Critical Windows Netlogon RCE Flaw Exploited in Attacks
The Centre for Cybersecurity Belgium (CCB) has warned that threat actors are now exploiting a recently patched critical Windows Netlogon vulnerability in attacks. The vulnerability, tracked as CVE-2026-41089, is a stack-based buffer overflow that allows attackers without privileges to gain remote code execution on targeted domain controllers.
What is Netlogon?
Netlogon is a remote procedure call (RPC) interface and a core Microsoft Windows Server background service that authenticates services and users on Windows domain-based networks. Microsoft patched this vulnerability during the May 2026 Patch Tuesday, describing it as a critical flaw that could allow attackers to run code on the affected system without needing to sign in or have prior access.
CVE-2026-41089 impacts all currently supported Windows Server versions, including the latest release, Windows Server 2025. According to a security advisory published by Microsoft on May 12, the vulnerability was discovered by Windows Attack Research & Protection (WARP), an internal offensive cybersecurity and engineering research team at Microsoft.
Active Exploitation Alert
On Friday, Belgium's national cybersecurity authority (CCB) warned that attackers are now actively exploiting the CVE-2026-41089 security flaw in the wild and urged admins to immediately patch vulnerable servers. The CCB tweeted,
"CVE-2026-41089 in #Windows #Netlogon is now actively #exploited in the wild and could lead to #RCE. CVSS(3.1): 9.8. Patch as quickly as possible."

However, the CCB didn't provide further details on these ongoing attacks and didn't respond to a request for more information.
Microsoft has yet to update its advisory, and a company spokesperson didn't reply to an email requesting confirmation that CVE-2026-41089 is now actively exploited. This is not the first time Microsoft has dealt with zero-day vulnerabilities in recent months.
Recent Zero-Day Vulnerabilities
Two weeks ago, Microsoft shared mitigation measures for YellowKey (CVE-2026-45585), a Windows BitLocker zero-day vulnerability that grants access to protected drives. This vulnerability was described as a backdoor by anonymous security researcher 'Nightmare Eclipse,' who also disclosed it and published a proof-of-concept (PoC) exploit.
Over the past several months, Nightmare Eclipse also disclosed the BlueHammer (CVE-2026-33825) and RedSun (CVE-2026-41091) privilege escalation zero-day flaws, both of which are now being exploited in attacks. Additionally, Nightmare Eclipse disclosed the GreenPlasma and MiniPlasma zero-day privilege escalation flaws that provide SYSTEM privileges, and UnDefend (CVE-2026-45498), another zero-day that attackers with standard user permissions can exploit to block Microsoft Defender definition updates.
Reaction from Microsoft
Initially, Microsoft reacted to Nightmare Eclipse with thinly veiled threats of legal action, followed by a tweet saying that the company "will work with law enforcement as appropriate" when "an individual breaks the law and engages in malicious activity causing real harm to our customers."
Source: BleepingComputer