Situation
A critical vulnerability in the Windows Netlogon Remote Protocol allows an unauthenticated attacker with network access to a domain controller to execute arbitrary code with SYSTEM (highest) privileges. No credentials or user interaction are required. A working proof-of-concept exploit is publicly available, and Belgium’s national cybersecurity authority confirmed active exploitation on 29 May 2026.
This is a complete Active Directory compromise vector. Domain controllers are the authentication backbone of Windows enterprise environments. SYSTEM-level access to a domain controller provides access to all domain credentials, enables creation of persistent backdoor accounts, and allows authentication as any user in the domain.
Business Impact
Successful exploitation by an adversary results in:
- Complete Active Directory domain compromise — all user accounts, service accounts, and administrative credentials are accessible
- Ransomware deployment capability — adversaries with domain admin can deploy ransomware to all domain-joined systems simultaneously
- Data exfiltration access — domain admin credentials enable access to any file share, database, or application integrated with Active Directory
- Persistent access — attackers can create domain admin accounts and Kerberos backdoors (for example tickets forged with the stolen krbtgt key) that survive ordinary user password resets; evicting them requires resetting the krbtgt account twice and rotating every credential that was exposed
All Windows enterprise environments with Active Directory are affected regardless of industry sector.
Required Actions
Immediately (within 24 hours):
- Apply the Microsoft security update for CVE-2026-41089 to all domain controllers in every domain of the forest via Windows Update or WSUS, restart them, and confirm the update reports as installed on each one. Prioritise internet-accessible and DMZ domain controllers, then the rest.
- Verify domain controller network access controls. The Netlogon RPC interface (MS-NRPC) is reachable over SMB named pipes on TCP 445 (\PIPE\NETLOGON) and over direct RPC via the endpoint mapper on TCP 135 plus the dynamic high port it hands out; all of these should be reachable only from internal domain-joined hosts and other domain controllers, never from untrusted network segments or the internet.
- After patching, review membership of Domain Admins, Enterprise Admins and the built-in Administrators group for accounts you do not recognise.
Investigation for exposed environments:
If domain controllers were accessible from untrusted networks (internet, guest network, cloud-hosted segments) prior to patching, conduct a post-exploitation investigation:
- Review each DC's Security log for network logons (event 4624, logon type 3) from source addresses outside your internal ranges
- Check for account creation (event 4720) and additions to privileged groups (events 4728, 4732, 4756) during the exposure window
- Consider engaging incident response support for high-value environments
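The following PowerShell script is an added example that carries out the patch check, the exposure check, the privileged-group review and the log review above in one pass. It is not part of the original advisory and is not Microsoft tooling. It assumes the RSAT ActiveDirectory module on a management host run as a Domain Admin, and every parameter is an assumption to adjust: the advisory does not name the KB number of the CVE-2026-41089 update, so it is passed in as -KbId; the internal CIDR ranges, the exposure window (defaulting to the earliest PoC date in the Timeline section) and the audit policy that must have been in force are all stated in the comments.

```powershell
<#
  Added example for this advisory; not Microsoft tooling and not part of the
  original page. Run as a Domain Admin from a management host with RSAT's
  ActiveDirectory module. Everything below is an assumption to adjust:
    -KbId          KB number of the CVE-2026-41089 update (the advisory does
                   not name it; take it from the Microsoft Security Update Guide)
    -InternalCidrs your internal subnets; logons from outside them are flagged
    -WindowStart   start of the exposure window; defaults to the earliest
                   PoC date in the Timeline section
#>
param(
    [Parameter(Mandatory)][string]$KbId,
    [string[]]$InternalCidrs = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'),
    [datetime]$WindowStart = [datetime]'2026-05-20',
    [datetime]$WindowEnd   = (Get-Date)
)
Import-Module ActiveDirectory -ErrorAction Stop

function ConvertTo-IpInt([string]$Ip) {            # dotted quad -> UInt64, big-endian
    $v = [uint64]0
    foreach ($b in ([IPAddress]$Ip).GetAddressBytes()) { $v = $v * 256 + [uint64]$b }
    return $v
}
function Test-InternalIp([string]$Ip) {
    if ($Ip -in '-', '127.0.0.1', '::1') { return $true }          # local / no address
    if ($Ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false } # IPv6 etc.: review by hand
    $addr = ConvertTo-IpInt $Ip
    foreach ($cidr in $InternalCidrs) {
        $net, $bits = $cidr -split '/'
        $mask = [uint64](4294967296 - [math]::Pow(2, 32 - [int]$bits))   # e.g. /8 -> 0xFF000000
        if (($addr -band $mask) -eq ((ConvertTo-IpInt $net) -band $mask)) { return $true }
    }
    return $false
}
function ConvertFrom-EventData($Event) {           # <Data Name="...">value</Data> -> hashtable
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

$dcs = Get-ADDomainController -Filter *

# 1. Patch status on every DC (Get-HotFix queries the remote host over WMI/CIM).
foreach ($dc in $dcs) {
    $fix = Get-HotFix -ComputerName $dc.HostName -Id $KbId -ErrorAction SilentlyContinue
    '{0,-30} {1}' -f $dc.HostName, $(if ($fix) { "PATCHED $($fix.InstalledOn)" } else { 'MISSING' })
}

# 2. Exposure check. MS-NRPC is reachable over SMB named pipes (TCP 445,
#    \PIPE\NETLOGON) and over the RPC endpoint mapper (TCP 135 plus a dynamic
#    high port). Run this block from an untrusted segment (guest VLAN, DMZ);
#    'True' from there means the DC is exposed.
foreach ($dc in $dcs) {
    foreach ($port in 445, 135) {
        $r = Test-NetConnection -ComputerName $dc.HostName -Port $port -WarningAction SilentlyContinue
        '{0,-30} TCP {1,-3} reachable: {2}' -f $dc.HostName, $port, $r.TcpTestSucceeded
    }
}

# 3. Privileged group members created or changed inside the window.
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins') {
    Get-ADGroupMember -Identity $g -Recursive | Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties whenCreated, whenChanged, lastLogonDate |
        Where-Object { $_.whenCreated -ge $WindowStart -or $_.whenChanged -ge $WindowStart } |
        Select-Object @{n='Group';e={$g}}, SamAccountName, whenCreated, whenChanged, lastLogonDate
}

# 4. Account creation (4720) and additions to security-enabled groups
#    (4728 global, 4732 local, 4756 universal) on each DC. Needs the
#    "User Account Management" and "Security Group Management" audit
#    subcategories to have been enabled during the window.
$mgmt = @{ LogName = 'Security'; Id = 4720, 4728, 4732, 4756; StartTime = $WindowStart; EndTime = $WindowEnd }
foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $mgmt -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{ DC = $dc.HostName; Time = $_.TimeCreated; Id = $_.Id
                           Actor = $d['SubjectUserName']; Target = $d['TargetUserName']; Member = $d['MemberName'] }
    }
}

# 5. Network logons (4624, logon type 3) to each DC from outside the internal ranges.
$logon = @{ LogName = 'Security'; Id = 4624; StartTime = $WindowStart; EndTime = $WindowEnd }
foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $logon -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($d['LogonType'] -eq '3' -and -not (Test-InternalIp $d['IpAddress'])) {
            [pscustomobject]@{ DC = $dc.HostName; Time = $_.TimeCreated; User = $d['TargetUserName']
                               Source = $d['IpAddress']; Package = $d['AuthenticationPackageName'] }
        }
    }
}
```

Step 5 pulls every 4624 from each DC for the window, which on a busy DC is slow; if the Security logs are already forwarded to a SIEM, run the same filter there instead. Treat the output as a starting point for review, not as clearance: the advisory does not describe what the exploit itself leaves in the logs, so an empty result from steps 4 and 5 does not prove the DC was not touched, and the exposure check in step 2 is the one that tells you whether an investigation is needed at all.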
Timeline
- CVE-2026-41089 patched (Microsoft security update): [May 2026 Patch Tuesday cycle]
- Public PoC exploit released: ~May 20–25 2026
- Active exploitation confirmed (CCB alert): May 29 2026
- Your patch window: Close immediately