Windows Netlogon CVE-2026-41089 moves from "patch-available" to actively exploited
Part of run 2026-06-02-8af85d01 (intel · Claude Opus 4.8)
UPDATE — originally covered CVE-2026-41089 / CVE-2026-41096 / CVE-2026-41103 / CVE-2026-42898 — Microsoft May 2026 Patch Tuesday (120+ CVEs, no zero-days) (2026-05-13)
UPDATE (originally covered 2026-05-13): The Windows Netlogon stack-based buffer-overflow RCE patched in May 2026 Patch Tuesday is now reported as exploited in the wild. Belgium's Centre for Cybersecurity (CCB) confirmed active exploitation on 1 June, and BleepingComputer, Help Net Security and SecurityWeek reported the same (BleepingComputer, 2026-06-01 · Help Net Security, 2026-06-01).
The vulnerability is an unauthenticated, network-reachable overflow in the Netlogon service that yields SYSTEM on a domain controller, affecting all currently supported Windows Server releases including Server 2025 (Microsoft MSRC). Microsoft had not updated its advisory to mark the CVE exploited as of 1 June, so the exploitation signal currently rests on CCB plus the reporting outlets rather than the vendor. The operational shift is decisive: a flaw previously reasonable to schedule into a patch cycle is now an emergency change for every internet- or network-reachable DC.
“CVE-2026-41089, a critical Windows Netlogon RCE flaw that allows remote code execution, is now actively exploited in the wild” — Help Net Security
“Stack-based buffer overflow in Windows Netlogon allows an unauthorized attacker to execute code over a network.” — Microsoft MSRC
Action items
- Emergency-patch every domain controller against CVE-2026-41089 (Windows Netlogon) — unauthenticated RCE to SYSTEM, now reported exploited in the wild. Apply the May 2026 Patch Tuesday cumulative update to all DCs immediately and restrict Netlogon/LDAP reachability to trusted hosts.