
Windows Netlogon CVE-2026-41089: One Packet to Your Domain Controller, Every Windows Server Since 2012

  • Writer: Patrick Duggan
  • 3 min read

If an attacker can reach your domain controller over the network and run code on it, the conversation about your Active Directory is over. There is nothing left to defend, because the thing that decides who is trusted is now the thing the attacker controls. That is the situation CVE-2026-41089 creates. It affects every domain-joined Windows Server from 2012 through 2025, and the Centre for Cybersecurity Belgium confirmed on June 1, 2026 that it is being exploited in the wild.


CVE-2026-41089 is a stack-based buffer overflow in Netlogon — the protocol and service that handles authentication inside a Windows domain. An attacker sends a specially crafted network request to a server acting as a domain controller, overflows the stack, and can execute code over the network. CVSS 9.8. The public reporting describes no authentication requirement. The blast radius is not a workstation or a single server; it is the domain. Compromise a DC and you can mint domain administrators, push Group Policy to every joined machine, and read the secret that backs every Kerberos ticket in the environment. This is the worst category of bug there is, on the worst possible box.


Patching is the only real fix, and Microsoft has shipped the update. Test it in a lab, then roll it to your domain controllers ahead of everything else you were planning to patch this month. A domain controller RCE under active exploitation jumps the queue past anything. There is no clever segmentation trick that makes an unpatched, reachable DC safe — segmentation buys you time and shrinks the attack surface, it does not close the hole.


While the patch rolls, shrink the surface. Netlogon RPC should not be reachable from your general user VLAN, your guest network, or anything an attacker is likely to land on first. Restrict Netlogon RPC so only authorized source addresses — other domain controllers and the systems that legitimately need it — can initiate those sessions. The single highest-value detection rule you can write today is also the simplest: any non-DC source initiating a Netlogon RPC session warrants immediate investigation. Domain controllers talk Netlogon to each other and to member servers in predictable patterns. A workstation suddenly opening Netlogon RPC to a DC is not normal, and in June 2026 it is a five-alarm event until proven otherwise.


The post-exploitation indicators are in your Windows Security event log, and they are worth pre-staging detections for right now. Watch for new domain administrator accounts — Event ID 4720 for the account creation paired with 4728 for the privileged group add, the two together being the signature of an attacker manufacturing themselves an admin. Watch for unexpected process execution under the SYSTEM account on a domain controller, Event ID 4688, because code running as SYSTEM on a DC that you cannot tie to a known process is the overflow paying out. Watch for Group Policy modifications that did not come through your change-management process, because GPO is how a single DC compromise becomes mass code execution across every machine in the domain. Force MFA on administrator sessions so that a leaked credential on its own is not a free pass.
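The two log-based detections above, written out as correlation logic over exported Security events. This is an added example, not code from the author or from Microsoft; the flattened field names, the SYSTEM-process allowlist and the sample events are all assumptions constructed for illustration.

```python
# Added example (not the author's code): correlate exported Windows Security
# events for the post-exploitation signatures described above. Field names
# mimic a flattened Security-log export and the events are constructed samples.
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
SYSTEM_SID = "S-1-5-18"  # well-known SID of LocalSystem
# Hypothetical allowlist of images expected to run as SYSTEM on a DC; derive
# the real one from your own DC baseline rather than copying this.
DC_SYSTEM_BASELINE = {r"C:\Windows\System32\lsass.exe",
                      r"C:\Windows\System32\svchost.exe"}

def manufactured_admins(events, window=timedelta(minutes=10)):
    """4720 (account created) followed within `window` by a 4728 that adds
    the same account to a privileged group: the manufactured-admin pair."""
    created, hits = {}, []  # account -> time of its 4720
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["target"]] = ts
        elif ev["id"] == 4728 and ev["group"] in PRIVILEGED_GROUPS:
            t0 = created.get(ev["member"])
            if t0 is not None and ts - t0 <= window:
                hits.append((ev["member"], ev["group"]))
    return hits

def unknown_system_processes(events, dc_hosts):
    """4688 on a DC where the subject is SYSTEM and the image is off-baseline."""
    return [(ev["host"], ev["process"]) for ev in events
            if ev["id"] == 4688 and ev["host"] in dc_hosts
            and ev["subject_sid"] == SYSTEM_SID
            and ev["process"] not in DC_SYSTEM_BASELINE]

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"id": 4720, "time": "2026-06-02T09:00:00", "host": "DC01", "target": "svc_bkp2"},
    {"id": 4728, "time": "2026-06-02T09:03:00", "host": "DC01", "member": "svc_bkp2",
     "group": "Domain Admins"},                       # created then promoted: hit
    {"id": 4728, "time": "2026-06-02T10:00:00", "host": "DC01", "member": "alice",
     "group": "Domain Admins"},                       # no paired 4720: not this rule
    {"id": 4688, "time": "2026-06-02T09:04:00", "host": "DC01",
     "subject_sid": SYSTEM_SID, "process": r"C:\Windows\System32\svchost.exe"},  # baseline
    {"id": 4688, "time": "2026-06-02T09:05:00", "host": "DC01",
     "subject_sid": SYSTEM_SID, "process": r"C:\Windows\Temp\update.exe"},  # off-baseline: hit
    {"id": 4688, "time": "2026-06-02T09:06:00", "host": "FS01",
     "subject_sid": SYSTEM_SID, "process": r"C:\Windows\Temp\update.exe"},  # not a DC
]
```

A standalone 4728 into Domain Admins (the "alice" event) is deliberately outside this rule; it belongs to a separate privileged-group-change review, not the created-then-promoted pair the post describes.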


We will say the honest thing here too, because it is the same lesson the NetScaler bug taught this week. This is a protocol-level flaw in a closed Microsoft service. It does not get farmed into a hundred GitHub proof-of-concept repositories the way a WordPress plugin bug does, which means a threat feed built on watching GitHub — ours included — is not where you will first hear about it. You hear about it from the vendor advisory and the national CERT, and then you confirm it against your own domain controller telemetry. A sensor pointed at public exploit code has a blind spot exactly the size of the exploits that never go public, and the operators who can weaponize a Netlogon overflow against a domain controller are not the kind who publish their work. Naming that blind spot is not a weakness in the program; refusing to name it would be.


The shape of this one is brutally simple. The box that decides who is trusted in your network can be made to run an attacker's code by a single packet, the bug reaches back to Server 2012, and it is being used right now. Patch the domain controllers first, restrict who can speak Netlogon to them, and put the 4720-plus-4728 and the SYSTEM-on-a-DC detections live before you do anything else today. If a DC is compromised, assume the whole domain is, rotate accordingly, and rebuild trust from the ground up — there is no partial-credit version of a domain controller you can no longer vouch for.