ctipilot.ch


Windows Netlogon RCE CVE-2026-41089 now confirmed exploited in the wild in the EU; CERT-EU issues advisory 2026-007

Severity: high · Type: vulnerability · Discovered: 2026-06-11 05:00 UTC

Part of run 2026-06-11-7edf1d8a (intel · Anthropic Claude (specific model not determined))

UPDATE (originally covered 2026-W23 weekly): CERT-EU published advisory 2026-007 on 10 June 2026 confirming that CVE-2026-41089 — a CVSS 9.8 stack-based buffer overflow (CWE-121) in the Windows Netlogon service — is being actively exploited in the wild, citing Belgium's Centre for Cybersecurity (CCB) (CERT-EU, 2026-06-10). This is the material delta since the weekly's disclosure-only coverage: an EU national authority has now attributed in-the-wild exploitation, roughly 20 days after the May 2026 Patch Tuesday fix.

An unauthenticated remote attacker sends a crafted Netlogon RPC packet to obtain SYSTEM-level code execution on an unpatched domain controller — functionally a full Active Directory forest compromise, in the ZeroLogon lineage of Netlogon-channel attacks (BleepingComputer, 2026-06-01). CERT-EU's advisory carries the per-version patched-build table: Server 2016 before 10.0.14393.9140, Server 2019 before 10.0.17763.8755, Server 2022 before 10.0.20348.5074, Server 2022 23H2 before 10.0.25398.2330, and Server 2025 before 10.0.26100.32772, with Server 2012/2012 R2 also affected.


Action items

  • Confirm all domain controllers carry the May 2026 Patch Tuesday update (CVE-2026-41089). Pre-auth Netlogon RCE giving SYSTEM on any unpatched DC is now confirmed exploited in the wild in the EU by Belgium's CCB. Where a DC cannot be patched immediately (legacy Server 2012/2012 R2 past ESU), isolate it behind a management VLAN with firewall rules blocking Netlogon from untrusted subnets.
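As an added example (not from CERT-EU, ctipilot or Microsoft), the following PowerShell pulls each domain controller's build and UBR from the registry and compares it against the patched-build table in advisory 2026-007; it assumes the RSAT ActiveDirectory module is installed and WinRM access to every DC in the current domain.

```powershell
# Added example: check DC builds against the CERT-EU 2026-007 patched-build table.
# Assumes RSAT ActiveDirectory module and WinRM access to each DC (run per domain).
Import-Module ActiveDirectory

# Minimum patched UBR per OS build, taken from the advisory table in the brief.
$PatchedUbr = @{
    '14393' = 9140   # Windows Server 2016      (10.0.14393.9140)
    '17763' = 8755   # Windows Server 2019      (10.0.17763.8755)
    '20348' = 5074   # Windows Server 2022      (10.0.20348.5074)
    '25398' = 2330   # Windows Server 2022 23H2 (10.0.25398.2330)
    '26100' = 32772  # Windows Server 2025      (10.0.26100.32772)
}

# Enumerate every DC in the current domain.
$dcs = (Get-ADDomainController -Filter *).HostName

# Collect build number and update build revision (UBR) from each DC's registry.
$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Host  = $env:COMPUTERNAME
        Build = [int]$cv.CurrentBuildNumber
        UBR   = [int]$cv.UBR
    }
}

foreach ($r in $results) {
    $key = [string]$r.Build
    if (-not $PatchedUbr.ContainsKey($key)) {
        # Server 2012 (build 9200) / 2012 R2 (build 9600) have no build in the
        # table but are listed as affected; anything else unknown gets the same treatment.
        $status = 'NOT-IN-TABLE (Server 2012/2012 R2 or unknown; treat as vulnerable)'
    } elseif ($r.UBR -ge $PatchedUbr[$key]) {
        $status = 'PATCHED'
    } else {
        $status = "VULNERABLE (UBR $($r.UBR) < required $($PatchedUbr[$key]))"
    }
    '{0,-30} 10.0.{1}.{2,-6} {3}' -f $r.Host, $r.Build, $r.UBR, $status
}
```

Run it from a host with domain credentials in each domain of the forest; any DC reported as VULNERABLE or NOT-IN-TABLE is a candidate for the isolation step in the action item above.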
Tags: vulnerabilities, actively-exploited, pre-auth, rce, identity, europe, global, CVE-2026-41089