Critical Windows Netlogon RCE (CVE‑2026‑41089) Actively Exploited, Threatening Domain Controllers
What Happened – The Centre for Cybersecurity Belgium (CCB) confirmed that threat actors are exploiting CVE‑2026‑41089, a stack‑based buffer overflow in the Windows Netlogon service that enables unauthenticated remote code execution on domain controllers. Microsoft released a patch in the May 2026 Patch Tuesday, but attacks have been observed in the wild against unpatched servers.
Why It Matters for TPRM –
- A compromised domain controller can give attackers lateral movement across an entire corporate network, endangering all downstream SaaS and cloud services.
- Many third‑party vendors (MSPs, cloud hosts, ERP providers) rely on Windows Server for authentication; a breach can cascade through supply‑chain relationships.
- The vulnerability’s CVSS 3.1 score of 9.8 classifies it as critical, demanding immediate remediation to avoid service disruption or data loss.
Who Is Affected – Enterprises across finance, healthcare, SaaS, and cloud‑hosting sectors that operate Windows Server domain controllers.
Recommended Actions – Deploy the May 2026 security update on all Windows Server systems immediately; verify patch compliance via inventory tools; enable Netlogon signing and monitor for anomalous RPC traffic; isolate domain controllers on segmented networks; review third‑party contracts for patch‑management obligations.
Technical Notes – The exploit leverages a specially crafted network request to the Netlogon RPC interface, triggering a stack buffer overflow that executes attacker‑controlled code without prior credentials. CVE‑2026‑41089 affects all supported Windows Server releases, including Windows Server 2025. CVSS 3.1: 9.8. Source: BleepingComputer