ctipilot.ch


CVE-2026-41089 — Windows Netlogon: pre-auth SYSTEM RCE on domain controllers, actively exploited

From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08

If you did nothing this week: pre-auth remote-code execution as SYSTEM on every unpatched domain controller in your forest. Belgium's CCB confirmed active exploitation on 1 June. The May Patch Tuesday fix has been available since 13 May.

CVE-2026-41089 (CVSS 9.8) is a stack-based buffer overflow in the Windows Netlogon service (MS-NRPC), first covered as an emergency action on 2 June (daily 2026-06-02). A crafted NRPC request to a domain controller triggers a memory-corruption condition before any credential exchange, allowing an unauthenticated network attacker to execute code as SYSTEM (Microsoft MSRC; BleepingComputer, 2026-06-01). All currently supported Windows Server releases including Server 2025 are affected. Belgium's Centre for Cybersecurity (CCB) confirmed active exploitation; at the time of the daily brief Microsoft had not yet updated its advisory to reflect it.

The operational priority here is the target class — domain controllers — and the fact that Netlogon is necessarily reachable from every domain-joined machine in the estate. An attacker who has compromised any domain-joined workstation can move laterally to a DC without credentials if the patch has not been applied. Detection concepts: anomalous NRPC session counts from non-DC source addresses; Windows Security EID 4625 (authentication failures) spikes on DCs correlated with unexpected source IPs; network-layer alerts on NRPC/RPC-over-named-pipe from workstation segments. Patch immediately. If patching is delayed, restrict Netlogon/LDAP exposure to trusted hosts at the network layer.