
Windows Netlogon CVE-2026-41089 (CVSS 9.8): Unauthenticated Domain Controller RCE Now Actively Exploited

Belgium's Centre for Cybersecurity (CCB) confirmed active exploitation of CVE-2026-41089 on 29 May — a stack-based buffer overflow in the Windows Netlogon Remote Protocol (MS-NRPC) that allows unauthenticated remote code execution on domain controllers. CVSS 9.8. A public PoC is available. Patch domain controllers as an emergency priority.


Belgium’s Centre for Cybersecurity (CCB) issued an alert on 29 May confirming active exploitation of CVE-2026-41089, a stack-based buffer overflow in the Windows Netlogon Remote Protocol (MS-NRPC). The vulnerability enables an unauthenticated attacker with network access to a domain controller to achieve remote code execution with SYSTEM privileges — no credentials, no user interaction, no prior foothold required.

CVSS 9.8. A public proof-of-concept exploit is available. This is a critical priority for any organisation running Active Directory.

Vulnerability Details

CVE-2026-41089 is a stack-based buffer overflow in the NetrLogonSendToSam function of the Windows Netlogon Remote Protocol service (netlogon.dll). Netlogon handles domain authentication for Active Directory, and its MS-NRPC server interface is exposed on every domain controller, writable and read-only alike.

The flaw is missing length validation on one parameter of the NetrLogonSendToSam RPC call. A malformed request carrying an oversized buffer, delivered to the Netlogon service over its named pipe or its TCP RPC endpoint, overflows a fixed-size stack buffer into adjacent stack memory and overwrites a saved return address. A carefully crafted payload redirects execution to attacker-controlled code running as SYSTEM.

The attack requires:

  • Network access to TCP 445 (SMB, which carries the \PIPE\NETLOGON named pipe) or to the Netlogon RPC endpoint over TCP (located through the endpoint mapper on TCP 135, then a dynamic high port) on the domain controller
  • No authentication credentials
  • No user interaction

TCP 445 to domain controllers is typically accessible from all machines in an Active Directory domain — every domain-joined workstation needs to reach its domain controllers on this port for normal domain operations.

Why This Is Particularly Severe

Domain controllers are the most critical servers in most Windows enterprise environments. SYSTEM-level code execution on a domain controller provides:

  • Credential extraction: The Domain Secrets (LSA secrets), Kerberos key material, and all domain account hashes (via NTDS.dit) are accessible from SYSTEM on a DC — this is a complete Active Directory domain compromise
  • Persistence: An attacker with SYSTEM on a DC can create domain admin accounts, forge Kerberos tickets with the stolen krbtgt key (Golden Tickets), and establish persistence that survives ordinary credential resets; a Golden Ticket stays valid until the krbtgt password has been reset twice
  • Lateral movement: With domain admin credentials extracted from the DC, an attacker can immediately authenticate as any domain user to any domain-joined system

A successful CVE-2026-41089 exploitation against a domain controller is equivalent to a full Active Directory domain compromise.

Exploitation Status

The CCB alert confirmed active exploitation as of 29 May. The exploitation targeting is currently described as opportunistic — attackers scanning for reachable domain controllers and exploiting unpatched instances — rather than targeting specific high-value organisations. This means the risk is proportional to the time to patch, not to the organisation’s specific threat profile.

The public PoC was released by security researcher “Chaotic Eclipse” on approximately 20–25 May (the same researcher who released MiniPlasma). The availability of a working PoC dramatically reduces the technical barrier for exploitation.

Affected Systems

All Windows Server versions acting as Active Directory Domain Controllers are affected, including servers that were fully up to date before the CVE-2026-41089 update shipped:

  • Windows Server 2025
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2 (Extended Security Updates required)

Read-Only Domain Controllers (RODCs) are affected as well: the vulnerable code lives in the Netlogon service, which every RODC runs.

Patch

The patch for CVE-2026-41089 is available via Windows Update as a security update (KB numbers will vary by Windows Server version). Apply via:

  • Windows Update on the domain controller
  • WSUS or SCCM for managed environments
  • Microsoft Update Catalog for manual download

For Server 2012 R2 under Extended Security Updates, confirm your ESU coverage and apply the update.

Immediate (within 24 hours):

  1. Apply the CVE-2026-41089 security update to all domain controllers — start with the FSMO role holders, then all remaining DCs
  2. Prioritise internet-facing DCs and DCs in DMZ or semi-trusted network segments
  3. After patching, list established TCP 445 connections on each DC (netstat -ano | findstr ":445") and investigate any whose remote address lies outside your internal ranges; connections from domain-joined hosts are normal and will be numerous, so filter by source rather than by count
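The three steps above, run fleet-wide from an administrative workstation, as an added example (not code from the CCB alert or from the original article). It assumes the ActiveDirectory module and WinRM access to every DC. The KB identifiers are placeholders because they differ per Windows Server version and are not given here; the internal address ranges are an assumption to replace with your own.

```powershell
# Added example: confirm the CVE-2026-41089 update on every DC (RODCs included) and
# list TCP 445 peers that are not on an internal range.
Import-Module ActiveDirectory

# KB numbers vary per Windows Server version and are not listed here; take them from the
# Microsoft release notes. The values below are placeholders (assumption).
$kbByOs = @{
    'Windows Server 2025'    = 'KB<fill-in>'
    'Windows Server 2022'    = 'KB<fill-in>'
    'Windows Server 2019'    = 'KB<fill-in>'
    'Windows Server 2016'    = 'KB<fill-in>'
    'Windows Server 2012 R2' = 'KB<fill-in>'
}
# Ranges treated as internal (assumption: RFC 1918 plus loopback; replace with your own).
$internalCidrs = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8', '::1/128')

function ConvertTo-BitString([string]$Ip) {
    # Expand an IPv4 or IPv6 address to a bit string so prefixes compare as substrings.
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    -join ($bytes | ForEach-Object { [Convert]::ToString($_, 2).PadLeft(8, '0') })
}
function Test-InternalAddress([string]$Ip, [string[]]$Cidrs) {
    $ipBits = ConvertTo-BitString $Ip
    foreach ($cidr in $Cidrs) {
        $net, $len = $cidr.Split('/')
        $netBits = ConvertTo-BitString $net
        if ($ipBits.Length -eq $netBits.Length -and
            $ipBits.Substring(0, [int]$len) -eq $netBits.Substring(0, [int]$len)) { return $true }
    }
    return $false
}

# Get-ADDomainController -Filter * returns writable DCs and RODCs alike.
$dcs = Get-ADDomainController -Filter * | Sort-Object HostName
$report = foreach ($dc in $dcs) {
    $osKey = $kbByOs.Keys | Where-Object { $dc.OperatingSystem -like "$_*" } | Select-Object -First 1
    $kb    = if ($osKey) { $kbByOs[$osKey] } else { $null }
    $patched = 'unknown'
    $externalPeers = @()
    try {
        $remote = Invoke-Command -ComputerName $dc.HostName -ArgumentList @($kb) -ErrorAction Stop -ScriptBlock {
            param($KbId)
            # Only query when a real KB id is configured; otherwise report nothing.
            $hotfix = if ($KbId -match '^KB\d+$') { Get-HotFix -Id $KbId -ErrorAction SilentlyContinue } else { $null }
            [pscustomobject]@{
                Patched = [bool]$hotfix
                Peers   = (Get-NetTCPConnection -LocalPort 445 -State Established -ErrorAction SilentlyContinue).RemoteAddress
            }
        }
        $patched       = if ($kb -match '^KB\d+$') { $remote.Patched } else { 'KB not configured' }
        $externalPeers = @($remote.Peers | Where-Object { $_ -and -not (Test-InternalAddress $_ $internalCidrs) } | Sort-Object -Unique)
    } catch {
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
    }
    [pscustomobject]@{
        DC            = $dc.HostName
        ReadOnly      = $dc.IsReadOnly
        OS            = $dc.OperatingSystem
        Patched       = $patched
        ExternalPeers = ($externalPeers -join ', ')
    }
}
$report | Format-Table -AutoSize
$report | Where-Object { $_.Patched -ne $true } | ForEach-Object { Write-Warning "Not confirmed patched: $($_.DC)" }
```

A DC that reports `unknown` could not be reached over WinRM and must be checked by hand; do not treat an unreachable DC as patched. The prefix comparison works on the expanded bit string so the same helper handles IPv4 and IPv6 peers.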

Network-level mitigations (while patching):

  • Block TCP 445 from untrusted networks to domain controllers at the perimeter and internal segment boundaries — DC SMB should only be reachable from domain-joined hosts on internal segments, not from DMZ, guest networks, or the internet
  • Netlogon RPC over TCP (the endpoint mapper on TCP 135 and the dynamic range it allocates from, 49152–65535 by default) should similarly be restricted to internal trusted segments
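One way to apply both mitigations with Windows Firewall on the DC itself, as an added example that is not part of the original article or the CCB alert. The untrusted subnets and the DC hostname are placeholders (assumptions); the rule names are arbitrary.

```powershell
# Added example: block Netlogon's transports on a DC from subnets that should never talk
# to it directly. Run on each DC (or push the equivalent rules through GPO).
$untrustedSubnets = @('10.200.0.0/16', '192.168.250.0/24')   # DMZ and guest ranges (assumed)

# TCP 445 carries \PIPE\NETLOGON over SMB; TCP 135 is the RPC endpoint mapper that hands
# out the dynamic Netlogon port; 49152-65535 is the default dynamic range.
$rules = @(
    @{ Name = 'DC - Block SMB 445 from untrusted';     Port = '445' },
    @{ Name = 'DC - Block RPC EPM 135 from untrusted'; Port = '135' },
    @{ Name = 'DC - Block RPC dynamic from untrusted'; Port = '49152-65535' }
)
foreach ($r in $rules) {
    # Block rules take precedence over allow rules in Windows Firewall, so these override
    # the built-in Active Directory allow rules for the listed sources only; domain members
    # on every other subnet keep reaching the DC as before.
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Block -Enabled True `
            -Protocol TCP -LocalPort $r.Port -RemoteAddress $untrustedSubnets -Profile Any | Out-Null
    }
}
Get-NetFirewallRule -DisplayName 'DC - Block*' | Format-Table DisplayName, Enabled, Direction, Action -AutoSize

# Verification, to be run from a host on one of the blocked subnets: every probe should
# come back $false once the rules (and any perimeter ACLs) are in place.
function Test-DcExposure([string]$Dc, [int[]]$Ports = @(445, 135)) {
    foreach ($p in $Ports) {
        [pscustomobject]@{
            DC   = $Dc
            Port = $p
            Open = Test-NetConnection -ComputerName $Dc -Port $p -InformationLevel Quiet -WarningAction SilentlyContinue
        }
    }
}
Test-DcExposure -Dc 'dc01.corp.example'   # hostname is a placeholder (assumption)
```

The deny-list form is chosen deliberately: an allow-list that replaces the built-in rules is cleaner but locks out domain members the moment a subnet is forgotten. Microsoft also documents pinning Netlogon to a fixed port through the DCTcpipPort value under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, which turns the 16,000-port dynamic-range rule into a single-port rule at the cost of a Netlogon restart.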

Post-patch investigation:

  • Review DC security event logs (Event ID 4625, 4672, 4769) for the exposure window. The exploit itself is unauthenticated and produces no logon event, so these IDs surface post-exploitation activity rather than the attack; also review account and group change events (4720, 4728, 4732, 4756) and, because Netlogon runs inside lsass.exe on a DC, any unexplained DC reboots, which is what a failed stack-overflow attempt typically causes
  • Run Get-ADUser -Filter { whenCreated -ge $exposureStart } -Properties whenCreated | Sort-Object whenCreated, with $exposureStart set to the start of your exposure window, to list accounts created during it (whenCreated marks creation; PasswordLastSet also moves on every routine reset)
  • Check for unexpected members of Domain Admins, Enterprise Admins, and Schema Admins groups
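The three investigation steps combined into one run, as an added example (not code from the original article). It assumes the ActiveDirectory module, remote event-log access to the DCs, and an exposure window starting at the approximate public PoC release; the dates are assumptions to adjust to your own timeline.

```powershell
# Added example: hunt for post-exploitation artefacts from the exposure window. The
# exploit is unauthenticated, so look for what SYSTEM on a DC was used for, not for a logon.
Import-Module ActiveDirectory
$exposureStart = Get-Date '2026-05-20'   # approximate public PoC release (assumption)
$exposureEnd   = Get-Date                # or the time the last DC was patched

# 1. Accounts created in the window (whenCreated marks creation; PasswordLastSet does not).
$newAccounts = Get-ADUser -Filter { whenCreated -ge $exposureStart } -Properties whenCreated, Enabled |
    Select-Object SamAccountName, whenCreated, Enabled

# 2. Current membership of the Tier-0 groups, to diff against a known-good baseline.
$privGroups  = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
$privMembers = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive | ForEach-Object {
        [pscustomobject]@{ Group = $g; Member = $_.SamAccountName; Class = $_.objectClass }
    }
}

# 3. Per-DC event review. 4720 = user created, 4728/4732/4756 = member added to a security
#    group; these are low-volume and high-signal. 4672/4769/4625 from the checklist are
#    high-volume over a multi-week window and belong in the SIEM rather than in this loop.
#    System 6008 = unexpected shutdown: a failed overflow attempt crashes lsass.exe, which
#    hosts Netlogon on a DC, and an lsass crash forces a reboot.
$changeIds = 4720, 4728, 4732, 4756
$findings = foreach ($dc in Get-ADDomainController -Filter *) {
    foreach ($q in @(
        @{ LogName = 'Security'; Id = $changeIds; StartTime = $exposureStart; EndTime = $exposureEnd },
        @{ LogName = 'System';   Id = 6008;       StartTime = $exposureStart; EndTime = $exposureEnd })) {
        try {
            Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $q -ErrorAction Stop |
                Select-Object @{ n = 'DC'; e = { $dc.HostName } }, LogName, Id, TimeCreated,
                              @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
        } catch {
            # Get-WinEvent raises an error when nothing matches; that is not a failure here.
            if ($_.Exception.Message -notmatch 'No events were found') {
                Write-Warning "$($dc.HostName): $($_.Exception.Message)"
            }
        }
    }
}

$newAccounts | Format-Table -AutoSize
$privMembers | Sort-Object Group, Member | Format-Table -AutoSize
$findings    | Sort-Object TimeCreated | Format-Table -AutoSize
```

Every entry the run produces needs an owner: a created account or a group addition without a matching change ticket, or a DC that rebooted unexpectedly while Netlogon was reachable from an untrusted segment, should be treated as a possible compromise of that DC, and the response is then a full domain compromise response (krbtgt double reset, privileged credential rotation) rather than patch-and-move-on.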
