7 min read
By: RedLegg's Cyber Threat Intelligence Team
About:
CVE-2026-41089 is a critical remote code execution vulnerability affecting Microsoft Windows Netlogon.
The vulnerability is caused by a stack-based buffer overflow condition within the Netlogon service. An unauthenticated attacker may exploit the flaw remotely over the network to execute arbitrary code on vulnerable Windows Server systems.
Successful exploitation could allow complete compromise of affected servers, including unauthorized access to sensitive data, modification of system configurations, disruption of authentication infrastructure, and potential domain-wide impact.
The Centre for Cybersecurity Belgium (CCB) reported active exploitation of this vulnerability in the wild.
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
Windows Netlogon Remote Code Execution Vulnerability
Identifier: CVE-2026-41089
PoC or Exploitation: The Centre for Cybersecurity Belgium (CCB) reported that CVE-2026-41089 is actively exploited in the wild.
CVSS Score: 9.8 (Critical, CVSS v3.1)
Update / Patch:
Microsoft has released security updates addressing this vulnerability as part of the May 2026 security updates.
Affected platforms include:
- Windows Server 2016 prior to 10.0.14393.9140
- Windows Server 2019 prior to 10.0.17763.8755
- Windows Server 2022 prior to 10.0.20348.5074
- Windows Server 2022 23H2 prior to 10.0.25398.2330
- Windows Server 2025 prior to 10.0.26100.32772
Fixed versions include:
- Windows Server 2016 version 10.0.14393.9140 or later
- Windows Server 2019 version 10.0.17763.8755 or later
- Windows Server 2022 version 10.0.20348.5074 or later
- Windows Server 2022 23H2 version 10.0.25398.2330 or later
- Windows Server 2025 version 10.0.26100.32772 or later
Microsoft advisory:
Description:
CVE-2026-41089 is a remote code execution vulnerability affecting Microsoft Windows Netlogon. The vulnerability is caused by a stack-based buffer overflow condition within the Netlogon service.
An unauthenticated attacker could exploit the vulnerability over the network to execute arbitrary code on a vulnerable system. Successful exploitation could allow complete compromise of affected Windows Server systems, including unauthorized access to sensitive data, modification of system configurations, and disruption of service availability.
Mitigation Recommendation:
Immediately apply the Microsoft May 2026 security updates to all affected Windows Server systems.
Prioritize patching internet-facing systems, domain controllers, and critical authentication infrastructure.
Review Windows event logs, security telemetry, and endpoint detection alerts for suspicious Netlogon-related activity and signs of unauthorized access.
Verify that all domain controllers and servers are running supported and patched versions of Windows.
