Windows Netlogon 0-Click RCE Vulnerability Now Actively Exploited In The Wild
CVE-2026-41089, a critical 0-click RCE in Windows Netlogon, is under active exploitation, enabling unauthenticated attackers to take over domain controllers with SYSTEM privileges.

A critical remote code execution vulnerability in Windows Netlogon, tracked as CVE-2026-41089, is now being actively exploited in the wild, according to urgent warnings from the Center for Cybersecurity Belgium (CCB) and Microsoft. The flaw, which carries a critical severity rating, allows an unauthenticated attacker to execute arbitrary code with SYSTEM-level privileges on a vulnerable domain controller simply by sending a specially crafted Netlogon network request. No user interaction, authentication, or local access is required, making it a zero-click vulnerability that can be weaponized at scale.
The vulnerability was disclosed and patched as part of Microsoft's May 2026 Patch Tuesday release, which addressed 118 flaws, 16 of which were classified as critical. CVE-2026-41089 affects all supported versions of Windows Server from 2012 onward, covering the vast majority of enterprise domain controllers. The Netlogon protocol is a core component of Active Directory authentication, used for secure channel establishment between domain members and domain controllers. Exploitation of this flaw could allow an attacker to completely compromise an organization's identity infrastructure, enabling lateral movement, malware deployment, and privilege escalation across the entire network.
According to the CCB advisory, the vulnerability is now being actively exploited, though specific threat actor attribution or campaign details have not been disclosed. The advisory urges organizations to treat patching as a top-tier emergency remediation item, prioritizing domain controllers that are exposed to untrusted or segmented networks. Given the critical role of Active Directory in enterprise security, a domain controller compromise via CVE-2026-41089 could enable attackers to create or modify accounts, disable security controls, and pivot to critical systems, effectively handing over control of the entire domain.
Microsoft has released security updates for all supported Windows Server versions, and the company has not published any workarounds or mitigations beyond applying the patch. The CCB recommends that organizations also enhance monitoring for suspicious Netlogon-related activity, including anomalous authentication behavior, unusual domain controller traffic, and signs of privilege escalation or new administrative account creation following Netlogon events. Early detection is critical to contain intrusions leveraging this vulnerability, especially given its active exploitation status.
The exploitation of CVE-2026-41089 follows a pattern of high-severity Netlogon vulnerabilities, most notably CVE-2020-1472 (Zerologon), which was also a critical privilege escalation flaw in the same protocol. Zerologon was widely exploited in the wild after its disclosure in 2020, leading to numerous ransomware attacks and domain compromises. The recurrence of a critical Netlogon vulnerability underscores the complexity and attack surface of the protocol, as well as the importance of rapid patch deployment for core infrastructure components.
Security teams should also revisit network segmentation and access controls around domain controllers, ensuring that only necessary systems and services can communicate with Netlogon over the relevant ports. Combined with rapid patch deployment and enhanced monitoring, these steps are essential to mitigate the immediate threat posed by CVE-2026-41089 in ongoing exploitation campaigns. Organizations that have not yet applied the May 2026 Patch Tuesday updates should treat this as an emergency and prioritize deployment immediately.
Belgium's Centre for Cybersecurity (CCB) confirmed on Friday that CVE-2026-41089 is now under active exploitation, urging administrators to apply the May 2026 Patch Tuesday update immediately. The CCB's warning provides the first official confirmation of in-the-wild attacks, though no technical details about the campaigns have been disclosed. Microsoft has not yet updated its advisory to reflect active exploitation.
The Centre for Cybersecurity Belgium (CCB) has now publicly confirmed active exploitation of CVE-2026-41089, though it has not yet shared specific attack details. Microsoft had initially assessed the flaw as "less likely" to be exploited, but AI-enabled adversaries are accelerating the window between disclosure and weaponization. Acros Security has released micropatches for legacy Windows Server 2008 R2, 2012, and 2012 R2, while Jason Kikta of Automox warns that half-patched forests are indefensible and advises restricting Netlogon traffic at the network layer.
The Centre for Cybersecurity Belgium (CCB) has now confirmed active in-the-wild exploitation of CVE-2026-41089, warning that unauthenticated remote attackers can achieve arbitrary code execution with SYSTEM privileges by targeting Windows domain controllers. Although Microsoft flagged roughly a dozen other May 2026 Patch Tuesday bugs as likely to be exploited, CVE-2026-41089 was not among them, and Redmond has not yet updated its advisory to reflect the active attacks. SecurityWeek notes that the Netlogon service's history of critical flaws makes this a particularly urgent patching priority for organizations.