Zerologon in 2020 (CVE-2020-1472, CVSS 10.0). A series of MS-NRPC vulnerabilities in 2022. And now CVE-2026-41089 in May 2026, CVSS 9.8, active exploitation confirmed.
The Netlogon service, the Windows Netlogon Remote Protocol (MS-NRPC) that domain controllers use for authentication, has been an active exploitation target for six years. Every time a significant vulnerability appears, there is an incident wave, a patching scramble, and a round of architecture discussions about whether domain controllers should be reachable from the places they currently are. And then, a year or two later, the next vulnerability appears and the cycle repeats.
The question worth asking in 2026, after the third major iteration of this cycle: is the architecture discussion producing different outcomes, or are organisations patching the specific vulnerability while leaving the underlying exposure in place?
What Zerologon Was Supposed to Change
Zerologon was a CVSS 10.0 vulnerability. It was being actively exploited by APT33 within weeks of disclosure. CISA issued an emergency directive requiring US federal agencies to patch within 24 hours. The security industry produced substantial analysis of why domain controllers were reachable from as many network segments as they were, and of what a better architecture would look like.
The prescribed remediation went beyond patching: segment domain controllers onto isolated networks, restrict TCP 445 to authorised sources, implement the Microsoft Tier Model, deploy PAWs for privileged access, instrument DC logs for real-time detection.
Some organisations did this. Many organisations patched the vulnerability, made note of the architecture recommendations, and returned to operational priorities.
The Architectural Leverage That Remains
CVE-2026-41089 is exploitable only from networks that can reach domain controllers on TCP 445. This is not a subtle constraint: it is the complete boundary of the vulnerability's scope. An attacker who cannot reach a DC on TCP 445 cannot exploit this vulnerability, regardless of how severe the CVSS score is.
In an environment where domain controllers are network-isolated to a dedicated subnet reachable only from management PAWs and domain-joined corporate hosts, CVE-2026-41089 is exploitable only by someone who has already compromised a corporate host or a PAW. That is still a risk, but it is a dramatically smaller attack surface than "all cloud workloads, all branch offices, all partner connections, and any other network segment that has inherited access to the corporate VLAN."
The architecture question after patching CVE-2026-41089 is not complicated: which networks can currently reach your domain controllers on TCP 445, and which of those should be able to? The gap between those two answers is the residual exposure to the next Netlogon-class vulnerability.
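The two answers to that question can be compared mechanically. The script below is an added example, not code from the original article: it takes an assumed tier-0 allow-list (a PAW subnet and the corporate host range), a constructed flow log of the kind a firewall at the DC subnet edge exports, and reports every source that successfully reached a DC on TCP 445 without being covered by the allow-list. All subnets, addresses and the log format are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed tier-0 allow-list: the only networks that SHOULD reach DCs on TCP 445.
ALLOWED_SOURCES = {
    ipaddress.ip_network("10.0.0.0/24"): "tier-0 PAW subnet",
    ipaddress.ip_network("10.10.0.0/16"): "domain-joined corporate hosts",
}
DC_SUBNET = ipaddress.ip_network("10.0.255.0/24")  # assumed isolated DC subnet

# Constructed flow log in the shape a firewall at the DC subnet edge might export.
SAMPLE_FLOWS = """\
src=10.0.0.15 dst=10.0.255.10 dport=445 proto=tcp action=allow
src=10.10.4.22 dst=10.0.255.10 dport=445 proto=tcp action=allow
src=172.16.9.8 dst=10.0.255.11 dport=445 proto=tcp action=allow
src=192.168.50.3 dst=10.0.255.10 dport=445 proto=tcp action=allow
src=172.16.9.8 dst=10.0.255.11 dport=445 proto=tcp action=allow
src=10.10.7.1 dst=10.0.255.10 dport=389 proto=tcp action=allow
src=203.0.113.7 dst=10.0.255.10 dport=445 proto=tcp action=deny
"""
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+) action=(\w+)")

def covering_label(src, allowed):
    """Label of the allow-list network containing src, or None if none does."""
    return next((label for net, label in allowed.items() if src in net), None)

def residual_exposure(flow_text, allowed=ALLOWED_SOURCES, dc_subnet=DC_SUBNET):
    """Count successful TCP/445 connections into the DC subnet per source.
    Returns (authorised by allow-list label, unauthorised by source IP); the
    second counter is reach that exists today but should not: the residual gap."""
    authorised, unauthorised = Counter(), Counter()
    for line in flow_text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the audit
        src, dst, dport, proto, action = m.groups()
        if (ipaddress.ip_address(dst) not in dc_subnet or int(dport) != 445
                or proto != "tcp" or action != "allow"):
            continue  # only successful TCP/445 reach to a DC matters here
        label = covering_label(ipaddress.ip_address(src), allowed)
        if label is None:
            unauthorised[src] += 1
        else:
            authorised[label] += 1
    return authorised, unauthorised

if __name__ == "__main__":
    ok, gap = residual_exposure(SAMPLE_FLOWS)
    print("authorised:", dict(ok), "| residual exposure:", dict(gap))
```

Denied connections and non-445 traffic are ignored on purpose: the exposure that matters for a Netlogon-class bug is reach that already succeeds. Every source in the second counter is a segment to either add to the allow-list deliberately or cut off before the next CVE lands.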
The Patch Cycle Is Not Enough
Patching CVE-2026-41089 closes this vulnerability. It does nothing about CVE-202X-XXXXX, the next vulnerability in the Netlogon service that will be discovered and exploited in 2027 or 2028 or whenever the next researcher looks carefully at the MS-NRPC protocol implementation.
The Netlogon service has 30 years of implementation history. It handles authentication for the most critical servers in Windows environments. It is written in a language (C) that is prone to memory safety vulnerabilities. It has been audited by skilled researchers and has produced multiple critical CVEs. There is no credible argument that the next critical Netlogon CVE will not appear.
Organisations that complete the architecture remediation (segment DCs, restrict network access, implement PAWs, instrument monitoring) reduce their exposure to every future Netlogon vulnerability, not just this one. The investment is paid forward indefinitely.
Organisations that patch and move on will patch the next one too, and the one after that. The approach works, technically: eventually all the vulnerabilities get patched. But the exposure window between disclosure and patch, during which active exploitation is occurring, remains the same each time.
The Zerologon post-mortem was supposed to prompt the architectural change that makes this exposure window manageable. For organisations where it did not, CVE-2026-41089 is a second chance at the same decision.