Belgium’s Centre for Cybersecurity (CCB) issued an urgent alert on June 1, 2026, confirming that CVE-2026-41089 — a CVSS 9.8 stack-based buffer overflow in Windows Netlogon — is being actively exploited in the wild. The flaw allows an unauthenticated attacker to send a specially crafted network request to a Windows domain controller and execute arbitrary code without requiring any prior credentials.
CVE-2026-41089 Attack Path: Unauthenticated RCE on Windows Domain Controllers
Windows Netlogon is a core authentication service present in every Active Directory domain environment, so the attack surface is extraordinarily broad. Microsoft addressed the vulnerability in the May 2026 Patch Tuesday security updates, but the CCB alert confirms that unpatched systems remain widespread and under active attack. The flaw requires no account on the targeted system: any domain controller an attacker can reach over the network is a viable target.
Why CVE-2026-41089’s CVSS 9.8 Score Reflects Enterprise-Wide Risk
All supported Windows Server versions are affected: Windows Server 2016, 2019, 2022, and 2025. The CVSS 9.8 score reflects a network-accessible attack vector combined with no required privileges, no user interaction, and the potential for complete system compromise. Domain controllers represent the highest-value targets in any Windows enterprise environment — a compromised domain controller typically means an attacker holds the keys to the entire domain, including all user accounts, policy configurations, and authentication infrastructure.
ZeroLogon Precedent and What It Means for CVE-2026-41089 Timelines
Netlogon has drawn attacker attention before. In 2020, CVE-2020-1472 — ZeroLogon — exploited a cryptographic weakness in Netlogon’s authentication to allow attackers to reset domain controller machine account passwords and gain full domain control. Ransomware operators and nation-state actors weaponized ZeroLogon within days of public disclosure. The CCB’s decision to issue a standalone urgent alert for CVE-2026-41089 reflects awareness of that pattern and the speed at which Netlogon vulnerabilities move from disclosure to active exploitation.
CCB Directive and Patch Urgency for Windows Server Administrators
The CCB has not publicly attributed CVE-2026-41089 exploitation to a specific threat actor or group. Its guidance is unambiguous: apply the May 2026 Patch Tuesday updates “as quickly as possible.” Organizations that have not yet applied May Patch Tuesday updates — whether due to change management processes, compatibility testing, or resource constraints — should treat CVE-2026-41089 as justifying emergency patching given the unauthenticated attack vector and the critical role domain controllers play across enterprise infrastructure.
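One way to check the patching guidance above across a domain, as an added example that is not from the CCB or Microsoft: this PowerShell audit enumerates every domain controller and reports whether a fixing update is installed. The KB IDs are placeholders because the article does not list them, and the script assumes the ActiveDirectory module plus rights to query hotfixes remotely.

```powershell
#Requires -Modules ActiveDirectory
# Added example: audit domain controllers for the May 2026 Netlogon fix.
# ASSUMPTION: the KB IDs below are placeholders, not real KB numbers. Replace
# them with the KBs Microsoft lists per Windows Server build for
# CVE-2026-41089. Later cumulative updates supersede the May one, so add
# their KB IDs as well or patched hosts will be reported as missing the fix.
$FixKbs = @('KB0000000', 'KB0000001')

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [ordered]@{
        DomainController = $dc.HostName
        Site             = $dc.Site
        OperatingSystem  = $dc.OperatingSystem
        MatchedKb        = $null
        Status           = 'Unknown'
    }
    try {
        # Get-HotFix reads Win32_QuickFixEngineering on the remote host.
        $installed = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop
        $hit = $installed |
            Where-Object { $FixKbs -contains $_.HotFixID } |
            Select-Object -First 1
        if ($hit) {
            $row.MatchedKb = $hit.HotFixID
            $row.Status    = 'Patched'
        } else {
            $row.Status    = 'MISSING FIX'
        }
    } catch {
        # Unreachable or access denied: report as unverified, never as patched.
        $row.Status = "Query failed: $($_.Exception.Message)"
    }
    [pscustomobject]$row
}

$results | Sort-Object Status, DomainController | Format-Table -AutoSize

# Non-zero exit lets a scheduled task or pipeline flag unpatched or unverified DCs.
if ($results | Where-Object Status -ne 'Patched') { exit 1 }
```

A domain controller whose query fails is counted as unverified, so the exit code stays non-zero until every controller is confirmed patched.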
