UPDATE: Windows Netlogon RCE CVE-2026-41089 now confirmed exploited in the wild in the EU; CERT-EU issues advisory 2026-007

UPDATE (originally covered 2026-W23 weekly): CERT-EU published advisory 2026-007 on 10 June 2026 confirming that CVE-2026-41089 — a CVSS 9.8 stack-based buffer overflow (CWE-121) in the Windows Netlogon service — is being actively exploited in the wild, citing Belgium's Centre for Cybersecurity (CCB) (CERT-EU, 2026-06-10). This is the material delta since the weekly's disclosure-only coverage: an EU national authority has now attributed in-the-wild exploitation, roughly 20 days after the May 2026 Patch Tuesday fix.

An unauthenticated remote attacker sends a crafted Netlogon RPC packet to obtain SYSTEM-level code execution on an unpatched domain controller — functionally a full Active Directory forest compromise, in the ZeroLogon lineage of Netlogon-channel attacks (BleepingComputer, 2026-06-01). CERT-EU's advisory carries the per-version patched-build table: Server 2016 before 10.0.14393.9140, Server 2019 before 10.0.17763.8755, Server 2022 before 10.0.20348.5074, Server 2022 23H2 before 10.0.25398.2330, and Server 2025 before 10.0.26100.32772, with Server 2012/2012 R2 also affected.