Windows Netlogon 0-Click RCE Vulnerability Now Actively Exploited In The Wild
CVE-2026-41089, a critical 0-click RCE in Windows Netlogon, is under active exploitation, enabling unauthenticated attackers to take over domain controllers with SYSTEM privileges.
A critical remote code execution vulnerability in Windows Netlogon, tracked as CVE-2026-41089, is now being actively exploited in the wild, according to urgent warnings from the Center for Cybersecurity Belgium (CCB) and Microsoft. The flaw, which carries a critical severity rating, allows an unauthenticated attacker to execute arbitrary code with SYSTEM-level privileges on a vulnerable domain controller simply by sending a specially crafted Netlogon network request. No user interaction, authentication, or local access is required, making it a zero-click vulnerability that can be weaponized at scale.
The vulnerability was disclosed and patched as part of Microsoft's May 2026 Patch Tuesday release, which addressed 118 flaws, 16 of which were classified as critical. CVE-2026-41089 affects all supported versions of Windows Server from 2012 onward, covering the vast majority of enterprise domain controllers. The Netlogon protocol is a core component of Active Directory authentication, used for secure channel establishment between domain members and domain controllers. Exploitation of this flaw could allow an attacker to completely compromise an organization's identity infrastructure, enabling lateral movement, malware deployment, and privilege escalation across the entire network.
According to the CCB advisory, the vulnerability is now being actively exploited, though specific threat actor attribution or campaign details have not been disclosed. The advisory urges organizations to treat patching as a top-tier emergency remediation item, prioritizing domain controllers that are exposed to untrusted or segmented networks. Given the critical role of Active Directory in enterprise security, a domain controller compromise via CVE-2026-41089 could enable attackers to create or modify accounts, disable security controls, and pivot to critical systems, effectively handing over control of the entire domain.
Microsoft has released security updates for all supported Windows Server versions, and the company has not published any workarounds or mitigations beyond applying the patch. The CCB recommends that organizations also enhance monitoring for suspicious Netlogon-related activity, including anomalous authentication behavior, unusual domain controller traffic, and signs of privilege escalation or new administrative account creation following Netlogon events. Early detection is critical to contain intrusions leveraging this vulnerability, especially given its active exploitation status.
The exploitation of CVE-2026-41089 follows a pattern of high-severity Netlogon vulnerabilities, most notably CVE-2020-1472 (Zerologon), which was also a critical privilege escalation flaw in the same protocol. Zerologon was widely exploited in the wild after its disclosure in 2020, leading to numerous ransomware attacks and domain compromises. The recurrence of a critical Netlogon vulnerability underscores the complexity and attack surface of the protocol, as well as the importance of rapid patch deployment for core infrastructure components.
Security teams should also revisit network segmentation and access controls around domain controllers, ensuring that only necessary systems and services can communicate with Netlogon over the relevant ports. Combined with rapid patch deployment and enhanced monitoring, these steps are essential to mitigate the immediate threat posed by CVE-2026-41089 in ongoing exploitation campaigns. Organizations that have not yet applied the May 2026 Patch Tuesday updates should treat this as an emergency and prioritize deployment immediately.