UPDATE: Windows Netlogon CVE-2026-41089 moves from "patch-available" to actively exploited

UPDATE (originally covered 2026-05-13): The Windows Netlogon stack-based buffer-overflow RCE patched in May 2026 Patch Tuesday is now reported as exploited in the wild. Belgium's Centre for Cybersecurity (CCB) confirmed active exploitation on 1 June, and BleepingComputer, Help Net Security and SecurityWeek reported the same (BleepingComputer, 2026-06-01 · Help Net Security, 2026-06-01).

The vulnerability is an unauthenticated, network-reachable overflow in the Netlogon service that yields SYSTEM on a domain controller, affecting all currently supported Windows Server releases including Server 2025 (Microsoft MSRC). Microsoft had not updated its advisory to mark the CVE exploited as of 1 June, so the exploitation signal currently rests on CCB plus the reporting outlets rather than the vendor. The operational shift is decisive: a flaw previously reasonable to schedule into a patch cycle is now an emergency change for every internet- or network-reachable DC. See §0 for the immediate action.