
A zero-click, unauthenticated remote code execution vulnerability in the Windows Netlogon service is being actively exploited in the wild. CVE-2026-41089 carries a CVSS score of 9.8 and targets domain controllers — the servers that hold credentials, group policies, and authentication tokens for every user in a Windows environment. Microsoft patched it on May 12. Attackers were in unpatched systems by May 13. If your Windows Server domain controllers are not running the May 2026 cumulative update, stop reading and go patch them now.
One Packet, SYSTEM on Your Domain Controller
The vulnerability is a stack-based buffer overflow (CWE-121) in the Windows Netlogon Remote Protocol (MS-NRPC) packet handler. A malformed length field causes the service to write beyond its 528-byte stack buffer, overwriting the return address and handing the attacker arbitrary code execution as SYSTEM.
What makes this especially dangerous is the attack path: an unauthenticated attacker sends a single crafted CLDAP UDP packet to port 389 on a reachable domain controller. No account needed. No phishing link. No user to trick. Just a network path and an unpatched server.
SYSTEM privileges on a domain controller mean Active Directory is compromised: every user account, every group policy, every authentication credential. From there, attackers can forge Kerberos tickets (Golden Ticket attacks), reset passwords, create backdoor admin accounts, and maintain persistent access even after the DC is eventually patched. The blast radius from a single compromised DC touches every device in the domain.
From “Less Likely to Exploit” to Mass Exploitation in Two Weeks
Microsoft’s initial rating classified CVE-2026-41089 as “Exploitation Less Likely.” That rating lasted roughly 12 hours. CrowdStrike observed exploit attempts in the wild by 06:00 UTC on May 13 — less than 24 hours after the patch dropped — from IP addresses associated with a known Chinese APT group.
Two weeks later, on May 29, Belgium’s Centre for Cybersecurity (CCB) issued a standalone urgent advisory confirming mass exploitation. National CERTs rarely single out individual CVEs unless the threat is concrete and immediate. By June 1, BleepingComputer and Help Net Security confirmed the exploitation was widespread. Three weeks in, organizations without the patch are being actively hit.
Microsoft’s “exploitation less likely” designation on a CVSS 9.8 zero-click Netlogon flaw was always optimistic. On high-value targets like domain controllers — the crown jewels of enterprise infrastructure — the assumption should always be “exploitation imminent.”
How to Verify and Apply the Fix
The fix is in the May 2026 cumulative update. Check your current build number against the minimum patched versions:
- Windows Server 2016: build 10.0.14393.9140 or later
- Windows Server 2019: build 10.0.17763.8755 or later
- Windows Server 2022: build 10.0.20348.5074 or later
- Windows Server 2022 23H2: build 10.0.25398.2330 or later
- Windows Server 2025: build 10.0.26100.32772 or later
Verify your current build in PowerShell. The trailing number in the builds above is the update build revision (UBR), which [System.Environment]::OSVersion.Version reports as 0, so read the build and UBR from the registry instead:
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' | Select-Object CurrentBuildNumber, UBR
If you cannot patch immediately, use Windows Firewall host-based rules on each domain controller to block inbound TCP 445 and UDP 389 from subnets that contain no domain controllers. Treat this as a 24-hour bridge control only; network restriction is not a fix.
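The following PowerShell script is an added example, not code from the original post or from Microsoft: it reads the real build and UBR from the registry, compares them against the minimum patched builds listed above, and, only when the host is unpatched, stages the bridge rules from the previous paragraph. It assumes it runs elevated on the domain controller itself, and the subnet ranges in $NonDcSubnets are constructed placeholders you must replace with your own.

```powershell
# Added example (not from the original post). Run elevated on the DC.
# Minimum patched builds from the advisory text, keyed by CurrentBuildNumber.
$MinPatched = @{
    '14393' = 9140    # Windows Server 2016
    '17763' = 8755    # Windows Server 2019
    '20348' = 5074    # Windows Server 2022
    '25398' = 2330    # Windows Server 2022 23H2
    '26100' = 32772   # Windows Server 2025
}

function Get-OsBuildInfo {
    # [System.Environment]::OSVersion.Version reports the revision as 0, so the
    # UBR (the trailing number in the patched builds) must come from the registry.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Product   = $cv.ProductName
        Build     = [int]$cv.CurrentBuildNumber
        UBR       = [int]$cv.UBR
        FullBuild = "10.0.$($cv.CurrentBuildNumber).$($cv.UBR)"
    }
}

function Test-NetlogonPatched {
    param([int]$Build, [int]$Ubr)
    $key = "$Build"
    if (-not $MinPatched.ContainsKey($key)) {
        return $null   # build not in the advisory table (e.g. a client SKU)
    }
    return ($Ubr -ge $MinPatched[$key])
}

function New-NetlogonBridgeRules {
    param([string[]]$BlockFrom, [switch]$WhatIf)
    # Block rules take precedence over allow rules in Windows Firewall, so these
    # override the built-in AD DS / File and Printer Sharing allow rules for the
    # listed source ranges only; DC-to-DC traffic from other ranges is untouched.
    New-NetFirewallRule -DisplayName 'CVE-2026-41089 bridge: block UDP 389 from non-DC subnets' `
        -Direction Inbound -Protocol UDP -LocalPort 389 -RemoteAddress $BlockFrom `
        -Action Block -Profile Any -WhatIf:$WhatIf
    New-NetFirewallRule -DisplayName 'CVE-2026-41089 bridge: block TCP 445 from non-DC subnets' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -RemoteAddress $BlockFrom `
        -Action Block -Profile Any -WhatIf:$WhatIf
}

$os      = Get-OsBuildInfo
$patched = Test-NetlogonPatched -Build $os.Build -Ubr $os.UBR
"$($os.Product) build $($os.FullBuild)"

if ($null -eq $patched) {
    'Build is not in the advisory table; check vendor guidance for this SKU.'
} elseif ($patched) {
    'May 2026 cumulative update (or later) is installed.'
} else {
    $need = $MinPatched["$($os.Build)"]
    "UNPATCHED: needs UBR $need or later. Staging bridge rules; patch as soon as possible."

    # Constructed placeholder ranges for workstation / VPN / contractor subnets.
    # Replace with your own, and drop -WhatIf once the list is confirmed.
    $NonDcSubnets = @('10.10.0.0/16', '10.20.0.0/16', '192.168.100.0/24')
    New-NetlogonBridgeRules -BlockFrom $NonDcSubnets -WhatIf
}

# After patching, remove the bridge rules again:
#   Get-NetFirewallRule -DisplayName 'CVE-2026-41089 bridge*' | Remove-NetFirewallRule
```

The script keeps -WhatIf on the rule creation so a first run only reports what it would do; the block-from list is deliberately explicit rather than "everything except DC subnets", because a mistyped range in a block rule on a DC can cut off replication partners and admin hosts.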
This Is the Netlogon Pattern
Zerologon (CVE-2020-1472) was the last time Netlogon made headlines. That flaw used a broken cryptographic implementation instead of a buffer overflow, but the target and the outcome were identical: unauthenticated domain controller compromise. Ransomware operators integrated Zerologon into active campaigns within days of the first public proof-of-concept.
CVE-2026-41089 is in the same category. The mechanism differs; the stakes do not. The window between disclosure and exploitation is now measured in hours, not weeks, yet many organizations are still running on the Patch Tuesday from two months ago.
The deeper lesson here is not just about this specific CVE: domain controllers should not be reachable from every workstation subnet, VPN pool, and contractor network in the first place. Segmenting DC access — restricting who can initiate Netlogon RPC connections to begin with — reduces the exposure surface before, during, and after individual vulnerabilities are disclosed. Most organizations have never audited this.
Patch your domain controllers. Then take an hour to audit who can reach them over ports 445 and 389. The next Netlogon CVE is not a hypothetical.
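As a starting point for that audit, here is an added PowerShell example (not from the original post) that lists every enabled inbound allow rule on the host firewall of a domain controller that exposes TCP 445 or UDP 389, with the remote address ranges each rule permits. It is read-only and assumes it runs elevated on the DC; rules whose RemoteAddress is Any are the ones that let every workstation, VPN and contractor subnet initiate those connections.

```powershell
# Added example (not from the original post). Read-only; run elevated on the DC.
function Get-DcExposureRules {
    param([string[]]$Ports = @('445', '389'))   # SMB/RPC and (C)LDAP, per the article
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        # LocalPort may be a single value, an array, or the literal 'Any'.
        $local = @($port.LocalPort)
        $hits  = $local | Where-Object { $_ -eq 'Any' -or ($Ports -contains $_) }
        if ($hits) {
            $addr = $rule | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Name          = $rule.DisplayName
                Profile       = $rule.Profile
                Protocol      = $port.Protocol
                LocalPort     = ($local -join ',')
                # 'Any' here means every reachable subnet can initiate the connection.
                RemoteAddress = (@($addr.RemoteAddress) -join ',')
            }
        }
    }
}

Get-DcExposureRules | Sort-Object RemoteAddress, Name | Format-Table -AutoSize
```

The host firewall is only one layer; the same question (which source ranges may reach TCP 445 and UDP 389 on the DCs) should be asked of the network ACLs and VPN pools in front of them, which this script cannot see.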