Tags: CVE, vulnerability, Vulnerability Research, Critical Infrastructure

CVE-2026-41089: Critical Windows Netlogon RCE – Patch Your Domain Controllers Now


CVE-2026-41089: the Windows Netlogon RCE you need to patch before the weekend

A stack-based buffer overflow in Windows Netlogon is being actively exploited in the wild. The vulnerability, CVE-2026-41089, carries a CVSS score of 9.8 and affects every Windows Server version configured as a domain controller. Belgium's Centre for Cybersecurity (CCB) issued an active exploitation alert on May 29; Help Net Security, BleepingComputer, and SecurityWeek published coverage on June 1. Microsoft patched it in its May Patch Tuesday release but assessed it as "less likely to be exploited." That assessment was wrong.

What the vulnerability does

The flaw is a stack-based buffer overflow (CWE-121) in the Windows Netlogon Remote Protocol (MS-NRPC). An unauthenticated attacker sends a specially crafted RPC request to a domain controller over the network. The malformed request triggers the buffer overflow, and the attacker achieves remote code execution at SYSTEM level on the domain controller.

No credentials are required. No prior access is required. The attack path is: network access to the port range used by Netlogon RPC, send the crafted request, get SYSTEM on a domain controller.

The blast radius of a compromised domain controller is total. Whoever controls a domain controller controls every Windows machine in the domain: authentication, group policy, service accounts, and the entire Active Directory fabric. Researchers comparing this to Zerologon (CVE-2020-1472) are not exaggerating.

Who is affected

Every Windows Server version configured as a domain controller is affected: Windows Server 2012 R2, 2016, 2019, 2022, 2022 23H2, and 2025. The vulnerability was disclosed and patched in Microsoft's May 12, 2026 Patch Tuesday update. If your domain controllers have not been updated since May 12, they are vulnerable.

CVE-2026-41089 is not yet listed in the CISA Known Exploited Vulnerabilities catalog at the time of writing, but the Belgian CCB advisory and confirmed active exploitation mean you should treat this with KEV-equivalent urgency.

What to do

Apply the May 2026 cumulative updates to all domain controllers. This is the fix. Nothing else replaces it.

If you cannot patch immediately: restrict network access to the RPC endpoint range used by Netlogon (dynamic RPC ports, TCP 49152 to 65535) from untrusted segments. This does not close the vulnerability but removes easy unauthenticated access. Enable extended Netlogon logging and monitor for anomalous authentication requests from unexpected sources.

Prioritize domain controllers that are reachable from a broad internal network or from external networks. Any domain controller reachable from a compromised workstation becomes the entry point to your entire domain.
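The three steps above (verify patch state, restrict the dynamic RPC range from untrusted segments, turn on extended Netlogon logging) can be driven from one PowerShell session. The script below is an added example written for this article, not code from the original post or from Microsoft. It assumes the ActiveDirectory RSAT module, WinRM access to every domain controller, and that you replace the placeholder KB identifier (the article does not name the May 2026 update's KB number) and the placeholder subnet list with your own values.

```powershell
# Added example for CVE-2026-41089 triage on domain controllers.
# Assumptions: ActiveDirectory module present, WinRM reachable on every DC,
# run from an account with local admin rights on the DCs.
Import-Module ActiveDirectory

$PatchTuesday = Get-Date -Year 2026 -Month 5 -Day 12
# Cumulative update ID for your DC OS build, taken from Microsoft's advisory.
# PLACEHOLDER: the article does not state the KB number.
$RequiredKB = 'KB<PLACEHOLDER>'

# --- Step 1: which DCs still lack an update installed on or after May 12, 2026? ---
# The KB match is authoritative; the install-date comparison is a fallback heuristic
# for builds where you have not yet looked up the exact KB.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    try {
        $hotfixes = Get-HotFix -ComputerName $dc -ErrorAction Stop
        $latest   = ($hotfixes | Sort-Object InstalledOn -Descending |
                     Select-Object -First 1).InstalledOn
        $hasKB    = [bool]($hotfixes | Where-Object HotFixID -eq $RequiredKB)

        [pscustomobject]@{
            DomainController = $dc
            LatestUpdate     = $latest
            HasRequiredKB    = $hasKB
            Status           = if ($hasKB -or ($latest -and $latest -ge $PatchTuesday)) {
                                   'Patched'
                               } else {
                                   'VULNERABLE'
                               }
        }
    } catch {
        # A DC you cannot query is a DC you cannot vouch for; surface it explicitly.
        [pscustomobject]@{
            DomainController = $dc
            LatestUpdate     = $null
            HasRequiredKB    = $false
            Status           = "UNREACHABLE: $($_.Exception.Message)"
        }
    }
}
$report | Sort-Object Status | Format-Table -AutoSize

# --- Step 2: interim mitigation on DCs that cannot be patched today ---
# Block the RPC dynamic port range from network segments that have no business
# talking RPC to a DC (guest, VPN, user VLANs). PLACEHOLDER subnets; adjust to yours.
# Windows Firewall evaluates Block rules before Allow rules, so this overrides the
# built-in "Active Directory Domain Services" allow rules only for these sources.
$UntrustedSegments = @('10.50.0.0/16', '192.168.100.0/24')
$unpatched = $report | Where-Object Status -eq 'VULNERABLE' |
             Select-Object -ExpandProperty DomainController

Invoke-Command -ComputerName $unpatched -ScriptBlock {
    param($segments)
    New-NetFirewallRule `
        -DisplayName 'CVE-2026-41089 interim: block RPC dynamic range from untrusted segments' `
        -Direction Inbound -Protocol TCP -LocalPort 49152-65535 `
        -RemoteAddress $segments -Action Block -Profile Domain -Enabled True
} -ArgumentList (,$UntrustedSegments)

# --- Step 3: extended Netlogon logging on every DC ---
# nltest /dbflag sets the Netlogon DBFlag registry value; 0x2080ffff is the
# Microsoft-documented verbose mask. Output lands in %windir%\debug\netlogon.log.
# Reset with 'nltest /dbflag:0x0' once the investigation window closes.
Invoke-Command -ComputerName $dcs -ScriptBlock { nltest /dbflag:0x2080ffff }
```

Two caveats when you run this. The port-range block is deliberately coarse: it cuts all dynamic RPC from the listed segments, not just Netlogon, so expect remote management and DCOM from those segments to break until the DC is patched. It also does not cover every path to MS-NRPC, which is reachable over the Netlogon named pipe on SMB (TCP 445) as well as over TCP dynamic ports, so treat the rule as a reduction in exposure, not a substitute for the update. The debug log is large on a busy DC; ship it to your SIEM rather than leaving it to rotate locally.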

Why the "less likely to be exploited" rating matters

Microsoft uses an Exploitability Index to signal how likely post-disclosure exploitation is. A "less likely" rating on a CVSS 9.8 Netlogon vulnerability created a false signal for patch prioritization. Organizations that triaged based on that index would have deprioritized the May Patch Tuesday update.

The lesson is not that Microsoft's ratings are unreliable in general. The lesson is that unauthenticated RCE on domain controllers is a category that warrants emergency treatment regardless of vendor exploitability signals. Domain controllers are the highest-value targets in a Windows environment. Treat them accordingly.

Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you want to talk through domain controller hardening or incident response.
