ctipilot.ch


CVE-2026-41089 — Windows Netlogon: pre-auth SYSTEM RCE on domain controllers, confirmed exploited in the EU

From CTI Weekly Summary — 2026-W24 (Jun 08 – Jun 14, 2026) · published 2026-06-14

If you did nothing this week: every unpatched domain controller in your forest is a pre-auth remote-code-execution target as SYSTEM, and the exploitation is no longer hypothetical — CERT-EU confirmed in-the-wild abuse in its jurisdiction this week.

CVE-2026-41089 is a CVSS 9.8 stack-based buffer overflow (CWE-121) in the Windows Netlogon RPC service. It was disclosed and patched in the May/June cycle and tracked in the W23 weekly as a disclosure-and-patch story. This week CERT-EU published advisory 2026-007 (10 June) confirming active exploitation against unpatched DCs in the EU (CERT-EU 2026-007; daily 06-11). A domain controller compromise is full-domain compromise: the entire identity plane is in scope.

Patch every domain controller now — DCs are the one asset class where "patch window" is not a negotiation. Where patching lags, restrict Netlogon RPC exposure at the network layer and hunt for anomalous pre-authentication RPC traffic to DCs and for new SYSTEM-context processes on those hosts.
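One way to run the SYSTEM-process hunt described above, as an added example (not code from this brief or from CERT-EU): it diffs process-creation events on DCs against a baseline taken before the hunt window. The JSON-lines export format, host names, cutoff date and sample events are constructed assumptions; the field names are those of Windows Security event 4688.

```python
import json
from datetime import datetime

SYSTEM_SID = "S-1-5-18"  # LocalSystem
NULL_SID = "S-1-0-0"     # 4688 TargetUserSid when the new process keeps the creator's token

# Constructed sample: event 4688 records flattened to JSON lines (assumed export format).
SAMPLE_EVENTS = r"""
{"TimeCreated":"2026-06-10T21:44:00+00:00","Computer":"DC01.corp.example","SubjectUserSid":"S-1-5-18","TargetUserSid":"S-1-0-0","ParentProcessName":"C:\\Windows\\System32\\lsass.exe","NewProcessName":"C:\\Windows\\System32\\cmd.exe"}
{"TimeCreated":"2026-06-02T03:10:00+00:00","Computer":"dc01.corp.example","SubjectUserSid":"S-1-5-18","TargetUserSid":"S-1-0-0","ParentProcessName":"C:\\Windows\\System32\\services.exe","NewProcessName":"C:\\Windows\\System32\\svchost.exe"}
{"TimeCreated":"2026-06-10T08:00:00+00:00","Computer":"dc01.corp.example","SubjectUserSid":"S-1-5-18","TargetUserSid":"S-1-0-0","ParentProcessName":"C:\\Windows\\System32\\services.exe","NewProcessName":"C:\\Windows\\System32\\svchost.exe"}
{"TimeCreated":"2026-06-11T09:30:00+00:00","Computer":"dc01.corp.example","SubjectUserSid":"S-1-5-21-1111111111-2222222222-3333333333-500","TargetUserSid":"S-1-0-0","ParentProcessName":"C:\\Windows\\explorer.exe","NewProcessName":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"TimeCreated":"2026-06-10T10:00:00+00:00","Computer":"ws07.corp.example","SubjectUserSid":"S-1-5-18","TargetUserSid":"S-1-0-0","ParentProcessName":"C:\\Windows\\System32\\services.exe","NewProcessName":"C:\\Windows\\Temp\\agent.exe"}
{"TimeCreated":"2026-06-09T02:15:00+00:00","Computer":"dc02.corp.example","SubjectUserSid":"S-1-5-21-1111111111-2222222222-3333333333-1104","TargetUserSid":"S-1-5-18","ParentProcessName":"C:\\Windows\\System32\\services.exe","NewProcessName":"C:\\Windows\\Temp\\upd.exe"}
"""
DC_HOSTS = {"dc01.corp.example", "dc02.corp.example"}       # constructed DC inventory
CUTOFF = datetime.fromisoformat("2026-06-08T00:00:00+00:00")  # assumed start of hunt window

def is_system_context(ev):
    """True if the new process runs as SYSTEM: explicit target token, else the creator's."""
    target = ev.get("TargetUserSid", NULL_SID)
    if target != NULL_SID:
        return target == SYSTEM_SID
    return ev.get("SubjectUserSid") == SYSTEM_SID

def hunt_new_system_processes(lines, dc_hosts, cutoff):
    """Return (host, parent, image) for SYSTEM process creations on DCs at or after
    `cutoff` whose combination was never seen on that host before `cutoff`."""
    events = [json.loads(line) for line in lines if line.strip()]
    # Sort first so the baseline is complete before any hunt-window event is judged.
    events.sort(key=lambda e: datetime.fromisoformat(e["TimeCreated"]))
    baseline, hits = set(), []
    for ev in events:
        host = ev["Computer"].lower()
        if host not in dc_hosts or not is_system_context(ev):
            continue
        key = (host, ev.get("ParentProcessName", "").lower(), ev["NewProcessName"].lower())
        if datetime.fromisoformat(ev["TimeCreated"]) < cutoff:
            baseline.add(key)
        elif key not in baseline:
            hits.append(key)
    return hits

if __name__ == "__main__":
    for host, parent, image in hunt_new_system_processes(SAMPLE_EVENTS.splitlines(), DC_HOSTS, CUTOFF):
        print(f"{host}: {parent} -> {image}")
```

Event 4688 is only logged when Audit Process Creation is enabled on the DCs, so confirm that policy before treating an empty result as clean.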