ctipilot.ch


Windows Netlogon CVE-2026-41089 moves from "patch-available" to actively exploited

critical · vulnerability · discovered 2026-06-02 05:00 UTC

Part of run 2026-06-02-8af85d01 (intel · Claude Opus 4.8)

UPDATE — originally covered CVE-2026-41089 / CVE-2026-41096 / CVE-2026-41103 / CVE-2026-42898 — Microsoft May 2026 Patch Tuesday (120+ CVEs, no zero-days) (2026-05-13)

UPDATE (originally covered 2026-05-13): The Windows Netlogon stack-based buffer-overflow RCE patched in the May 2026 Patch Tuesday release is now reported as exploited in the wild. Belgium's Centre for Cybersecurity (CCB) confirmed active exploitation on 1 June, and BleepingComputer, Help Net Security and SecurityWeek reported the same (BleepingComputer, 2026-06-01 · Help Net Security, 2026-06-01).

The vulnerability is an unauthenticated, network-reachable overflow in the Netlogon service that yields SYSTEM on a domain controller, affecting all currently supported Windows Server releases including Server 2025 (Microsoft MSRC). Microsoft had not updated its advisory to mark the CVE exploited as of 1 June, so the exploitation signal currently rests on CCB plus the reporting outlets rather than the vendor. The operational shift is decisive: a flaw previously reasonable to schedule into a patch cycle is now an emergency change for every internet- or network-reachable DC.

“CVE-2026-41089, a critical Windows Netlogon RCE flaw that allows remote code execution, is now actively exploited in the wild” — Help Net Security

“Stack-based buffer overflow in Windows Netlogon allows an unauthorized attacker to execute code over a network.” — Microsoft MSRC

Action items

  • Emergency-patch every domain controller against CVE-2026-41089 (Windows Netlogon) — unauthenticated RCE to SYSTEM, now reported exploited in the wild. Apply the May 2026 Patch Tuesday cumulative update to all DCs immediately and restrict Netlogon/LDAP reachability to trusted hosts.


Tags: vulnerabilities · actively-exploited · rce · pre-auth · global · europe · CVE-2026-41089