability reasons, domain controllers should be treated as an exception given the active exploitation status. Patch them ahead of the standard schedule.

Prioritise reachable domain controllers. Assess which of your domain controllers are reachable from untrusted network segments. Domain controllers should not be directly accessible from the internet or from general user VLANs. Netlogon RPC reaches a domain controller over SMB (TCP 445, the \PIPE\NETLOGON named pipe) or over the RPC endpoint mapper (TCP 135) plus a dynamic high port, so firewall rules restricting inbound access on those ports to authorised source addresses are an immediate risk reduction step that can be taken while patching proceeds. Bear in mind that every domain member and replication partner legitimately uses those same ports: the allow list is "the networks that are supposed to talk to a domain controller", not "administrators only". The goal is to remove exposure to the internet and untrusted segments, not to isolate the domain controller from the domain it serves.

Enforce MFA for administrator sessions. The CCB advisory specifically recommends MFA for all administrator sessions on domain infrastructure. A domain controller that also serves as the authentication gate for administrator access compounds the blast radius of its own compromise. FIDO2-based MFA takes the password out of the logon exchange, so a captured password or a replayed hash is no longer enough to open an administrator session; that raises the cost of the credential-based lateral movement described above. It does not, however, protect a domain controller that is already compromised, because the attacker then holds the directory’s secrets directly.

Review Netlogon activity. Anomalous Netlogon RPC traffic, in particular connection attempts from unexpected source addresses, may indicate scanning or exploitation in progress. Netlogon RPC calls are not written to the Security event log by default, so enable the Netlogon debug log (nltest /dbflag:0x2080ffff, written to %windir%\debug\netlogon.log) or Windows Firewall connection logging on the domain controller to obtain source addresses for TCP 135 and 445, and forward the result to a SIEM with a detection rule for Netlogon traffic from source IPs outside the expected set. Successful network logons to a domain controller (Security event 4624, logon type 3) from unexpected sources deserve the same scrutiny, since that is what post-exploitation activity looks like.

Run a domain privilege audit. If you have any reason to suspect that a domain controller may have been accessed before you became aware of this vulnerability, audit the directory before concluding that the environment is clean: check for accounts created or added to privileged groups since the fix was released, unexpected group policy changes and modified Kerberos ticket lifetimes, and record when the krbtgt password was last set. If compromise is confirmed, the patch alone does not evict the attacker: reset the krbtgt password twice (allowing replication to complete in between) to invalidate forged tickets, and rotate every privileged credential.
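The four actions above as a single triage script, added here as an example; it is not code from the Help Net Security article, the CCB advisory or Microsoft. It runs elevated on a domain controller with the ActiveDirectory and GroupPolicy modules installed, and it assumes two things you must supply: the KB number of the May 12 update, which this page does not give (the placeholder is hypothetical), and the IPv4 subnets from which logons to a domain controller are expected. The Default Domain Policy GUID and the Kerberos policy defaults it compares against are standard Windows values; if another GPO overrides Kerberos policy in your domain, check that one as well.

```powershell
<#
  Added example: not from the Help Net Security article, the CCB advisory or Microsoft.
  Triage for the four actions above. Run elevated on a domain controller
  (needs the ActiveDirectory and GroupPolicy modules). Output is for a human to read.
#>
param(
    [string]   $PatchKB        = 'KB0000000',            # ASSUMPTION: placeholder, the page gives no KB number
    [datetime] $Since          = [datetime]'2026-05-12',  # day the fix shipped; "what changed since then"
    [string[]] $TrustedSources = @('10.10.0.0/16')       # ASSUMPTION: your member/admin subnets, IPv4 CIDR
)
Import-Module ActiveDirectory, GroupPolicy

# IPv4-only CIDR membership test; IPv6 sources fall through as "not trusted" and get listed.
function Test-InCidr([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/'); if (-not $bits) { $bits = 32 }
    try { $ipB = [Net.IPAddress]::Parse($Ip).GetAddressBytes(); $netB = [Net.IPAddress]::Parse($net).GetAddressBytes() }
    catch { return $false }
    if ($ipB.Length -ne 4 -or $netB.Length -ne 4) { return $false }
    $keep = [int]$bits
    for ($i = 0; $i -lt 4; $i++) {
        $m = if ($keep -ge 8) { 255 } elseif ($keep -le 0) { 0 } else { 256 - [int][math]::Pow(2, 8 - $keep) }
        if (($ipB[$i] -band $m) -ne ($netB[$i] -band $m)) { return $false }
        $keep -= 8
    }
    return $true
}

Write-Host "== 1. Patch status on every DC (Get-HotFix queries each DC over WMI/DCOM) =="
$status = foreach ($dc in Get-ADDomainController -Filter *) {
    $hf = Get-HotFix -ComputerName $dc.HostName -Id $PatchKB -ErrorAction SilentlyContinue
    [pscustomobject]@{ DC = $dc.HostName; OS = $dc.OperatingSystem; Patched = [bool]$hf; InstalledOn = $hf.InstalledOn }
}
$status | Format-Table -AutoSize

Write-Host "== 2. Inbound allow rules on this DC exposing RPC/SMB (135, 445, RPC) to any remote address =="
# Port ranges written as '49152-65535' are not matched here; review those by hand.
$rpcPorts = '135', '445', 'RPC', 'RPC-EPMap', 'Any'
$open = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    $hit  = @($port.LocalPort) | Where-Object { $rpcPorts -contains $_ }
    if ($hit -and ($addr.RemoteAddress -contains 'Any')) {
        [pscustomobject]@{ Rule = $rule.DisplayName; Profile = $rule.Profile; LocalPort = (@($port.LocalPort) -join ',') }
    }
}
$open | Format-Table -AutoSize

Write-Host "== 3. Network logons (Security 4624, type 3) to this DC since $Since from outside the trusted subnets =="
# An unauthenticated exploit request writes no 4624; this surfaces sources that authenticated afterwards.
# For the RPC traffic itself: nltest /dbflag:0x2080ffff (%windir%\debug\netlogon.log) or firewall connection logging.
$odd = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $e = $_; $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.LogonType -eq '3' -and $d.IpAddress -and $d.IpAddress -notin @('-', '127.0.0.1', '::1') -and
            -not ($TrustedSources | Where-Object { Test-InCidr $d.IpAddress $_ })) {
            [pscustomobject]@{ Time = $e.TimeCreated; Source = $d.IpAddress; Account = "$($d.TargetDomainName)\$($d.TargetUserName)"; Process = $d.ProcessName }
        }
    }
$odd | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Accounts'; e = { ($_.Group.Account | Select-Object -Unique) -join ', ' } } | Format-Table -AutoSize

Write-Host "== 4. Privilege audit: directory changes since $Since =="
Get-ADUser -Filter { whenCreated -ge $Since } -Properties whenCreated, MemberOf |
    Select-Object SamAccountName, whenCreated, @{ n = 'MemberOf'; e = { (@($_.MemberOf) | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } } |
    Format-Table -AutoSize
$priv = foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    Get-ADGroupMember -Identity $g -Recursive | Where-Object objectClass -eq 'user' | ForEach-Object {
        Get-ADUser $_.distinguishedName -Properties whenCreated, PasswordLastSet |
            Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, whenCreated, PasswordLastSet
    }
}
$priv | Format-Table -AutoSize
Get-GPO -All | Where-Object { $_.ModificationTime -ge $Since } | Select-Object DisplayName, ModificationTime, Owner | Format-Table -AutoSize
# Golden tickets outlive the patch: they stay valid until krbtgt has been reset twice.
Get-ADUser krbtgt -Properties PasswordLastSet | Select-Object SamAccountName, PasswordLastSet | Format-Table -AutoSize
# Kerberos ticket lifetimes live in the Default Domain Policy (fixed GUID) security template in SYSVOL.
$defaults = @{ MaxTicketAge = 10; MaxRenewAge = 7; MaxServiceAge = 600; MaxClockSkew = 5; TicketValidateClient = 1 }
$root = (Get-ADDomain).DNSRoot
$inf  = "\\$root\SYSVOL\$root\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
$inKrb = $false
$krb = foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]') { $inKrb = ($Matches[1] -eq 'Kerberos Policy'); continue }
    if ($inKrb -and $line -match '^(\w+)\s*=\s*(\d+)') {
        $v = [int]$Matches[2]
        [pscustomobject]@{ Setting = $Matches[1]; Value = $v; Default = $defaults[$Matches[1]]; Changed = ($v -ne $defaults[$Matches[1]]) }
    }
}
$krb | Format-Table -AutoSize
```

Section 3 reads every 4624 event since the patch date, which on a busy domain controller can be a large volume; narrow `-Since` or add `-MaxEvents` to `Get-WinEvent` for a first pass. A source listed there is a prompt to look at that host, not proof of exploitation; the absence of findings is not proof of a clean domain either, because the exploit request itself leaves no Security log entry.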

If you need help verifying patch status across your Windows Server estate, implementing network segmentation for domain controllers, configuring detection rules for Netlogon exploitation attempts, or assessing your Active Directory posture against current threats, contact Excello Digital. We help European organisations protect the infrastructure that their entire identity and access model depends on.
